My misunderstanding, sorry. This is from the existing CA since that's where I 
thought the problem would be. Okay, going back and looking at the debug log on 
the new server to see if it's more revealing.


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Jun 8, 2021, at 2:27 PM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
> > I was tailing several logs in /var/log/pki/pki-tomcat/ca/ (debug, system, 
> > and transactions) and though the replica installation failed again at the 
> > same point, this is what I got from the logs throughout the installation 
> > process:
> 
> This doesn't seem to show any errors. Reading the pki logs can be
> problematic as it often charges on after an error is encountered so
> subsequent errors are basically red herrings but I don't see anything
> wrong here at all, or I'm missing something.
> 
> The IPA installer calls pki-spawn <bunch of options> so not much comes
> back to us. It's a black box. Can you provide the whole debug log,
> out-of-band is fine too. I'd also suggest looking at the debug log on
> the existing CA as it may be part of the communication as well.
> 
> rob
> 
> > 
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: mapping: default
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: required auth methods: [*]
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: anonymous access allowed
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > SecurityDomainResource.getDomainInfo()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No 
> > ACL mapping.
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: content-type: null
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: accept: [application/json]
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: response format: application/json
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, 
> > authorization for servlet: securitydomain is LDAP based, not XML {1}, use 
> > default authz mgr: {2}.
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > LdapBoundConnFactory: init 
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > LdapBoundConnFactory:doCloning true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init 
> > begins
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init 
> > ends
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: init: before 
> > makeConnection errorIfDown is false
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: 
> > errorIfDown false
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket set 
> > client auth cert nicknamesubsystemCert cert-pki-ca
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake 
> > happened
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP 
> > connection with SSL client auth to ipa1.our.net:636
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: initializing with 
> > mininum 3 and maximum 15 connections to host ipa1.our.net port 636, secure 
> > connection, true, authentication type 2
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum 
> > connections by 3
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: new total available 
> > connections 3
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: new number of 
> > connections 3
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In 
> > LdapBoundConnFactory::getConn()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is 
> > connected: true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is 
> > connected true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns 
> > now 2
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: name: IPA
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: CA
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:  - cn=ipa1.our.net:443,cn=CAList,ou=Security 
> > Domain,o=ipaca
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - objectClass: top
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - host: ipa1.our.net
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - SecurePort: 443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - SecureAgentPort: 443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - SecureAdminPort: 443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - SecureEEClientAuthPort: 443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - UnSecurePort: 80
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - Clone: FALSE
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - SubsystemName: CA ipa1.our.net 8443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - cn: ipa1.our.net:443
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor:    - DomainManager: TRUE
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: OCSP
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: KRA
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: RA
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: TKS
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > SecurityDomainProcessor: subtype: TPS
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap 
> > connection
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 3
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Authentication: 
> > UID=admin
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In 
> > LdapBoundConnFactory::getConn()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is 
> > connected: true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is 
> > connected true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns 
> > now 2
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > LdapAnonConnFactory::getConn
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: 
> > LdapAnonConnFactory.getConn(): num avail conns now 2
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 3
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake 
> > happened
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 2
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In 
> > LdapBoundConnFactory::getConn()
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is 
> > connected: true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is 
> > connected true
> > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns 
> > now 2
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 3
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: In 
> > LdapBoundConnFactory::getConn()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is 
> > connected: true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is 
> > connected true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns 
> > now 2
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 3
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: In 
> > LdapBoundConnFactory::getConn()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is 
> > connected: true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is 
> > connected true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns 
> > now 2
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: 
> > mNumConns now 3
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: AccountResource.login()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: mapping: account
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, 
> > certUserDBAuthMgr]
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: access granted
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > AccountResource.login()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > mapping: account.login
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > principal: admin
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: 
> > certServer.ca.account,login
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): 
> > ACLEntry expressions= user="anybody"
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluating 
> > expressions: user="anybody"
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluated 
> > expression: user="anybody" to be true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: 
> > authorization passed
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > access granted
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: AccountResource.login()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: content-type: null
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: accept: [application/json]
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: response format: application/json
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: AccountResource.logout()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: mapping: account
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, 
> > certUserDBAuthMgr]
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > AuthMethodInterceptor: access granted
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > AccountResource.logout()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > mapping: account.logout
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > principal: admin
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: 
> > certServer.ca.account,logout
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): 
> > ACLEntry expressions= user="anybody"
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluating 
> > expressions: user="anybody"
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluated 
> > expression: user="anybody" to be true
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: 
> > authorization passed
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: 
> > access granted
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: AccountResource.logout()
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: content-type: null
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: accept: [application/json]
> > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: 
> > MessageFormatInterceptor: response format: application/json
> > 
> > It again failed at this point:
> > 
> > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> >   [1/30]: configuring certificate server instance
> > ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: 
> > Command '/usr/sbin/pkispawn -s CA -f /tmp/tmph2SUT4' returned non-zero exit 
> > status 1
> > ipaserver.install.dogtaginstance: CRITICAL See the installation logs and 
> > the following files/directories for more information:
> > ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > 
> > ipapython.admintool: ERROR    CA configuration failed.
> > ipapython.admintool: ERROR    The ipa-replica-install command failed. See 
> > /var/log/ipareplica-install.log for more information
> > 
> > 
> > Is there another way to transfer or duplicate the CA? We are ultimately 
> > planning to shut this box down due to its age, and currently it is the only 
> > CA, but it seems to be trying to hang on to its job security... ;-)
> > 
> > 
> 
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
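Rob's point above, that the pki-tomcat debug log "charges on after an error" so the first error-looking line on a request thread is the one to look at, is easy to apply mechanically. The following script is an added example written for this page; it is not code from the thread, from FreeIPA, or from the Dogtag project. It assumes only the line layout visible in the quoted log (`[timestamp][thread]: message`), uses a hand-picked list of error markers as a heuristic, and embeds a constructed sample whose last two lines are invented to show what a failure would look like (the original log shows none).

```python
"""Surface the first error per request thread in a pki-tomcat CA debug log.

Added example, not from the FreeIPA-users thread or the Dogtag project. It assumes
the layout "[dd/Mon/yyyy:HH:MM:SS][thread]: message" seen in the quoted log.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s?(?P<msg>.*)$")

# Heuristic markers (assumption): the first line matching one of these on a thread
# is usually the real failure; later ones are often consequences of it.
ERROR_MARKERS = ("Exception", "failed", "Failed", "ERROR", "Unable", "Cannot")

# Constructed sample: the first six lines are copied from the thread; the last two
# are invented for illustration and are NOT from the original log.
SAMPLE_LOG = """\
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to ipa1.our.net:636
[08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login()
[08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin
[08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
[08/Jun/2021:06:35:47][ajp-bio-127.0.0.1-8009-exec-3]: CONSTRUCTED: ConfigurationRequest failed: example failure for illustration
[08/Jun/2021:06:35:47][ajp-bio-127.0.0.1-8009-exec-3]: CONSTRUCTED: java.lang.Exception: follow-on error, likely a red herring
"""


@dataclass
class Entry:
    ts: str
    thread: str
    msg: str


def parse(text):
    """Parse log text into Entry objects; mail-wrapped continuation lines are
    appended to the preceding entry so a wrapped message is searched whole."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if entries and raw.strip():
                entries[-1].msg += " " + raw.strip()
            continue
        entries.append(Entry(m["ts"], m["thread"], m["msg"]))
    return entries


def first_error_per_thread(entries):
    """Return an ordered {thread: Entry} holding only the FIRST error-looking
    line per thread, which is the one worth reading before anything after it."""
    found = OrderedDict()
    for e in entries:
        if e.thread in found:
            continue
        if any(marker in e.msg for marker in ERROR_MARKERS):
            found[e.thread] = e
    return found


def auth_summary(entries):
    """Reduce the interceptor chatter to the facts that matter for a replica
    install: which REST resources were called, as which principal, and whether
    DirAclAuthz passed."""
    summary = []
    for e in entries:
        if e.msg.startswith("AuthMethodInterceptor: ") and e.msg.endswith("()"):
            summary.append(("resource", e.msg.split(": ", 1)[1]))
        elif e.msg.startswith("ACLInterceptor: principal: "):
            summary.append(("principal", e.msg.split(": ", 2)[2]))
        elif e.msg.startswith("DirAclAuthz: "):
            summary.append(("authz", e.msg.split(": ", 1)[1]))
    return summary


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for kind, value in auth_summary(entries):
        print(f"{kind:>9}: {value}")
    for thread, e in first_error_per_thread(entries).items():
        print(f"first error on {thread} at {e.ts}: {e.msg}")
```

Run it against a real `/var/log/pki/pki-tomcat/ca/debug` by replacing `SAMPLE_LOG` with the file contents; on the log quoted in this thread it reports no error on the `exec-2` thread at all, which matches Rob's reading that the interesting failure is not in the excerpt shown.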
