Hi,

I am in a similar boat, well, RHEL 6.7 to RHEL 7.1. I joined a RHEL 7.1 / IPA 4.1 to the 6.7 / IPA 3.0 --self-cert domain, got rid of all the 6.7's so I was CA-less. Did a full backup on the RHEL 7.1 / IPA 4.1. Blew away the IPA server, installed fresh, pki-tomcat runs, did a restore and pki-tomcat doesn't run.

BTW, what does --data do? I tried that before a full restore and no passwords worked, i.e. I could not log in and no users worked at all, so it seems pointless? Or maybe rather: what is it for, and when to use it?

Regards,
Steven

________________________________
From: [email protected] <[email protected]> on behalf of Alexandre Ellert <[email protected]>
Sent: Wednesday, 16 September 2015 12:09 a.m.
To: Martin Babinsky
Cc: [email protected]; Alexander Bokovoy
Subject: Re: [Freeipa-users] Failed to start pki-tomcatd Service

So, here is the recap: I migrated a single IPA server on CentOS 6.6 to a dual IPA server setup on CentOS 7.1. The PKI was only installed on server two. Everything was working fine: replication OK, new enrollments OK, authentication with Kerberos and LDAP OK.

After some time, I discovered that the pki-tomcatd service didn't restart automatically after reboot on server two. Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...

Maybe I should use ipa-backup, then rebuild an IPA infrastructure, and then ipa-restore? Please advise.

2015-09-07 13:36 GMT+02:00 Alexandre Ellert <[email protected]>:
> On 4 Sept 2015 at 16:37, Martin Babinsky <[email protected]> wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <[email protected]> wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <[email protected]> wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <[email protected]> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
>>>>>>>> another replica?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new
>>>>>> replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only
>>>>>> things to do?
>>>>> No, you also need to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can't remove the node on which I have a problem with pki-tomcatd:
>>>>
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation
>>>> without a CA
>>>>
>>>> It seems that it's the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on an existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without the pki-tomcatd service):
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible?
>>
> You must provide a replica file as an argument to ipa-ca-install if you want
> to set up a CA on another replica.
>
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line:

[root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
[email protected] password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
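The refusal Alexandre ran into ("Deleting this server is not allowed as it would leave your installation without a CA") is exactly the check worth running before typing the irreversible `ipa-replica-manage del`. The script below is an added example by the editor, not part of this thread and not FreeIPA code. It assumes that `ipa-csreplica-manage list` prints one "<fqdn>: master" line per server carrying a CA (FreeIPA 4.x), and it works on constructed sample listings modelled on the two-server setup in the thread so that it runs offline; in practice you would pass the real command's output as the second argument.

```bash
#!/bin/bash
# Pre-flight check before decommissioning an IPA master (added example,
# not FreeIPA code). Reproduces the condition behind the
# "would leave your installation without a CA" refusal of
# `ipa-replica-manage del`, so it can be seen before the command is run.
#
# Assumption: `ipa-csreplica-manage list` prints one "<fqdn>: master" line
# per server that runs a CA (FreeIPA 4.x). That output is passed in as $2.

# count_ca_masters: number of "<fqdn>: master" lines on stdin.
count_ca_masters() {
    # grep -c exits 1 when the count is 0; the count is still printed,
    # so mask the exit status to keep callers simple.
    grep -c ': master$' || true
}

# host_is_ca_master FQDN: succeeds if FQDN is listed as a CA master.
# -F -x: fixed-string, whole-line match, so the dots in an FQDN are not regex.
host_is_ca_master() {
    grep -qxF -- "$1: master"
}

# safe_to_delete FQDN LISTING: succeeds if removing FQDN still leaves a CA.
safe_to_delete() {
    local host="$1" listing="$2"
    if ! printf '%s\n' "$listing" | host_is_ca_master "$host"; then
        return 0   # no CA on this host; the CA topology is unaffected
    fi
    [ "$(printf '%s\n' "$listing" | count_ca_masters)" -gt 1 ]
}

# Constructed sample listings (not real command output): first only
# inf-ipa-2 carries the CA, as in the thread; then a CA has also been
# added to inf-ipa with ipa-ca-install <replica-file>.
SINGLE_CA_LISTING='inf-ipa-2.numeezy.fr: master'
TWO_CA_LISTING='inf-ipa.numeezy.fr: master
inf-ipa-2.numeezy.fr: master'

# check_or_explain FQDN LISTING: human-readable verdict with the next step.
check_or_explain() {
    if safe_to_delete "$1" "$2"; then
        echo "$1: safe to run 'ipa-replica-manage del $1'"
    else
        echo "$1: refusing; deleting it would leave the installation without a CA"
        echo "    add a CA on another master first: ipa-ca-install <replica-file>"
    fi
}

check_or_explain inf-ipa.numeezy.fr   "$SINGLE_CA_LISTING"
check_or_explain inf-ipa-2.numeezy.fr "$SINGLE_CA_LISTING"
check_or_explain inf-ipa-2.numeezy.fr "$TWO_CA_LISTING"
```

Run against a live deployment, the same functions take the output of `ipa-csreplica-manage list` as their listing; the point of the check is that the decision depends only on how many CA masters remain, which is why the thread's fix is to add a CA to the surviving replica before removing the broken one.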
