About

My name is Florence Blanc-Renaud, and I joined Red Hat in 2016 as a Software Development and Integration Engineer on the FreeIPA project. I specialize in LDAP and Identity Management.

I was previously a Software Development Engineer at Oracle, on the Oracle Unified Directory team, mainly focusing on OUD integration with Enterprise User Security, a really nice feature of Oracle Database that allows authenticating to the database with credentials stored in the OUD server.

9 thoughts on "About"

  1. Hi Florence,
    We had a few contacts back in your Oracle days, and since you were never really replaced, I am taking the liberty of contacting you directly: is it possible to set up a multi-master replication environment with OUD 12c?
    I can get it working in one direction, but in the other the sync is initiated and the data is not applied?
    If you need more details, please contact me

    1. Hello,
      I have not worked on OUD at all for more than 2 years, so quite a few things may have changed. However, according to the documentation (https://docs.oracle.com/en/middleware/idm/unified-directory/12.2.1.3/oudag/understanding-oracle-unified-directory-replication-model.html#GUID-BD437943-8081-4A39-A2AA-A29B426093B9), multi-master replication is still current:
      Oracle Unified Directory uses a loosely consistent multi-master replication model, which means that all the directory servers within a replication topology can accept read and write operations.

      I would invite you to post your question on the OUD forum: https://community.oracle.com/community/technology_network_community/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee/content

  2. Hi Mam,

    Please help me to fix this issue

    Master server: aaa01
    Replica server1: dir01 (currently installing replica server )
    Replica server2: dirus02 (which was a replica server previously that has been removed from replication)

    As noticed while installing the IPA replica server, the replica retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt. In this process, at the stage "Configuring the web interface (httpd)", we got the error below, i.e.

    ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255

    ===============================================

    While installing Replica /var/log/ipaclient-install.log
    —————————————————

    2022-08-15T13:52:08Z DEBUG stderr=
    2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
    2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=
    2022-08-15T13:52:11Z INFO Successfully retrieved CA cert

    Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From: 2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From: 2019-01-21 11:54:13
    Valid Until: 2021-01-21 11:54:13

    2022-08-15T13:52:11Z DEBUG Starting external process
    2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
    2022-08-15T13:52:15Z DEBUG Process finished, return code=0
    2022-08-15T13:52:15Z DEBUG stdout=
    2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
    Certificate subject base is: O=IPA.SUBDOMAIN.COM

    2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
    2022-08-15T13:52:15Z DEBUG Starting external process
    2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
    2022-08-15T13:52:15Z DEBUG Process finished, return code=0
    2022-08-15T13:52:15Z DEBUG stdout=

    ==================================

    While installing replica /var/log/ipareplica-install.log
    ————————————————–

    2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
    2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
    2022-08-15T15:07:11Z DEBUG Starting external process
    2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
    2022-08-15T15:07:11Z DEBUG Process finished, return code=0
    2022-08-15T15:07:11Z DEBUG stdout=
    2022-08-15T15:07:11Z DEBUG stderr=
    2022-08-15T15:07:11Z DEBUG Starting external process
    2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
    2022-08-15T15:07:12Z DEBUG Process finished, return code=255
    2022-08-15T15:07:12Z DEBUG stdout=
    2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

    2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step

    Observation in Master server(aaa01) ldap database :
    =======================================

    [root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
    ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    [root@aaa01~]#

    ====================
    We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well; we have revoked it too, but it still retrieves the same certificate and the installation fails every time

    =================

    In the ideal case, while installing a replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves

    Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup

    ipaCertIssuerSerial

    ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
    ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [invalid certificate retrieved from the IPA master while installing the IPA replica]

    [root@aaa01]# ipa cert-show

    Serial number: 32
    Issuing CA: ipa
    Certificate: [base64 certificate omitted]
    Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Subject DNS name: dirus02.ipa.subdomain.com
    Subject UPN: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
    Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
    Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Not Before: Mon Jan 21 11:54:13 2019 UTC
    Not After: Thu Jan 21 11:54:13 2021 UTC
    Serial number: 32
    Serial number (hex): 0x20
    Revoked: True
    Revocation reason: 2
    [root@aaa01~]#

    1. Hi,
      The ipa-cacert-manage list and del options could have helped, but they were introduced in a more recent version (IPA 4.8.5 for del and 4.7.2 for list). You can perform the equivalent operations manually:
      – find the CA certificates (replace dc=ipa,dc=example,dc=com with your base DN):

      ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

      This command will return multiple LDAP entries, one for each CA certificate. If you find the entry for the certificate CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM (that is not a CA but a server certificate), note the DN and then delete the entry with

      ldapdelete -D "cn=directory manager" -W "<DN of that entry>"

      When this step is done, you will need to run `ipa-certupdate` on all the IPA servers/clients. Then you can retry the replica installation on dirus02.ipa.example.com
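An added example (not code from the blog author or from FreeIPA) that automates the audit this answer describes: it parses the LDIF returned by the ldapsearch above and the `ipa cert-show` text for each serial named in ipaCertIssuerSerial, flags entries of the trust-anchor container that are server certificates, revoked, or expired, and reports the ldapdelete to run before `ipa-certupdate`. The LDIF and cert-show text are constructed samples mirroring the thread; the `audit_sample` helper and the host-name heuristic are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample LDIF: the two entries the thread's grep on ipaCertSubject showed
# (cACertificate;binary values omitted; the audit does not need them).
SAMPLE_LDIF = """\
dn: cn=IPA.SUBDOMAIN.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=subdomain,dc=com
objectClass: ipaCertificate
objectClass: pkiCA
cn: IPA.SUBDOMAIN.COM IPA CA
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1

dn: cn=Server-Cert,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=subdomain,dc=com
objectClass: ipaCertificate
objectClass: pkiCA
cn: Server-Cert
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32
"""

# Constructed `ipa cert-show` output keyed by serial; serial 32 copies the thread.
SAMPLE_CERT_SHOW = {
    1: """Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Not Before: Thu Apr 12 14:15:30 2018 UTC
Not After: Mon Apr 12 14:15:30 2038 UTC
Revoked: False""",
    32: """Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Not Before: Mon Jan 21 11:54:13 2019 UTC
Not After: Thu Jan 21 11:54:13 2021 UTC
Revoked: True
Revocation reason: 2""",
}
CERT_SHOW_DATE = "%a %b %d %H:%M:%S %Y UTC"  # timestamp format printed by ipa cert-show


def parse_ldif(text):
    """Split ldapsearch LDIF into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_cert_show(text):
    """Turn the 'Key: value' lines of ipa cert-show into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def audit_trust_anchors(ldif_text, cert_show_by_serial, now):
    """Return findings for entries that should not be distributed as trust anchors."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        subject = entry.get("ipaCertSubject", [""])[0]
        issuer, _, serial = entry.get("ipaCertIssuerSerial", [""])[0].rpartition(";")
        reasons = []
        # Heuristic (assumption): a CA subject names the CA; a CN that is a host FQDN
        # belongs to a server certificate, which has no place among trust anchors.
        match = re.match(r"CN=([^,]+)", subject)
        if match and "." in match.group(1):
            reasons.append("subject CN is a host name: server certificate, not a CA")
        shown = cert_show_by_serial.get(int(serial)) if serial.isdigit() else None
        if shown:  # the IPA CA issued this serial, so its status is known
            info = parse_cert_show(shown)
            if info.get("Revoked") == "True":
                reasons.append("revoked, reason %s" % info.get("Revocation reason", "?"))
            not_after = datetime.strptime(info["Not After"], CERT_SHOW_DATE)
            if not_after.replace(tzinfo=timezone.utc) < now:
                reasons.append("expired on %s" % info["Not After"])
        if reasons:  # the fix from the answer: delete the entry, then ipa-certupdate everywhere
            findings.append({"dn": dn, "subject": subject, "issuer": issuer, "serial": serial,
                             "reasons": reasons,
                             "fix": 'ldapdelete -D "cn=directory manager" -W "%s"' % dn})
    return findings


def audit_sample(now_iso="2022-08-15"):
    """Run the audit on the constructed samples as of the given UTC date."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return audit_trust_anchors(SAMPLE_LDIF, SAMPLE_CERT_SHOW, now)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["dn"], "->", "; ".join(f["reasons"]), "\n  fix:", f["fix"])
```

On the thread's data only the serial 32 entry is reported, with all three reasons; the IPA CA entry (serial 1) passes.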

      1. Hi floblanc,

        Thank you for the reply,

        I have a few queries, can you please clarify

        1. Should we run ipa-certupdate on the IPA master server also, and then afterwards on all IPA replica servers and their clients?

        2. Do we need to consider only one common name, i.e. "cn=directory manager", as we have two databases, one for LDAP and the other one for HTTP:

        dbm:/etc/dirsrv/slapd-IPA-ONMOBILE-COM/
        dbm:/etc/httpd/alias

        ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

        Any other common name for HTTP:

        ldapsearch -D "cn=?" -W -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

        Or else this is the only query to search the ipaCertificate in whole ldap database?

        If I want to search for all occurrences of this invalid certificate in the whole server/database, how can we achieve this?

        3. I have an infrastructure with one IPA master and 13 IPA replicas. If I delete the certificate on the IPA master and run ipa-certupdate, and then run ipa-certupdate again on the 13 IPA replica servers and their clients, I hope there will not be any issue after the changes and that the pki-tomcatd.target service will still be running

        Or do you suggest any other, better way without any further impact on services, as it is a production setup?

        Note: when we deleted it last time, the pki-tomcat.target service was stopped and did not start [we didn't run ipa-certupdate on the IPA master]

        How can we check all occurrences of this invalid certificate on the IPA master server?

  3. Hi Florence

    Upon your advice, I have removed the certificate from the IPA master. Now the IPA replica retrieves one certificate from the IPA master, as shown below.

    We are facing another IPA replica installation error after deleting/removing the certificate from the IPA master server. Please help us on this, and let us know if any more information is required.

    ==============================
    /var/log/ipaclient-install.log :
    ==============================

    2022-09-01T17:03:00Z DEBUG stderr=
    2022-09-01T17:03:00Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
    2022-09-01T17:03:01Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=
    2022-09-01T17:03:02Z INFO Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From: 2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    2022-09-01T17:03:02Z DEBUG Starting external process
    2022-09-01T17:03:02Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=subdomain,dc=com -h dirpav01.ipa.subdomain.com -f
    2022-09-01T17:03:07Z DEBUG Process finished, return code=0
    2022-09-01T17:03:07Z DEBUG stdout=
    2022-09-01T17:03:07Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
    Certificate subject base is: O=IPA.SUBDOMAIN.COM

    2022-09-01T17:03:07Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
    2022-09-01T17:03:07Z DEBUG Starting external process
    2022-09-01T17:03:07Z DEBUG args=/usr/bin/kdestroy
    2022-09-01T17:03:07Z DEBUG Process finished, return code=0
    2022-09-01T17:03:07Z DEBUG stdout=
    2022-09-01T17:03:07Z DEBUG stderr=

    ======================================
    Replica installation without debugging :
    ======================================

    Done configuring ipa-custodia.
    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/30]: creating certificate server db
    [2/30]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 30 seconds elapsed
    Update succeeded

    [3/30]: creating ACIs for admin
    [4/30]: creating installation admin user
    [5/30]: configuring certificate server instance
    [6/30]: secure AJP connector
    [7/30]: reindex attributes
    [8/30]: exporting Dogtag certificate store pin
    [9/30]: stopping certificate server instance to update CS.cfg
    [10/30]: backing up CS.cfg
    [11/30]: disabling nonces
    [12/30]: set up CRL publishing
    [13/30]: enable PKIX certificate path discovery and validation
    [14/30]: destroying installation admin user
    [15/30]: starting certificate server instance
    [16/30]: Finalize replication settings
    [17/30]: configure certmonger for renewals
    [18/30]: Importing RA key
    [19/30]: setting audit signing renewal to 2 years
    [20/30]: restarting certificate server
    [21/30]: authorizing RA to modify profiles
    [22/30]: authorizing RA to manage lightweight CAs
    [23/30]: Ensure lightweight CAs container exists
    [24/30]: configure certificate renewals
    [25/30]: configure Server-Cert certificate renewal
    [26/30]: Configure HTTP to proxy connections
    [27/30]: restarting certificate server
    [28/30]: updating IPA configuration
    [29/30]: enabling CA instance
    [30/30]: configuring certmonger renewal for lightweight CAs
    Done configuring certificate server (pki-tomcatd).
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipapython.admintool: ERROR CA did not start in 300.0s
    ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

    ================================
    /var/log/ipareplica-install.log
    ================================

    2022-09-01T14:35:58Z DEBUG response body ‘Apache Tomcat/7.0.76 – Error report HTTP Status 500 – Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76′
    2022-09-01T14:35:58Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
    2022-09-01T14:35:58Z DEBUG Waiting for CA to start…
    2022-09-01T14:35:59Z DEBUG request POST http://dirpav01.ipa.subdomain.com:8080/ca/admin/ca/getStatus
    2022-09-01T14:35:59Z DEBUG request body ”
    2022-09-01T14:35:59Z DEBUG response status 500
    2022-09-01T14:35:59Z DEBUG response headers Server: Apache-Coyote/1.1^M
    Content-Type: text/html;charset=utf-8^M
    Content-Language: en^M
    Content-Length: 2208^M
    Date: Thu, 01 Sep 2022 14:35:59 GMT^M
    Connection: close^M

    2022-09-01T14:35:59Z DEBUG response body ‘Apache Tomcat/7.0.76 – Error report HTTP Status 500 – Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76′
    2022-09-01T14:35:59Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
    2022-09-01T14:35:59Z DEBUG Waiting for CA to start…
    2022-09-01T14:36:00Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 186, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)

    2022-09-01T14:36:00Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA did not start in 300.0s
    2022-09-01T14:36:00Z ERROR CA did not start in 300.0s
    2022-09-01T14:36:00Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

    =================================
    /var/log/pki/pki-tomcat/ca/debug :
    =================================

    [01/Sep/2022:16:45:21][localhost-startStop-1]: Candidate cert: ocspSigningCert cert-pki-ca
    [01/Sep/2022:16:45:21][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
    [01/Sep/2022:16:45:21][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
    [01/Sep/2022:16:45:21][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
    [01/Sep/2022:16:45:21][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: begins
    [01/Sep/2022:16:45:21][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
    [01/Sep/2022:16:45:21][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
    [01/Sep/2022:16:45:21][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: clientIP=10.26.60.179 serverIP=10.26.60.179 serverPort=31746
    [01/Sep/2022:16:45:21][localhost-startStop-1]: SSL handshake happened
    Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:667)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1054)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:960)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:566)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:194)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1461)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
    Internal Database Error encountered: Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1054)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:960)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:566)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:194)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1461)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
    [01/Sep/2022:16:45:21][localhost-startStop-1]: CMS.start(): shutdown server
    [01/Sep/2022:16:45:21][localhost-startStop-1]: CMSEngine.shutdown()

  4. Hi Florence,

    I did the same and tried the installation multiple times, but it is the same issue.

    Please find my responses inline below.

    Can you clean up the replica you're trying to install and start over, then send the most recent logs? Done

    – on the failing replica: ipa-server-install --uninstall -U Done

    – on the master: kinit admin; ipa server-del --force Done

    – on the failing replica: perform the installation with your usual method (either in a 2-step process with ipa-client-install/ipa-replica-install or in a single step with ipa-replica-install). Done with the command below

    "ipa-replica-install -n ipa.subdomain.com --hostname=dirpav01.ipa.subdomain.com --server=aaa01.ipa.subdomain.com --realm=IPA.SUBDOMAIN.COM -P admin -w XXXXXXX --no-host-dns --setup-ca --setup-dns --mkhomedir --auto-reverse --no-forwarders"

    – Also provide the timezone of the replica so that we can translate all the timestamps into UTC time.

    4. Time Zone

    [root@dirpav01 ~]# timedatectl
    Local time: Fri 2022-09-02 20:11:53 CEST
    Universal time: Fri 2022-09-02 18:11:53 UTC
    RTC time: Fri 2022-09-02 18:11:52
    Time zone: Europe/Madrid (CEST, +0200)
    NTP enabled: no
    NTP synchronized: yes
    RTC in local TZ: no
    DST active: yes
    Last DST change: DST began at
    Sun 2022-03-27 01:59:59 CET
    Sun 2022-03-27 03:00:00 CEST
    Next DST change: DST ends (the clock jumps one hour backwards) at
    Sun 2022-10-30 02:59:59 CEST
    Sun 2022-10-30 02:00:00 CET
    [root@dirpav01 ~]#

    =======================

    Replica Installation:

    =======================

    [root@dirpav01 ~]# ipa-replica-install -n ipa.subdomain.com –hostname=dirpav01.ipa.subdomain.com –server=aaa01.ipa.subdomain.com –realm=IPA.SUBDOMAIN.COM -P admin -w Adm@onm0# –no-host-dns –setup-ca –setup-dns –mkhomedir –auto-reverse –no-forwarders

    Configuring client side components

    Client hostname: dirpav01.ipa.subdomain.com

    Realm: IPA.SUBDOMAIN.COM

    DNS Domain: ipa.subdomain.com

    IPA Server: aaa01.ipa.subdomain.com

    BaseDN: dc=ipa,dc=subdomain,dc=com

    Skipping synchronizing time with NTP server.

    Successfully retrieved CA cert

    Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM

    Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM

    Valid From: 2018-04-12 14:15:30

    Valid Until: 2038-04-12 14:15:30

    Enrolled in IPA realm IPA.SUBDOMAIN.COM

    Created /etc/ipa/default.conf

    New SSSD config will be created

    Configured sudoers in /etc/nsswitch.conf

    Configured /etc/sssd/sssd.conf

    Configured /etc/krb5.conf for IPA realm IPA.SUBDOMAIN.COM

    trying https://aaa01.ipa.subdomain.com/ipa/json

    [try 1]: Forwarding ‘schema’ to json server ‘https://aaa01.ipa.subdomain.com/ipa/json’

    trying https://aaa01.ipa.subdomain.com/ipa/session/json

    [try 1]: Forwarding ‘ping’ to json server ‘https://aaa01.ipa.subdomain.com/ipa/session/json’

    [try 1]: Forwarding ‘ca_is_enabled’ to json server ‘https://aaa01.ipa.subdomain.com/ipa/session/json’

    Systemwide CA database updated.

    DNS query for dirpav01.ipa.subdomain.com. A failed: The DNS operation timed out after 30.0018370152 seconds

    DNS resolution for hostname dirpav01.ipa.subdomain.com failed: The DNS operation timed out after 30.0018370152 seconds

    Failed to update DNS records.

    Missing A/AAAA record(s) for host dirpav01.ipa.subdomain.com: 10.26.60.179.

    Missing reverse record(s) for address(es): 10.26.60.179.

    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

    [try 1]: Forwarding ‘host_mod’ to json server ‘https://aaa01.ipa.subdomain.com/ipa/session/json’

    Could not update DNS SSHFP records.

    SSSD enabled

    Configured /etc/openldap/ldap.conf

    Configured /etc/ssh/ssh_config

    Configured /etc/ssh/sshd_config

    Configuring ipa.subdomain.com as NIS domain.

    Client configuration complete.

    The ipa-client-install command was successful

    Warning: skipping DNS resolution of host dirpav01.ipa.subdomain.com

    Warning: skipping DNS resolution of host aaa01.ipa.subdomain.com

    Run connection check to master

    Connection check OK

    Configuring NTP daemon (ntpd)

    [1/4]: stopping ntpd

    [2/4]: writing configuration

    [3/4]: configuring ntpd to start on boot

    [4/4]: starting ntpd

    Done configuring NTP daemon (ntpd).

    Configuring directory server (dirsrv). Estimated time: 30 seconds

    [1/42]: creating directory server instance

    [2/42]: enabling ldapi

    [3/42]: configure autobind for root

    [4/42]: stopping directory server

    [5/42]: updating configuration in dse.ldif

    [6/42]: starting directory server

    [7/42]: adding default schema

    [8/42]: enabling memberof plugin

    [9/42]: enabling winsync plugin

    [10/42]: configure password logging

    [11/42]: configuring replication version plugin

    [12/42]: enabling IPA enrollment plugin

    [13/42]: configuring uniqueness plugin

    [14/42]: configuring uuid plugin

    [15/42]: configuring modrdn plugin

    [16/42]: configuring DNS plugin

    [17/42]: enabling entryUSN plugin

    [18/42]: configuring lockout plugin

    [19/42]: configuring topology plugin

    [20/42]: creating indices

    [21/42]: enabling referential integrity plugin

    [22/42]: configuring certmap.conf

    [23/42]: configure new location for managed entries

    [24/42]: configure dirsrv ccache

    [25/42]: enabling SASL mapping fallback

    [26/42]: restarting directory server

    [27/42]: creating DS keytab

    [28/42]: ignore time skew for initial replication

    [29/42]: setting up initial replication

    Starting replication, please wait until this has completed.

    Update in progress, 31 seconds elapsed

    Update succeeded

    [30/42]: prevent time skew after initial replication

    [31/42]: adding sasl mappings to the directory

    [32/42]: updating schema

    [33/42]: setting Auto Member configuration

    [34/42]: enabling S4U2Proxy delegation

    [35/42]: initializing group membership

    [36/42]: adding master entry

    [37/42]: initializing domain level

    [38/42]: configuring Posix uid/gid generation

    [39/42]: adding replication acis

    [40/42]: activating sidgen plugin

    [41/42]: activating extdom plugin

    [42/42]: configuring directory to start on boot

    Done configuring directory server (dirsrv).

    Configuring Kerberos KDC (krb5kdc)

    [1/5]: configuring KDC

    [2/5]: adding the password extension to the directory

    [3/5]: creating anonymous principal

    [4/5]: starting the KDC

    [5/5]: configuring KDC to start on boot

    Done configuring Kerberos KDC (krb5kdc).

    Configuring kadmin

    [1/2]: starting kadmin

    [2/2]: configuring kadmin to start on boot

    Done configuring kadmin.

    Configuring directory server (dirsrv)

    [1/3]: configuring TLS for DS instance

    [2/3]: importing CA certificates from LDAP

    [3/3]: restarting directory server

    Done configuring directory server (dirsrv).

    Configuring the web interface (httpd)

    [1/22]: stopping httpd

    [2/22]: setting mod_nss port to 443

    [3/22]: setting mod_nss cipher suite

    [4/22]: setting mod_nss protocol list to TLSv1.2

    [5/22]: setting mod_nss password file

    [6/22]: enabling mod_nss renegotiate

    [7/22]: disabling mod_nss OCSP

    [8/22]: adding URL rewriting rules

    [9/22]: configuring httpd

    [10/22]: setting up httpd keytab

    [11/22]: configuring Gssproxy

    [12/22]: setting up ssl

    [13/22]: configure certmonger for renewals

    [14/22]: importing CA certificates from LDAP

    [15/22]: publish CA cert

    [16/22]: clean up any existing httpd ccaches

    [17/22]: configuring SELinux for httpd

    [18/22]: create KDC proxy config

    [19/22]: enable KDC proxy

    [20/22]: starting httpd

    [21/22]: configuring httpd to start on boot

    [22/22]: enabling oddjobd

    Done configuring the web interface (httpd).

    Configuring ipa-otpd

    [1/2]: starting ipa-otpd

    [2/2]: configuring ipa-otpd to start on boot

    Done configuring ipa-otpd.

    Configuring ipa-custodia

    [1/4]: Generating ipa-custodia config file

    [2/4]: Generating ipa-custodia keys

    [3/4]: starting ipa-custodia

    [4/4]: configuring ipa-custodia to start on boot

    Done configuring ipa-custodia.

    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes

    [1/30]: creating certificate server db

    [2/30]: setting up initial replication

    Starting replication, please wait until this has completed.

    Update in progress, 30 seconds elapsed

    Update succeeded

    [3/30]: creating ACIs for admin

    [4/30]: creating installation admin user

    [5/30]: configuring certificate server instance

    [6/30]: secure AJP connector

    [7/30]: reindex attributes

    [8/30]: exporting Dogtag certificate store pin

    [9/30]: stopping certificate server instance to update CS.cfg

    [10/30]: backing up CS.cfg

    [11/30]: disabling nonces

    [12/30]: set up CRL publishing

    [13/30]: enable PKIX certificate path discovery and validation

    [14/30]: destroying installation admin user

    [15/30]: starting certificate server instance

    [16/30]: Finalize replication settings

    [17/30]: configure certmonger for renewals

    [18/30]: Importing RA key

    [19/30]: setting audit signing renewal to 2 years

    [20/30]: restarting certificate server

    [21/30]: authorizing RA to modify profiles

    [22/30]: authorizing RA to manage lightweight CAs

    [23/30]: Ensure lightweight CAs container exists

    [24/30]: configure certificate renewals

    [25/30]: configure Server-Cert certificate renewal

    [26/30]: Configure HTTP to proxy connections

    [27/30]: restarting certificate server

    [28/30]: updating IPA configuration

    [29/30]: enabling CA instance

    [30/30]: configuring certmonger renewal for lightweight CAs

    Done configuring certificate server (pki-tomcatd).

    Your system may be partly configured.

    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipapython.admintool: ERROR CA did not start in 300.0s

    ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

    [root@dirpav01 ~]#

    ================================

    /var/log/pki/pki-tomcat/ca/debug

    ================================

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!

    [02/Sep/2022:20:41:02][localhost-startStop-1]: Candidate cert: ocspSigningCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca

    [02/Sep/2022:20:41:02][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: begins

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH

    [02/Sep/2022:20:41:02][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS

    [02/Sep/2022:20:41:02][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: clientIP=10.26.60.179 serverIP=10.26.60.179 serverPort=31746

    [02/Sep/2022:20:41:02][localhost-startStop-1]: SSL handshake happened

    Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)

    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)

    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)

    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:667)

    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1054)

    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:960)

    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:566)

    at com.netscape.certsrv.apps.CMS.init(CMS.java:194)

    at com.netscape.certsrv.apps.CMS.start(CMS.java:1461)

    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)

    at javax.servlet.GenericServlet.init(GenericServlet.java:158)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)

    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)

    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)

    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)

    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)

    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1218)

    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1174)

    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066)

    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5377)

    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5669)

    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)

    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)

    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)

    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)

    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)

    at java.security.AccessController.doPrivileged(Native Method)

    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)

    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)

    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)

    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)

    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

    at java.util.concurrent.FutureTask.run(FutureTask.java:266)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

    at java.lang.Thread.run(Thread.java:750)

    Internal Database Error encountered: Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689)

    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1054)

    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:960)

    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:566)

    at com.netscape.certsrv.apps.CMS.init(CMS.java:194)

    at com.netscape.certsrv.apps.CMS.start(CMS.java:1461)

    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)

    at javax.servlet.GenericServlet.init(GenericServlet.java:158)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)

    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)

    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)

    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)

    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)

    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1218)

    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1174)

    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066)

    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5377)

    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5669)

    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)

    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)

    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)

    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)

    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)

    at java.security.AccessController.doPrivileged(Native Method)

    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)

    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)

    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)

    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)

    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

    at java.util.concurrent.FutureTask.run(FutureTask.java:266)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

    at java.lang.Thread.run(Thread.java:750)

    [02/Sep/2022:20:41:02][localhost-startStop-1]: CMS.start(): shutdown server

    [02/Sep/2022:20:41:02][localhost-startStop-1]: CMSEngine.shutdown()

    [root@dirpav01 ~]#

    ================================

    /var/log/ipareplica-install.log

    ================================

    2022-09-02T18:42:31Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report HTTP Status 500 - Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76'

    2022-09-02T18:42:31Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500

    2022-09-02T18:42:31Z DEBUG Waiting for CA to start…

    2022-09-02T18:42:32Z DEBUG request POST http://dirpav01.ipa.subdomain.com:8080/ca/admin/ca/getStatus

    2022-09-02T18:42:32Z DEBUG request body ''

    2022-09-02T18:42:32Z DEBUG response status 500

    2022-09-02T18:42:32Z DEBUG response headers Server: Apache-Coyote/1.1

    Content-Type: text/html;charset=utf-8

    Content-Language: en

    Content-Length: 2208

    Date: Fri, 02 Sep 2022 18:42:32 GMT

    Connection: close

    2022-09-02T18:42:32Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report HTTP Status 500 - Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76'

    2022-09-02T18:42:32Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500

    2022-09-02T18:42:32Z DEBUG Waiting for CA to start…

    2022-09-02T18:42:33Z DEBUG request POST http://dirpav01.ipa.subdomain.com:8080/ca/admin/ca/getStatus

    2022-09-02T18:42:33Z DEBUG request body ''

    2022-09-02T18:42:34Z DEBUG response status 500

    2022-09-02T18:42:34Z DEBUG response headers Server: Apache-Coyote/1.1

    Content-Type: text/html;charset=utf-8

    Content-Language: en

    Content-Length: 2208

    Date: Fri, 02 Sep 2022 18:42:34 GMT

    Connection: close

    2022-09-02T18:42:34Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report HTTP Status 500 - Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76'

    2022-09-02T18:42:34Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500

    2022-09-02T18:42:34Z DEBUG Waiting for CA to start…

    2022-09-02T18:42:35Z DEBUG request POST http://dirpav01.ipa.subdomain.com:8080/ca/admin/ca/getStatus

    2022-09-02T18:42:35Z DEBUG request body ''

    2022-09-02T18:42:35Z DEBUG response status 500

    2022-09-02T18:42:35Z DEBUG response headers Server: Apache-Coyote/1.1

    Content-Type: text/html;charset=utf-8

    Content-Language: en

    Content-Length: 2208

    Date: Fri, 02 Sep 2022 18:42:35 GMT

    Connection: close

    2022-09-02T18:42:35Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report HTTP Status 500 - Subsystem unavailabletype Exception reportmessage Subsystem unavailabledescription The server encountered an internal error that prevented it from fulfilling this request.exception

    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n

    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.Apache Tomcat/7.0.76'

    2022-09-02T18:42:35Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500

    2022-09-02T18:42:35Z DEBUG Waiting for CA to start…

    2022-09-02T18:42:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute

    return_value = self.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run

    return cfgr.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run

    return self.execute()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute

    for rval in self._executor():

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner

    exc_handler(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception

    self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception

    six.reraise(*exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner

    step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in

    step = lambda: next(self.__gen)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from

    six.reraise(*exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from

    value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure

    next(executor)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner

    exc_handler(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception

    self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception

    self.__parent._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception

    six.reraise(*exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception

    super(ComponentBase, self)._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception

    six.reraise(*exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner

    step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in

    step = lambda: next(self.__gen)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from

    six.reraise(*exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from

    value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install

    for unused in self._installer(self.parent):

    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 629, in main

    replica_install(self)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated

    func(installer)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1568, in install

    ca.install(False, config, options, custodia=custodia)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 255, in install

    install_step_1(standalone, replica_config, options, custodia=custodia)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 391, in install_step_1

    ca.start('pki-tomcat')

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 464, in start

    self.service.start(instance_name, capture_output=capture_output, wait=wait)

    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 192, in start

    self.wait_until_running()

    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 186, in wait_until_running

    raise RuntimeError('CA did not start in %ss' % timeout)

    2022-09-02T18:42:36Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA did not start in 300.0s

    2022-09-02T18:42:36Z ERROR CA did not start in 300.0s

    2022-09-02T18:42:36Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

    [root@dirpav01 ~]#

    Sai

    Like
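Added triage example (not code from this blog, from FreeIPA or from Dogtag) that reads lines in the two log formats quoted in the comment above and reports the LDAP bind failure the CA logged underneath the installer's "CA did not start" symptom. The sample lines are constructed from those formats; the suggested certificate check is a common cause stated as an assumption, not something the logs alone prove.

```python
"""Triage a failed ipa-replica-install whose CA step ends in 'CA did not start'.
Added example (not FreeIPA/Dogtag code): it reads lines in the formats of
/var/log/ipareplica-install.log and /var/log/pki/pki-tomcat/ca/debug."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LDAP_RESULT_NAMES = {48: "inappropriateAuthentication", 49: "invalidCredentials"}
CA_TIMEOUT_RE = re.compile(r"ERROR CA did not start in ([\d.]+)s")
STATUS_RE = re.compile(r"Retrieving CA status failed with status (\d{3})")
LDAP_FAIL_RE = re.compile(
    r"Could not connect to LDAP server host (\S+) port (\d+) "
    r"Error netscape\.ldap\.LDAPException: (.+?) \((\d+)\)")
NICKNAME_RE = re.compile(r"set client auth cert nickname (.+)$")

@dataclass
class Diagnosis:
    ca_timeout_s: Optional[float] = None
    status_failures: int = 0              # getStatus polls answered with 5xx
    ldap_host: Optional[str] = None
    ldap_port: Optional[int] = None
    ldap_code: Optional[int] = None
    ldap_msg: Optional[str] = None
    client_cert_nickname: Optional[str] = None
    findings: List[str] = field(default_factory=list)

def triage(install_log: List[str], ca_debug_log: List[str]) -> Diagnosis:
    """Separate the installer's symptom from the CA's own reported cause."""
    d = Diagnosis()
    for line in install_log:
        m = CA_TIMEOUT_RE.search(line)
        if m:
            d.ca_timeout_s = float(m.group(1))
        m = STATUS_RE.search(line)
        if m and m.group(1).startswith("5"):
            d.status_failures += 1
    for line in ca_debug_log:
        m = NICKNAME_RE.search(line)
        if m:
            d.client_cert_nickname = m.group(1).strip()
        m = LDAP_FAIL_RE.search(line)
        if m and d.ldap_code is None:     # first occurrence is the root cause
            d.ldap_host, d.ldap_port = m.group(1), int(m.group(2))
            d.ldap_msg, d.ldap_code = m.group(3), int(m.group(4))
    if d.ca_timeout_s is not None:
        d.findings.append(f"symptom: {d.status_failures} getStatus polls got HTTP 5xx; "
                          f"installer gave up after {d.ca_timeout_s:g}s")
    if d.ldap_code is not None:
        name = LDAP_RESULT_NAMES.get(d.ldap_code, "unknown")
        d.findings.append(f"cause: CA bind to ldaps://{d.ldap_host}:{d.ldap_port} "
                          f"rejected: {d.ldap_msg} (LDAP result {d.ldap_code} {name})")
    if d.ldap_code in (48, 49) and d.client_cert_nickname:
        # Assumption (a common cause, not proven by the logs alone): the TLS client
        # cert the CA presented is not the one the directory maps to its bind DN.
        d.findings.append(f"check: bind used TLS client cert '{d.client_cert_nickname}'; "
                          "verify it matches the certificate stored for the CA's bind "
                          "entry (pkidbuser) on the directory server")
    return d

# Constructed sample lines, trimmed from the log formats quoted in the post.
SAMPLE_INSTALL_LOG = [
    "2022-09-02T18:42:31Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500",
    "2022-09-02T18:42:32Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500",
    "2022-09-02T18:42:36Z ERROR CA did not start in 300.0s",
]
SAMPLE_CA_DEBUG_LOG = [
    "[02/Sep/2022:20:41:02][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca",
    "Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)",
    "Internal Database Error encountered: Could not connect to LDAP server host dirpav01.ipa.subdomain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_INSTALL_LOG, SAMPLE_CA_DEBUG_LOG).findings))
```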
