Installation of second fails with:
pki-kra-10.3.2-4.fc24.noarch freeipa-server-4.3.90.201606161720GIT9b7c12b-0.fc24.x86_64
```
[2/8]: configuring KRA instance
2016-06-20T14:34:37Z DEBUG Contents of pkispawn configuration file (/tmp/tmp8ifezo):
[KRA]
pki_security_domain_https_port = 443
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin-ipa3.example.test
pki_issuing_ca_uri = https://ipa3.example.test:443
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-d85D2Q
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa3.example.test
pki_admin_uid = admin-ipa3.example.test
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.TEST
pki_import_admin_cert = True
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=kra,o=ipaca
pki_ds_database = ipaca
pki_ds_create_new_db = False
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.TEST
pki_ssl_server_subject_dn = cn=ipa3.example.test,O=EXAMPLE.TEST
pki_audit_signing_subject_dn = cn=KRA Audit,O=EXAMPLE.TEST
pki_transport_subject_dn = cn=KRA Transport Certificate,O=EXAMPLE.TEST
pki_storage_subject_dn = cn=KRA Storage Certificate,O=EXAMPLE.TEST
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-kra
pki_transport_nickname = transportCert cert-pki-kra
pki_storage_nickname = storageCert cert-pki-kra
pki_share_db = True
pki_share_dbuser_dn = uid=pkidbuser,ou=people,o=ipaca
pki_security_domain_hostname = ipa4.example.test
pki_clone = True
pki_clone_pkcs12_path = /tmp/tmpBw6JMm
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_setup_replication = False
pki_clone_uri = https://ipa4.example.test:443

2016-06-20T14:34:37Z DEBUG Starting external process
2016-06-20T14:34:37Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp8ifezo
2016-06-20T14:37:06Z DEBUG Process finished, return code=1
2016-06-20T14:37:06Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20160620163437.log
```
Was run on ipa3.example.test
pki-kra-spawn.20160620163437.log:
```
2016-06-20 16:34:47 pkispawn : INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
2016-06-20 16:34:47 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/kra
2016-06-20 16:34:47 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/kra
2016-06-20 16:34:47 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/kra
2016-06-20 16:34:47 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/kra/password.conf'
2016-06-20 16:34:47 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/kra/password.conf'
2016-06-20 16:34:47 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf
2016-06-20 16:34:47 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf
2016-06-20 16:34:47 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf'
2016-06-20 16:34:47 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf'
2016-06-20 16:34:47 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
2016-06-20 16:34:47 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
2016-06-20 16:34:47 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-d85D2Q -f /root/.dogtag/pki-tomcat/kra/password.conf'
2016-06-20 16:34:47 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2016-06-20 16:34:47 pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
2016-06-20 16:34:49 pkispawn : DEBUG ........... No connection - server may still be down
2016-06-20 16:34:49 pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='ipa3.example.test', port=8443): Max retries exceeded with url: /kra/admin/kra/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f3ac4b14c50>: Failed to establish a new connection: [Errno 111] Connection refused',))
2016-06-20 16:34:50 pkispawn : DEBUG ........... No connection - server may still be down
2016-06-20 16:34:50 pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='ipa3.example.test', port=8443): Max retries exceeded with url: /kra/admin/kra/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f3ac4b14350>: Failed to establish a new connection: [Errno 111] Connection refused',))
2016-06-20 16:35:05 pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>KRA</Type><Status>running</Status><Version>10.3.2-4.fc24</Version></XMLResponse>
2016-06-20 16:35:06 pkispawn : INFO ....... constructing PKI configuration data.
2016-06-20 16:35:06 pkispawn : INFO ....... configuring PKI configuration data.
2016-06-20 16:37:06 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://ipa3.example.test:8443/kra/rest/installer/configure
2016-06-20 16:37:06 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Errors in pushing KRA connector information to the CA: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error"}
2016-06-20 16:37:06 pkispawn : DEBUG ....... Error Type: ParseError
2016-06-20 16:37:06 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
2016-06-20 16:37:06 pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 384, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3965, in configure_pki_data
    root = ET.fromstring(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err
```
KRA debug log:
```
[20/Jun/2016:16:37:04][http-bio-8443-exec-3]: === Finalization ===
[20/Jun/2016:16:37:04][http-bio-8443-exec-3]: Updating existing security domain
[20/Jun/2016:16:37:04][http-bio-8443-exec-3]: Update security domain using admin interface
[20/Jun/2016:16:37:04][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa4.example.test port=443
[20/Jun/2016:16:37:04][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa4.example.test:443/ca/admin/ca/updateDomainXML
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=0
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: updateSecurityDomain(): Dump contents of updated Security Domain . . .
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa4.example.test:443/ca/admin/ca/getDomainXML
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipa1.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>FALSE</Clone><SubsystemName>CA ipa1.example.test 8443</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipa2.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone><SubsystemName>CA ipa2.example.test 8443</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipa3.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone><SubsystemName>CA ipa3.example.test 8443</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipa4.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone><SubsystemName>CA ipa4.example.test 8443</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipa5.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone><SubsystemName>CA ipa5.example.test 8443</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>5</SubsystemCount></CAList><KRAList><KRA><Host>ipa4.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>FALSE</Clone><SubsystemName>KRA ipa4.example.test 8443</SubsystemName><DomainManager>FALSE</DomainManager></KRA><KRA><Host>ipa3.example.test</Host><UnSecurePort>80</UnSecurePort><SecurePort>443</SecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone><SubsystemName>KRA ipa3.example.test 8443</SubsystemName><DomainManager>FALSE</DomainManager></KRA><SubsystemCount>2</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: updateConnectorInfo(): Transport certificate is being setup in https://ipa3.example.test:443
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: updateConnectorInfo start
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa3.example.test:443/ca/admin/ca/updateConnector
javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:189)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
    at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:476)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:248)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateConnectorInfo(ConfigurationUtils.java:3974)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateConnectorInfo(ConfigurationUtils.java:3967)
    at org.dogtagpki.server.kra.rest.KRAInstallerService.finalizeConfiguration(KRAInstallerService.java:47)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:226)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:286)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:258)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:277)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[20/Jun/2016:16:37:06][http-bio-8443-exec-3]: Errors in pushing KRA connector information to the CA: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
```
Env:
```
[pvoborni@ipa2 ~]$ ipa server-find --servroles="CA server" --pkey-only
---------------------
5 IPA servers matched
---------------------
  Server name: ipa1.example.test
  Server name: ipa2.example.test
  Server name: ipa3.example.test
  Server name: ipa4.example.test
  Server name: ipa5.example.test
----------------------------
Number of entries returned 5
----------------------------
[pvoborni@ipa2 ~]$ ipa server-find --servroles="KRA server" --pkey-only
--------------------
1 IPA server matched
--------------------
  Server name: ipa4.example.test
----------------------------
Number of entries returned 1
----------------------------
```
CA debug log snippet from ipa3.example.test:
```
[20/Jun/2016:16:35:02][localhost-startStop-1]: LdapAuthInfo: init begins
[20/Jun/2016:16:35:02][localhost-startStop-1]: LdapAuthInfo: init ends
[20/Jun/2016:16:35:02][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[20/Jun/2016:16:35:02][localhost-startStop-1]: makeConnection: errorIfDown true
[20/Jun/2016:16:35:02][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
Could not connect to LDAP server host ipa3.example.test port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
```
This is caused by the inclusion of the CA signing certificate in the PKCS #12 file for the KRA clone, which causes the trust flags of the CA signing certificate in the clone's NSS database to be overwritten.
To fix the problem, PKI will be fixed to ignore the CA signing certificate in the PKCS #12 file if it already exists in the NSS database: https://fedorahosted.org/pki/ticket/2374
In the future, IPA can be fixed not to include the CA signing certificate in the PKCS #12 file.
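As an added check for the condition described in this comment (example code, not from the ticket, FreeIPA or Dogtag): parse `certutil -L` output from the clone's NSS database and verify that the CA signing certificate still carries its trust flags, since losing the "C" flag is what leaves the CA unable to validate its own LDAP server's TLS certificate. The nickname `caSigningCert cert-pki-ca`, the expected flags `CTu,Cu,Cu` and the two certutil listings are assumptions constructed for the example.

```python
"""Verify the CA signing cert's trust flags in an NSS database from
`certutil -L -d <nssdb>` output. Added example, not FreeIPA/Dogtag code."""
import re
import subprocess

# Assumed nickname of the CA signing certificate in a Dogtag/IPA NSS database.
CA_NICKNAME = "caSigningCert cert-pki-ca"
# Assumed expected trust flags, in certutil's order: SSL,S/MIME,JAR/XPI.
EXPECTED_CA_TRUST = "CTu,Cu,Cu"
# A trust triple such as "CTu,Cu,Cu", "u,u,u" or the empty ",,".
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

# Constructed certutil -L output for a healthy KRA clone NSS database.
GOOD_DB = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
"""
# Constructed: the same database after the import wiped the CA cert's trust
# flags (illustrative value; the ticket does not state the resulting flags).
OVERWRITTEN_DB = GOOD_DB.replace("CTu,Cu,Cu", "u,u,u")


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -L` output, skipping headers."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header lines never end in a trust triple, so the regex drops them.
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].rstrip()] = parts[1]
    return certs


def check_ca_trust(certs, nickname=CA_NICKNAME, expected=EXPECTED_CA_TRUST):
    """Return None if the CA signing cert is trusted as expected, else a reason."""
    flags = certs.get(nickname)
    if flags is None:
        return "%r not found in NSS database" % nickname
    # Without "C" in the SSL field the subsystem cannot validate TLS peers
    # issued by this CA, e.g. the LDAP server on port 636 in the CA debug log.
    if "C" not in flags.split(",")[0]:
        return "%r is not trusted as an SSL CA (flags %s)" % (nickname, flags)
    if flags != expected:
        return "%r has trust %s, expected %s" % (nickname, flags, expected)
    return None


def check_nssdb(nssdb_dir):
    """Run the check against a live NSS database directory (needs certutil)."""
    out = subprocess.run(["certutil", "-L", "-d", nssdb_dir], check=True,
                         capture_output=True, text=True).stdout
    return check_ca_trust(parse_certutil_list(out))
```

On a real clone, `check_nssdb("/etc/pki/pki-tomcat/alias")` runs the same check against the live Dogtag NSS database.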
PKI ticket #2374 has been fixed. Please change the dependency to PKI 10.3.4.
PKI dependency was already raised to 10.3.4 in "Set default OCSP URI on install and upgrade" patch: 45daffa
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4