I've tried installing in two different ways. First as a part of a full replica install, i.e.
ipa-replica-install --setup-ca --no-forwarders -p <password> replica.gpg
This failed on step 8:
  [8/27]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
I then tried installing just the replica (no --setup-ca option), which succeeded, and then
ipa-ca-install -w -p replica.gpg
which again failed with the same error.
ca/debug log shows the following when I grep for errors:
[22/Aug/2017:17:01:06][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://server1:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://server1:443, subsystemName=CA server2 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=server2, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@8ffc78b], issuingCA=https://server1:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=True, subordinateSecurityDomainName=null, reindexData=False, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1]
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:08][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:08][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed to modify cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry. Exception: netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:51][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:51][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
This has failed on every CentOS 7 and Fedora 26 server that we have available, so it doesn't seem like a problem with particular versions. Can someone please suggest what the problem might be here?
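For triaging a ca/debug log like the one in this post, here is an added Python helper (not part of this thread, FreeIPA or Dogtag) that pulls out every netscape.ldap.LDAPException result code and labels it with its RFC 4511 name; the sample lines are copied from the log above, and the code-name table is an assumption limited to a few common codes.

```python
import re
from collections import Counter

# Dogtag ca/debug line format: [dd/Mon/yyyy:HH:MM:SS][thread]: message
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$')
LDAP_ERR_RE = re.compile(r'LDAPException: error result \((?P<code>\d+)\)')

# Result code names per RFC 4511 (assumed subset; extend as needed)
LDAP_RESULT_NAMES = {
    20: "attributeOrValueExists",   # modify tried to add a value already present
    32: "noSuchObject",
    49: "invalidCredentials",
    68: "entryAlreadyExists",       # add hit an entry that is already there
}

def parse_debug_log(text):
    """Yield (timestamp, thread, message) for each line that matches the format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group('ts'), m.group('thread'), m.group('msg')

def ldap_failures(text):
    """Return one dict per log line that carries an LDAP error result."""
    out = []
    for ts, thread, msg in parse_debug_log(text):
        m = LDAP_ERR_RE.search(msg)
        if not m:
            continue
        code = int(m.group('code'))
        out.append({'ts': ts, 'thread': thread, 'code': code,
                    'name': LDAP_RESULT_NAMES.get(code, 'unknown'),
                    'message': msg})
    return out

def summarize(text):
    """Histogram of LDAP result codes: repeated 68/20 during a clone install
    means the add/modify targets (here under cn=config and o=ipaca) already exist."""
    return Counter(f['code'] for f in ldap_failures(text))

# Constructed sample: four lines taken from the debug log in this thread
SAMPLE = """\
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed to modify cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry. Exception: netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
"""

if __name__ == '__main__':
    for f in ldap_failures(SAMPLE):
        print(f"{f['ts']} [{f['thread']}] LDAP {f['code']} {f['name']}: {f['message'][:70]}")
    print(dict(summarize(SAMPLE)))
```

Run it against the full /var/log/pki/pki-tomcat/ca/debug of both the replica and the master, since a clone install talks to both directories.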
pgb205 via FreeIPA-users wrote:
I've tried installing in two different ways. First as a part of a full replica install, i.e.
ipa-replica-install --setup-ca --no-forwarders -p <password> replica.gpg
This failed on step 8:
  [8/27]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
I then tried installing just the replica (no --setup-ca option), which succeeded, and then
ipa-ca-install -w -p replica.gpg
which again failed with the same error.
This has failed on every CentOS 7 and Fedora 26 server that we have available, so it doesn't seem like a problem with particular versions.
A 500 suggests that the CA on the master you are creating a replica to is down or limping along.
Can someone please suggest what the problem might be here?
It would help if you said which debug log this is from, the master you are installing or the existing master you are connecting to. I think this is from the replica.
You want to look at the debug log on the other side because that is likely where things are failing.
rob
Rob, this is from replica. I have sent you logs from master in private.
thank you
Rob, sorry to nag but did you hear anything from dogtag developers? Or instead of bothering you can I deal with them directly, maybe? thank you
From: Rob Crittenden rcritten@redhat.com To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: pgb 205 pgb205@yahoo.com Sent: Thursday, August 24, 2017 10:27 AM Subject: Re: [Freeipa-users] Re: CA install fails
pgb 205 via FreeIPA-users wrote:
Rob, this is from replica. I have sent you logs from master in private.
Yeah, I didn't see anything in them and have asked for some input from one of the dogtag developers.
rob
pgb205 wrote:
Rob, sorry to nag but did you hear anything from dogtag developers? Or instead of bothering you can I deal with them directly, maybe?
They lurk here as well.
rob