On (16/07/15 09:56), Alexandre Ellert wrote:
>
>> On 16 Jul 2015, at 09:29, Lukas Slebodnik <[email protected]> wrote:
>>
>> I had a similar issue on fedora 21 or fedora 22.
>> The workarounds from freeipa ticket #4666 did not help for me either.
>> I found out that there was some problem with upgrading dogtag configuration.
>>
>> You can try to run the upgrade manually. It might help you.
>> [root@vm-114 ~]# rpm -q --scripts pki-server
>> postinstall scriptlet (using /bin/sh):
>> ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
>> ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
>> ## PKI deployment process
>>
>> echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> /sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>>
>> systemctl daemon-reload
>>
>>
>> In my case, it didn't help. So I updated freeipa to the latest version.
>> Then I installed a similar new freeipa on another machine. So I had a functional
>> dogtag. Then I tried to fix the broken dogtag configuration using the functional
>> configuration from the 2nd freeipa. I would definitely recommend backing up data
>> from the old freeipa before any manual updates.
>>
>> Maybe Fraser would have better advice.
>>
>> LS
>
> I tried the suggested solution with the pki-server-upgrade script but it didn't
> fix it; the output was:
> # cat /var/log/pki/pki-server-upgrade-10.1.2.log
> Upgrading from version 10.1.2 to 10.1.2:
> 1. Add TLS Range Support
>
> Upgrade complete.
>
> I will try the second solution and install a fresh new IPA server to compare
> the dogtag configuration.
> Do you know what files/directories I should check?
>

I filtered my bash history and here is the output. I hope the history contains
all files. Please do not forget to back up all data.

[root@vm-114 ~]# history | grep vimdiff
  272  vimdiff pki/pki-tomcat/pki.policy /etc/pki/pki-tomcat/pki.policy
  275  vimdiff pki/pki-tomcat/context.xml /etc/pki/pki-tomcat/context.xml
  277  vimdiff pki/pki-tomcat/tomcat-users.xml pki/pki-tomcat/tomcat-users.xml
  278  vimdiff pki/pki-tomcat/tomcat-users.xml /etc/pki/pki-tomcat/tomcat-users.xml
  280  vimdiff pki/pki-tomcat/log4j.properties /etc/pki/pki-tomcat/log4j.properties
  288  vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
  290  vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
  293  vimdiff pki/pki-tomcat/tomcat.conf /etc/pki/pki-tomcat/tomcat.conf
  299  vimdiff pki/pki-tomcat/server.xml /etc/pki/pki-tomcat/server.xml
  302  vimdiff pki/pki-tomcat/Catalina/localhost/ca.xml /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
  304  vimdiff pki/pki-tomcat/ca/vlvtasks.ldif /etc/pki/pki-tomcat/ca/vlvtasks.ldif
  306  vimdiff pki/pki-tomcat/ca/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
  307  vimdiff pki/pki-tomcat/ca/acl.ldif /etc/pki/pki-tomcat/ca/acl.ldif
  309  vimdiff pki/pki-tomcat/ca/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
  312  vimdiff pki/pki-tomcat/ca/database.ldif /etc/pki/pki-tomcat/ca/database.ldif
  314  vimdiff pki/pki-tomcat/ca/db.ldif /etc/pki/pki-tomcat/ca/db.ldif
  316  vimdiff pki/pki-tomcat/ca/index.ldif /etc/pki/pki-tomcat/ca/index.ldif
  318  vimdiff pki/pki-tomcat/ca/manager.ldif /etc/pki/pki-tomcat/ca/manager.ldif
  320  vimdiff pki/pki-tomcat/ca/proxy.conf /etc/pki/pki-tomcat/ca/proxy.conf
  322  vimdiff pki/pki-tomcat/ca/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
  325  vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif
  613  vimdiff pki/java/cacerts /etc/pki/java/cacerts
  623  vimdiff pki/default.cfg /etc/pki/default.cfg
  626  vimdiff pki/pki.version /etc/pki/pki.version
  632  vimdiff pki/pki-tomcat/logging.properties /etc/pki/pki-tomcat/logging.properties
  635  vimdiff pki/pki-tomcat/catalina.policy /etc/pki/pki-tomcat/catalina.policy
  638  vimdiff pki/pki-tomcat/web.xml /etc/pki/pki-tomcat/web.xml
  654  vimdiff pki/pki-tomcat/ca/CS.cfg /etc/pki/pki-tomcat/ca/CS.cfg
  666  vimdiff pki/ca-trust/ca-legacy.conf /etc/pki/ca-trust/ca-legacy.conf
  677  vimdiff pki/nssdb/pkcs11.txt /etc/pki/nssdb/pkcs11.txt
  684  vimdiff pki/default.cfg /etc/pki/default.cfg
  707  vimdiff pki/tls/openssl.cnf etc/pki/tls/openssl.cnf
  708  vimdiff pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
  871  vimdiff slapd-IDM-EXAMPLE-COM/dse.ldif /etc/dirsrv/slapd-IDM-EXAMPLE-COM/dse.ldif
 1005  vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif

It is also possible that some certificates might be expired because dogtag was
not functional for some time. So please take a look at the wiki:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
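
Added example (not part of the original message, and not FreeIPA or Dogtag code): a read-only triage script for the comparison described above. It checks the /etc/pki files named in the vimdiff history against a reference copy taken from a working server and reports which ones differ, so only those need opening in vimdiff. The function name and the REF_DIR/LIVE_ROOT arguments are assumptions; the dse.ldif pair is left out because it lives under /etc/dirsrv rather than /etc/pki.

```sh
#!/bin/sh
# Added example: read-only triage of which Dogtag config files differ between
# a reference copy (working server) and the live tree (broken server).
# Paths are relative to /etc and come from the vimdiff history in the message.
PKI_FILES='
pki/default.cfg pki/pki.version pki/java/cacerts pki/tls/openssl.cnf
pki/ca-trust/ca-legacy.conf pki/nssdb/pkcs11.txt
pki/pki-tomcat/pki.policy pki/pki-tomcat/catalina.policy
pki/pki-tomcat/context.xml pki/pki-tomcat/server.xml pki/pki-tomcat/web.xml
pki/pki-tomcat/tomcat.conf pki/pki-tomcat/tomcat-users.xml
pki/pki-tomcat/log4j.properties pki/pki-tomcat/logging.properties
pki/pki-tomcat/password.conf pki/pki-tomcat/Catalina/localhost/ca.xml
pki/pki-tomcat/ca/CS.cfg pki/pki-tomcat/ca/registry.cfg
pki/pki-tomcat/ca/proxy.conf pki/pki-tomcat/ca/caOCSPCert.profile
pki/pki-tomcat/ca/adminCert.profile pki/pki-tomcat/ca/acl.ldif
pki/pki-tomcat/ca/database.ldif pki/pki-tomcat/ca/db.ldif
pki/pki-tomcat/ca/index.ldif pki/pki-tomcat/ca/manager.ldif
pki/pki-tomcat/ca/schema.ldif pki/pki-tomcat/ca/vlvtasks.ldif
'

# compare_pki_config REF_DIR LIVE_ROOT   (both argument names are assumptions)
#   REF_DIR   directory holding the copied pki/ tree from the working server
#   LIVE_ROOT normally /etc on the server being repaired
compare_pki_config() {
    ref=$1 live=$2
    for f in $PKI_FILES; do
        if [ ! -f "$ref/$f" ]; then
            echo "NOREF   $f"
        elif [ ! -f "$live/$f" ]; then
            echo "NOLIVE  $f"
        elif cmp -s "$ref/$f" "$live/$f"; then
            echo "SAME    $f"
        else
            case $f in
                # Secrets and binary stores: report status only, never content.
                */password.conf|*/cacerts) echo "DIFFER  $f" ;;
                *) n=$(diff "$ref/$f" "$live/$f" | grep -c '^[<>]' || true)
                   echo "DIFFER  $f ($n lines)" ;;
            esac
        fi
    done
}

# Usage: sh compare.sh /root/reference-etc /etc
if [ "$#" -eq 2 ]; then compare_pki_config "$1" "$2"; fi
```

Nothing is written to either tree, so the script can run before the backup step the message asks for.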
