I think this keeps coming back to the fact that ldap isn't listening on 7389 for some reason. When I try to *really* manually start pki-ca like this, it complains about ldap before dying:
# sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
:
:
Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://oldmaster.my.com:7389 (91)
[root@oldmaster]#

This bears out what I see in /var/log/pki-ca/catalina.out too.

Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman

On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman <[email protected]> wrote:

> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce <[email protected]> wrote:
>
>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>> > Digging further into my logs this morning, I've discovered that
>> > there are no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>> > either. How can I tell why this isn't running?
>> > /var/log/dirsrv/slapd-MY-COM is getting updated and logged to; it's
>> > just the PKI piece that seems to be dead.
>> >
>> > Nothing in /etc/pki-ca has changed since last year, and the last
>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>> > Feb 5. I just can't tell what that change was....
>>
>> What error do you get if you try to start it?
>
> [root@oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> [root@oldmaster]#
>
> Is there another, preferred way to start it?
>
>> > Would a key change or certificate change have affected this?
>>
>> An expired CA cert might cause the server to stop, but then you would
>> see expired certs all over and also the main IPA instance would not
>> start.
>>
>> > Worst case, if I do something like this:
>> >
>> > # ipa-server-install -U --uninstall
>> > # ipa-server-install
>> >
>> You will completely obliterate all your data.
>>
>> > will I lose the hosts, policies & users I already have configured?
>> > Does this stand a chance of getting me back up to where I can clone
>> > this box and get healthy again?
>>
>> Healthy will be, but with no data, don't do it. (and I suggest you make
>> a full backup just in case)
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
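An added diagnostic, not part of the original thread and not FreeIPA or Dogtag code: a small Python script that pulls the host and port out of the "Could not connect to LDAP server" line that pki-ca writes to catalina.out, then tests whether anything is actually accepting TCP connections there. That separates "the directory server instance behind 7389 is down" (the situation in this thread, where slapd-PKI-IPA has stopped logging) from "something answers but rejects the bind". The sample log text is constructed from the message quoted above, and the host name and port are the ones in the thread.

```python
import re
import socket

# Pattern for the connection error pki-ca writes to catalina.out; the wording
# is taken from the message quoted in the thread above.
LDAP_CONNECT_ERROR = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+)"
)

# Constructed sample of catalina.out content, modelled on the thread's output.
SAMPLE_CATALINA_OUT = """\
Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://oldmaster.my.com:7389 (91)
Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://oldmaster.my.com:7389 (91)
"""


def find_ldap_targets(log_text):
    """Return the distinct (host, port) pairs pki-ca reported it could not reach."""
    seen = []
    for match in LDAP_CONNECT_ERROR.finditer(log_text):
        target = (match.group("host"), int(match.group("port")))
        if target not in seen:
            seen.append(target)
    return seen


def port_accepts_connections(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(log_text, probe=port_accepts_connections):
    """Map each LDAP target named in the log to a one-line verdict.

    'probe' is injectable so the logic can be exercised without network access.
    """
    verdicts = {}
    for host, port in find_ldap_targets(log_text):
        if probe(host, port):
            verdicts[(host, port)] = "accepting TCP connections; the failure is not plain reachability"
        else:
            verdicts[(host, port)] = "nothing accepting TCP connections; check the dirsrv instance that should serve this port"
    return verdicts


if __name__ == "__main__":
    # Against the constructed sample this will report the port as unreachable
    # unless a host named oldmaster.my.com really exists on your network.
    for (host, port), verdict in diagnose(SAMPLE_CATALINA_OUT).items():
        print("%s:%d -> %s" % (host, port, verdict))
```

In the thread's case the verdict for oldmaster.my.com:7389 would be the "nothing accepting TCP connections" one, which points at the slapd-PKI-IPA directory server instance rather than at pki-ca's own configuration.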
