What version is the Dogtag instance on that server? (rpm -q pki-ca) 

We have seen cases where the CS.cfg has zero length, and have modified
the code to:
1) not write to CS.cfg on startup
2) back up the CS.cfg on upgrades.

Under normal operations, unless you are configuring the Dogtag instance
(which would not be happening during normal IPA operations), the CS.cfg
should not be written to.

Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
(assuming this is Dogtag 10) or under /var/log/pki/server/upgrade?


On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
> Martin,
> The only other systems I have running IPA are on another network. I 
> could take their CS.cfg file and try to modify it to fit what this one 
> should have had, but that's my only option.
> On the up side, this is a relatively small network, and reinstating the 
> users and hosts won't be an enormous task. Big, but not enormous. And I 
> should have had a backup, especially knowing there was a scheduled power 
> outage coming up. Because those are always problem-free....  ;-)
> Bret
> On 01/27/2014 04:14 AM, Martin Kosek wrote:
> > On 01/27/2014 01:51 AM, Bret Wortman wrote:
> >> We had to reboot the IPA server on a standalone network recently, and this 
> >> IPA server is the only one on that network; there are no replicas. Upon 
> >> restarting, the IPA software refused to start because, after a couple 
> >> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
> >>
> >> How can I most easily restore this file given that I doubt we have a 
> >> backup (our bad)? Is there a way to basically reinstall the server without 
> >> losing the data in the database? Our users and host definitions, anyway?
> >>
> >> Thanks!
> >>
> >>
> >> Bret
> > Hello Bret,
> >
> > Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
> > while the IPA server restarted. What version of IPA and PKI are we talking
> > about?
> >
> > Do you have any other PKI server with CA you can use as a source of the
> > CS.cfg file or as a replica to reinstall the IPA server with CA from (in
> > the worst case)?
> >
> > I am adding PKI developers to the CC to advise.
> >
> > Martin

Freeipa-users mailing list
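
The check discussed in this thread, as an added example that is not part of the original messages or of the Dogtag/IPA code: it classifies CS.cfg as missing, empty or ok and lists non-empty candidate copies in the directories named above. The function names, the optional root prefix (used for testing against a copied tree) and the `CS.cfg*` file-name pattern for backups are assumptions.

```shell
#!/bin/sh
# Added example: detect a zero-length CS.cfg and list non-empty copies.
# Directories are the ones named in the thread; the 'CS.cfg*' pattern for
# backup file names and the optional root prefix are assumptions.

# Print "missing", "empty" or "ok" for one file path.
cs_cfg_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty          # exists but zero-length, the failure in the thread
    else
        echo ok
    fi
}

# Print every non-empty CS.cfg* file found under the candidate directories.
cs_cfg_candidates() {
    root=${1:-}
    for d in "$root/etc/pki/pki-tomcat/ca" \
             "$root/etc/pki-ca" \
             "$root/var/log/pki/server/upgrade"; do
        # -size +0c keeps only files larger than zero bytes
        [ -d "$d" ] && find "$d" -type f -name 'CS.cfg*' -size +0c
    done
    return 0
}

# Human-readable summary: state of each live config, then candidate copies.
cs_cfg_report() {
    root=${1:-}
    for f in "$root/etc/pki-ca/CS.cfg" "$root/etc/pki/pki-tomcat/ca/CS.cfg"; do
        printf '%s: %s\n' "$f" "$(cs_cfg_state "$f")"
    done
    echo "non-empty candidates:"
    cs_cfg_candidates "$root" | while IFS= read -r c; do
        ls -l "$c"
    done
}

cs_cfg_report "${1:-}"
```

The script only reads; copy the zero-length file aside before restoring anything over it, so the original state stays available for diagnosis.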
