On 22.07.2016 20:17, pgb205 wrote:
Current topology:

ipa-srv1 already has CA installed but *NOT *ipa-srv2.

The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become

however I am unable to create gpg replication file on ipa-srv2 (to be used to establish replication agreement to ipa-srv3) as I get an error message: /Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)/ From what I've found gpg can only be created on replica with CA installed.

to install CA I tried the following command
/ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg/
This errors out at
/  [8/21]: starting certificate server instance/
/ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details./
/  [9/21]: importing CA chain to RA certificate database/
/ [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500/

can you please check /var/log/pki/pki-tomcat/ca/debug for more specific errors?


systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly.

but it's still not listed in ipactl status output

further attempts to install are halted with error : CA is already installed on this system and I have to manually delete everything with:
pkidestroy -s CA -i pki-tomcat
 1003  rm -rf /var/log/pki/pki-tomcat
 1004  rm -rf /etc/sysconfig/pki-tomcat
 1005  rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
 1006  rm -rf /var/lib/pki/pki-tomcat
 1007  rm -rf /etc/pki/pki-tomcat

in error logs the one message that stands out is:
500 internal server error. which repeats multiple times at the end of log file.

Please suggest on what can be done in this situation.

PS: regarding pkidestroy and pkiremove commands. What is the difference or does pkidestroy superceeds pkiremove. Alexander B suggests pkiremove in one of his older posts and 'yum whatprovides pkiremove' also suggests that it should be available.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to