When installing IPA 4.0.4 with the latest DS branch, CS fails to start with the following messages:

...
  [25/26]: configure Server-Cert certificate renewal
  [26/26]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
CA did not start in 300.0s
PKI version is:

pki-base-10.2.0-3.fc20.noarch
dogtag-pki-server-theme-10.1.1-1.fc20.noarch
pki-ca-10.2.0-3.fc20.noarch
pki-server-10.2.0-3.fc20.noarch
pki-tools-10.2.0-3.fc20.x86_64
pki-kra-10.2.0-3.fc20.noarch
This ticket is linked with IPA ticket https://fedorahosted.org/freeipa/ticket/4666
Our current workaround is to set

dn: cn=encryption,cn=config
sslVersionMin: tls1

in dse.ldif of the LDAP server instance. However, we should be able to force TLS 1.2 where possible, so any effort from the Dogtag team side to find out what prevents that on the Java side is really appreciated.
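As an added diagnostic (not part of this ticket, nor of Dogtag or 389-DS code), the script below reads sslVersionMin/sslVersionMax from a cn=encryption,cn=config entry, decides whether a client whose newest protocol is a given TLS version can still complete the handshake, and can probe a live LDAPS port pinned to one version to confirm what the server actually accepts. The sample LDIF is constructed after the workaround above, and the defaults assumed for absent attributes are this example's assumption.

```python
import socket
import ssl

TLS_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # 389-DS names, oldest first

# Constructed sample modelled on the ticket's workaround entry (not a real dse.ldif).
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
sslVersionMin: tls1
sslVersionMax: TLS1.2
"""

def normalize(value):
    """Map the spellings 389-DS accepts (tls1, TLS1.0, tls1.2 ...) onto TLS_ORDER names."""
    value = value.strip().upper()
    return "TLS1.0" if value in ("TLS1", "TLS1.0") else value

def parse_encryption_entry(ldif):
    """Return the server's {'min', 'max'} range from the cn=encryption,cn=config entry.
    The defaults used when an attribute is absent are an assumption of this example."""
    rng = {"min": "TLS1.0", "max": "TLS1.3"}
    in_entry = False
    for line in ldif.splitlines():
        attr, _, val = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn":
            in_entry = val.strip().lower() == "cn=encryption,cn=config"
        elif in_entry and attr in ("sslversionmin", "sslversionmax"):
            rng[attr[-3:]] = normalize(val)
    return rng

def client_can_connect(server_range, client_max):
    """A client whose newest protocol is client_max (TLS1.0 for the old ldapjdk/JSS stack)
    handshakes only if that meets sslVersionMin; otherwise the CA logs the JSS socket error."""
    return TLS_ORDER.index(client_max) >= TLS_ORDER.index(server_range["min"])

def probe_ldaps(host, port=636, version=ssl.TLSVersion.TLSv1_2, timeout=5):
    """Handshake pinned to one TLS version; returns the negotiated version or None.
    Certificate checks are off because this tests protocol support, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None
```

Run probe_ldaps against the DS host with TLSv1, TLSv1_1 and TLSv1_2 in turn: once the Java side negotiates TLS 1.2, the tls1 workaround can be reverted and the TLS 1.0 probe should return None.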
Replying to [comment:2 abbra]:
> Our current workaround is to set
>
> dn: cn=encryption,cn=config
> sslVersionMin: tls1
>
> in dse.ldif of the LDAP server instance. However, we should be able to force TLS 1.2 where possible, so any effort from Dogtag team side to find out what prevents that on Java side is really appreciated.
Some modifications are likely needed to ldapjdk to allow it to use the newer JSS code for TLS 1.1 and greater.
Also CCing Honza. AFAIU, JSS is about to be updated to handle TLS 1.1+.
These are the tests done on F20 with the latest jss and tomcatjss updates. They do not prevent (by themselves) the failure during IPA install.
Those updates were suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1158410
Freeipa version is ipa-4-0 branch (Nov 4th)
DS version is master branch (Nov 3rd)

jss-4.2.6-35.fc20.x86_64
389-ds-base-2014_11_03-1.fc20.x86_64
tomcatjss-7.1.1-1.fc20.noarch
pki-server-10.2.0-3.fc20.noarch
freeipa-server-4.0.4GITc55f153-0.fc20.x86_64

...
  [24/26]: configure RA certificate renewal
  [25/26]: configure Server-Cert certificate renewal
  [26/26]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
CA did not start in 300.0s

tail -100 /var/log/pki/pki-tomcat/ca/debug

[04/Nov/2014:03:58:24][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[04/Nov/2014:03:58:24][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=false
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapBoundConnFactory: init
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init()
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init begins
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init ends
[04/Nov/2014:03:58:24][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[04/Nov/2014:03:58:24][localhost-startStop-1]: makeConnection: errorIfDown true
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[04/Nov/2014:03:58:24][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host vm-043.xxx.xx.xxx port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1192)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:670)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[04/Nov/2014:03:58:24][localhost-startStop-1]: CMSEngine.shutdown()
[04/Nov/2014:03:58:24][localhost-startStop-1]: LogFile:In log shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: LogFile:In log shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[04/Nov/2014:03:58:40][http-bio-8443-exec-2]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
I believe this is taken care of by https://fedorahosted.org/pki/ticket/1206 (TLS range support: code change needed for cs when acting as client).
Metadata Update from @tbordaz: - Issue set to the milestone: 10.2.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1759
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.