Closed pki-bot closed 4 years ago
Comment from abbra (@abbra) at 2014-11-03 17:16:58
Our current workaround is to set
dn: cn=encryption,cn=config
sslVersionMin: tls1
in dse.ldif of the LDAP server instance. However, we should be able to force TLS 1.2 where possible, so any effort from Dogtag team side to find out what prevents that on Java side is really appreciated.
Comment from nkinder (@nkinder) at 2014-11-04 01:34:38
Replying to [comment:2 abbra]:
Our current workaround is to set
dn: cn=encryption,cn=config
sslVersionMin: tls1
in dse.ldif of the LDAP server instance. However, we should be able to force TLS 1.2 where possible, so any effort from Dogtag team side to find out what prevents that on Java side is really appreciated.
Some modifications are likely needed to ldapjdk to allow it to use the newer JSS code for TLS 1.1 and greater.
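An added check for the situation the two comments above describe (not code from the ticket, Dogtag or 389-ds): it parses a 389-ds dse.ldif offline, reads sslVersionMin from cn=encryption,cn=config, and reports whether a client that can only negotiate TLS 1.0 (the old JSS/ldapjdk path) would still be admitted, i.e. whether the "sslVersionMin: tls1" workaround is in place or the server now requires TLS 1.1+. The accepted value spellings (tls1, TLS1.0, TLS1.1, TLS1.2, treated case-insensitively with "tls1" meaning TLS1.0) and the sample dse.ldif fragments are assumptions.

```python
# Added example, not from the ticket: offline check of a 389-ds dse.ldif to
# tell whether cn=encryption,cn=config still admits a TLS 1.0-only client.
# Assumed value spellings: tls1, TLS1.0, TLS1.1, TLS1.2 ("tls1" == TLS1.0).
import base64

TLS_ORDER = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}

def parse_ldif(text):
    """Return {dn: {attr: [values]}} with lower-cased DNs and attribute names,
    unfolding RFC 2849 continuation lines and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        value = value.strip()
        if attr.lower() == "dn":
            dn = value.lower().replace(" ", "")
        else:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def min_tls_version(dse_text):
    """Normalized sslVersionMin of cn=encryption,cn=config, or None if unset."""
    enc = parse_ldif(dse_text).get("cn=encryption,cn=config", {})
    if not enc.get("sslversionmin"):
        return None
    v = enc["sslversionmin"][0].upper().replace(" ", "")
    v = "TLS1.0" if v == "TLS1" else v
    if v not in TLS_ORDER:
        raise ValueError("unrecognized sslVersionMin value: %s" % v)
    return v

def tls10_client_accepted(dse_text):
    """True/False for an explicit minimum; None when unset (build default)."""
    vmin = min_tls_version(dse_text)
    return None if vmin is None else TLS_ORDER[vmin] <= TLS_ORDER["TLS1.0"]

# Constructed samples: the ticket's workaround versus a TLS 1.2-only server.
WORKAROUND_DSE = "dn: cn=encryption,cn=config\nobjectClass: top\nsslVersionMin: tls1\n"
HARDENED_DSE = "dn: cn=encryption,cn=config\nobjectClass: top\nsslVersionMin:: VExTMS4y\n"
```

Run it against a copy of the instance's dse.ldif (e.g. `tls10_client_accepted(open(path).read())`); a False result is exactly the configuration under which the CA's LDAP client fails as in the debug log below.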
Comment from mkosek (@mkosek) at 2014-11-04 09:56:22
Also CCing Honza. AFAIU, JSS is about to be updated to handle TLS 1.1+.
Comment from tbordaz (@tbordaz) at 2014-11-04 11:26:01
These are the tests done on F20 with the latest jss and tomcatjss updates. They do not prevent (by themselves) the failure during IPA install.
Those updates were suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1158410
Freeipa version: is ipa-4-0 branch (Nov 4th)
DS version: is master branch (Nov 3rd)
jss-4.2.6-35.fc20.x86_64
389-ds-base-2014_11_03-1.fc20.x86_64
tomcatjss-7.1.1-1.fc20.noarch
pki-server-10.2.0-3.fc20.noarch
freeipa-server-4.0.4GITc55f153-0.fc20.x86_64
...
[24/26]: configure RA certificate renewal
[25/26]: configure Server-Cert certificate renewal
[26/26]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
CA did not start in 300.0s
tail -100 /var/log/pki/pki-tomcat/ca/debug
[04/Nov/2014:03:58:24][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[04/Nov/2014:03:58:24][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=false
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapBoundConnFactory: init
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init()
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init begins
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapAuthInfo: init ends
[04/Nov/2014:03:58:24][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[04/Nov/2014:03:58:24][localhost-startStop-1]: makeConnection: errorIfDown true
[04/Nov/2014:03:58:24][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[04/Nov/2014:03:58:24][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host vm-043.xxx.xx.xxx port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1192)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:670)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[04/Nov/2014:03:58:24][localhost-startStop-1]: CMSEngine.shutdown()
[04/Nov/2014:03:58:24][localhost-startStop-1]: LogFile:In log shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: LogFile:In log shutdown
[04/Nov/2014:03:58:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[04/Nov/2014:03:58:40][http-bio-8443-exec-2]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
Comment from cfu (@cfu) at 2014-11-24 21:59:00
I believe this is taken care of by https://fedorahosted.org/pki/ticket/1206 TLS range support: code change needed for cs when acting as client
Comment from tbordaz (@tbordaz) at 2017-02-27 14:09:57
Metadata Update from @tbordaz:
This issue was migrated from Pagure Issue #1197. Originally filed by tbordaz (@tbordaz) on 2014-11-03 17:07:27:
When installing IPA 4.0.4 with last DS branch, CS fails to start with the following messages
PKI version is
This ticket is linked with IPA ticket https://fedorahosted.org/freeipa/ticket/4666