What version is the Dogtag instance on that server? (rpm -q pki-ca)
We have seen cases when the CS.cfg has zero length - and have modified
1) not write to CS.cfg on startup
2) backup the CS.cfg on upgrades.
Under normal operations, unless you are configuring the Dogtag instance
- which would not be happening during normal IPA operations, the CS.cfg
should not be written to.
Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
(assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?
On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
> The only other systems I have running IPA are on another network. I
> could take their CS.cfg file and try to modify it to fit what this one
> should have had, but that's my only option.
> On the up side, this is a relatively small network, and reinstating the
> users and hosts won't be an enormous task. Big, but not enormous. And I
> should have had a backup, especially knowing there was a scheduled power
> outage coming up. Because those are always problem-free.... ;-)
> On 01/27/2014 04:14 AM, Martin Kosek wrote:
> > On 01/27/2014 01:51 AM, Bret Wortman wrote:
> >> We had to reboot the IPA server on a standalone network recently, and this
> >> IPA server is the only one on that network; there are no replicas. Upon
> >> restarting, the IPA software refused to start because, after a couple
> >> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
> >> How can I most easily restore this file given that I doubt we have a
> >> backup (our bad)? Is there a way to basically reinstall the server without
> >> losing the data in the database? Our users and host definitions, anyway?
> >> Thanks!
> >> Bret
> > Hello Bret,
> > Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
> > while the IPA server restarted. What version of IPA and PKI are we talking
> > about?
> > Do you have any other PKI server with CA you can use as a source of the
> > CS.cfg
> > file or as a replica to reinstall the IPA server with CA from (in the worst
> > case)?
> > I am adding PKI developers to the CC to advise.
> > Martin
Freeipa-users mailing list