I think this keeps coming back to the fact that ldap isn't listening on
7389 for some reason. When I try to *really* manually start pki-ca like
this, it complains about ldap before dying:
# sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath
Could not connect to LDAP server host oldmaster.my.com port 7389 Error
netscape.ldap.LDAPException: failed to connect to server ldap://
This bears out what I see in /var/log/pki-ca/catalina.out too.
On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman
> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce <s...@redhat.com> wrote:
>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>> > Digging further into my logs this morning, I've discovered that
>> > there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>> > either. How can I tell why this isn't
>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>> > to, it's just the PKI piece that seems to be dead.
>> > Nothing in /etc/pki-ca has changed since last year, and the last
>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>> > Feb 5. I just can't tell what that change was....
>> What error do you get if you try to start it ?
> [root@oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> Is there another, preferred way to start it?
>> > Would a key change or certificate change have affected this?
>> An expired CA cert might cause the server to stop, but then you would
>> see expired certs all over and also the main IPA instance would not
>> > Worst case, if I do something like this:
>> > # ipa-server-install -U --uninstall
>> > # ipa-server-install
>> You will completely obliterate all your data.
>> > will I lose the hosts, policies & users I already have configured?
>> > Does this stand a chance of getting me back up to where I can clone
>> > this box and get healthy again?
>> Healthy will be, but with no data, don't do it. (and I suggest you make
>> a full backup just in case)
>> Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list