I am in a similar boat, well RHEL6.7 to RHEL7.1.  I joined a RHEL7.1 / IPA4.1 
to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was 
ca-less.  Did a full backup on the RHEL7.1 / IPA 4.1.  Blew away the ipa 
server, installed fresh, pki-tomcat runs, did a restore and pki-tomcat doesn't 

btw what does --data do?  I tried that before a full restore and no passwords 
worked, i.e. I could not log in and no users worked at all, so it seems pointless? 
Or maybe rather: what is it for, and when should it be used?



From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on 
behalf of Alexandre Ellert <ellertalexan...@gmail.com>
Sent: Wednesday, 16 September 2015 12:09 a.m.
To: Martin Babinsky
Cc: freeipa-users@redhat.com; Alexander Bokovoy
Subject: Re: [Freeipa-users] Failed to start pki-tomcatd Service

So, here is the recap :
I migrated a single IPA server on CentOS 6.6 to a dual IPA server setup on CentOS 7.1. The PKI 
was only installed on server two.
Everything was working fine, replication OK, new enrollments OK, 
authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart 
automatically after a reboot on server two.

Now I want to repair things, but I can't deploy a new PKI and I can't delete 
the existing broken PKI...

Maybe I should use ipa-backup, then rebuild an IPA infrastructure and then 
ipa-restore?

Please advise.

2015-09-07 13:36 GMT+02:00 Alexandre Ellert 

> On 4 Sept 2015 at 16:37, Martin Babinsky 
> <mbabi...@redhat.com> wrote:
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>> On 28 Aug 2015 at 17:41, Alexander Bokovoy 
>>> <aboko...@redhat.com> wrote:
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy 
>>>>> <aboko...@redhat.com> wrote:
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>> On 28 July 2015 at 05:59, Alexander Bokovoy 
>>>>>>> <aboko...@redhat.com> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy 
>>>>>>>> another
>>>>>>>> replica ?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>> Can you please tell me the procedure to decommission and re-create a new 
>>>>>> replica ?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only 
>>>>>> things to do?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>> --
>>>>> / Alexander Bokovoy
>>>> I can’t remove the node on which I have problem with pki-tomcatd :
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica 
>>>> file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation 
>>>> without a CA
>>>> It seems that it's the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>> CA is already installed.
>> How is it possible ?
> You must provide a replica file as an argument to ipa-ca-install if you want 
> to setup CA on another replica.
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line:
[root@inf-ipa ~]# ipa-ca-install 
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@numeezy.fr password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command 
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit 
status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
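An added example, not part of the thread and not FreeIPA's own tooling: a small POSIX shell helper that reads ipa-replica-conncheck style output such as the listing above and flags every check that is not OK, so that a scripted pre-flight can stop before ipa-ca-install is attempted while some ports are still WARNING, SKIPPED or FAILED. The sample output embedded in it is constructed from the listing in this message (not captured from a live run), and the function name conncheck_status is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a helper that
# reads ipa-replica-conncheck style output and flags every check that is
# not OK, so a pre-flight run can stop before ipa-ca-install is attempted.

# Constructed sample modelled on the output quoted in the thread; it is not
# captured from a real run.
SAMPLE_CONNCHECK='   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK'

# conncheck_status TEXT
# Prints one tab-separated line "STATUS service port" for every check whose
# status is not OK. Exit status: 0 if every check is OK, 1 if some checks are
# WARNING or SKIPPED (those ports must be verified by hand), 2 if any check
# FAILED or carries an unrecognised status.
conncheck_status() {
    printf '%s\n' "$1" | awk -F': ' '
        BEGIN { rc = 0 }
        # Only lines of the form "   Service: Proto (port): STATUS"
        /\([0-9]+\): / {
            status  = $NF
            service = $1;      sub(/^[ \t]+/, "", service)
            port    = $(NF-1); sub(/.*\(/, "", port); sub(/\).*/, "", port)
            if (status == "OK") next
            printf "%s\t%s\t%s\n", status, service, port
            if (status == "WARNING" || status == "SKIPPED") {
                if (rc < 1) rc = 1
            } else {
                rc = 2
            }
        }
        END { exit rc }'
}

# Demonstration on the constructed sample: lists the two UDP WARNING checks
# and reports exit status 1.
conncheck_status "$SAMPLE_CONNCHECK" || echo "conncheck needs attention (exit status $?)"
```

Feed it the saved output of ipa-replica-conncheck from the server being checked. An exit status of 1 means the listed ports (88 and 464 UDP in the run above) still have to be verified by hand before continuing, which is exactly what the tool itself asks for when it cannot attach its own UDP responder; an exit status of 2 means a check failed outright and the CA install should not be attempted until it is fixed.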
