On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:

I have tried to deinstall and reinstall the ipa server but the
installation is now failing.

The ipa-server-install is failing with the following:

[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit
status 1
Configuration of CA failed

This happens each time I try to uninstall and reinstall the ipa server
on RHEL V7.

Looking at the latest log in /var/log/pki, I see this at the end of
the log:

2014-10-01 11:53:10 pkispawn    : INFO     BEGIN spawning subsystem
'CA' of instance 'pki-tomcat' . . .
2014-10-01 11:53:10 pkispawn    : INFO     ... initializing
2014-10-01 11:53:10 pkispawn    : ERROR    ....... PKI subsystem 'CA'
for instance 'pki-tomcat' already exists!
2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Type: SystemExit
2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Message: 1
2014-10-01 11:53:10 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 374, in main
  rv = instance.spawn()
line 56, in spawn
File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
line 990, in verify_subsystem_does_not_exist

I am no python expert by any means and I'm not sure what this is
telling us so any help
would be greatly appreciated.

This issue is known -- when CA install fails, we roll back but since CA
isn't installed, we miss rolling it back. There is a ticket for
eventually fixing this issue.

Which ticket is this? The rollback was actually disabled to allow troubleshooting the failed installation:

I think this ticket is unrelated -- its solution only affects
ipa-client-install --on-master, not what ipa-server-install does when it
rolls back configuration for dirsrv and other servers.

I can't find the exact ticket though.

The following sequence should clean up all the bits:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

It's not official, but we call this step pki-nuke.

It also helps to reboot between multiple reinstalls on a single machine.

Rather than rolling back the installation automatically (and deleting all files needed to troubleshoot the problem), it would be better to provide an option to the uninstall command to forcibly remove all installed files regardless of whether the installation was successful or not, just like the pki-nuke above.

We simply have no information about what pkicreate did before
it failed.
--
/ Alexander Bokovoy
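
A read-only pre-flight check for the leftovers discussed in this thread, as an added example that is not part of the original messages or of FreeIPA/Dogtag: it reports which of the paths from the cleanup sequence still exist before ipa-server-install is run again. The function names and the optional root-prefix argument are hypothetical, and the path list is only the one quoted above, not necessarily everything pkispawn inspects.

```shell
#!/bin/sh
# Added example: list leftover pki-tomcat state without deleting anything.
# The paths are exactly those named in the cleanup sequence in this thread.
PKI_PATHS="/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat"

# pki_residue [ROOT]
# Prints each leftover path, one per line, in the order listed above.
# Returns 0 when nothing is left, 1 when at least one path remains.
# ROOT is a hypothetical prefix so the check can be tried on a scratch tree.
pki_residue() {
    root="${1:-}"
    found=0
    for p in $PKI_PATHS; do
        # -e is false for a dangling symlink, so test -L as well
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# pki_preflight [ROOT]
# Human-readable summary on stderr, leftover paths on stdout.
pki_preflight() {
    if left=$(pki_residue "${1:-}"); then
        echo "clean: none of the listed pki-tomcat paths exist" >&2
        return 0
    fi
    count=$(printf '%s\n' "$left" | wc -l | tr -d ' ')
    echo "residue: $count listed path(s) still present" >&2
    printf '%s\n' "$left"
    return 1
}

# Run the check only when invoked as: script --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    pki_preflight "${2:-}"
    exit $?
fi
```
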
