On 2/26/2015 8:02 AM, Les Stott wrote:
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger \
    /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid \
    /usr/share/pki /etc/ipa /var/log/ipa*
reboot
Now you have a clean slate.
Do you know which step of the steps above actually helped you resolve the
The reboot I think was key to the whole process, but pki remnants seemed left
behind too which caused grief. Previously I had never rebooted the system in
/etc/ipa/ca.crt was also left behind. It caused an issue during one reinstall
as it never got updated and the install bombed out because it found a
mismatched cert. This led me to deleting all possible ipa/pki directories and
then removing/reinstalling rpms to restore to default state.
I noticed that in some cases (I went through this same process on 6 servers to reinstall
and set up CA replicas) I could still see a leftover process running as the pkiuser
(tomcat/java) which stopped the "userdel pkiuser" command from completing. I
had to kill that process and then userdel pkiuser worked.
Some of the above files/folders should have been removed automatically
when the Dogtag instance/package is removed. There's already a ticket to
improve this on Dogtag 10:
I created a new ticket for Dogtag 9:
Endi S. Dewata
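
Added example (not part of the original messages, and not FreeIPA or Dogtag code): a read-only check, run before the installer, for the leftovers this thread describes: the paths from the rm command, the /var/log/ipa* logs, and any process still running as pkiuser. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only preflight check: reports remnants, deletes nothing.
# Paths are the ones in the rm -rf command quoted in this thread;
# the /var/log/ipa* glob is handled separately below.
PKI_IPA_PATHS="/etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger
/etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid
/usr/share/pki /etc/ipa"

# Print each leftover path, one per line. $1 is an optional root prefix
# (assumption: lets the check run against a scratch tree or a mounted image).
find_leftovers() {
    root="${1:-}"
    for p in $PKI_IPA_PATHS; do
        if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
    done
    for f in "$root"/var/log/ipa*; do
        # An unmatched glob stays literal, so test for existence first.
        if [ -e "$f" ]; then printf '%s\n' "${f#"$root"}"; fi
    done
    return 0
}

# Print PIDs still running as the Dogtag service account (pkiuser in the
# thread); such a process is what blocked "userdel pkiuser".
pkiuser_pids() {
    user="${1:-pkiuser}"
    id "$user" >/dev/null 2>&1 || return 0   # account already removed
    pgrep -u "$user" 2>/dev/null || true
}

# Return 0 only when the host looks clean; otherwise list what remains.
preflight() {
    root="${1:-}"
    user="${2:-pkiuser}"
    left=$(find_leftovers "$root")
    pids=$(pkiuser_pids "$user")
    [ -z "$left" ] || printf 'leftover path: %s\n' $left
    [ -z "$pids" ] || printf 'process still running as service account: pid %s\n' $pids
    [ -z "$left$pids" ]
}
```

Calling preflight with no arguments checks the live system; a non-zero exit status means something from the list above is still present.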