pgb205 wrote:
Current topology:

ipa-srv1 already has CA installed but *NOT* ipa-srv2.

The reason I would like to add CA on ipa-srv2 is because I want the
setup to ultimately become

However, I am unable to create the gpg replication file on ipa-srv2 (to be
used to establish a replication agreement to ipa-srv3),
as I get an error message: /Certificate operation cannot be completed:
Unable to communicate with CMS (Internal Server Error)/
From what I've found, the gpg file can only be created on a replica with CA installed.

To install the CA I tried the following command:
/ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg/
This errors out at
/  [8/21]: starting certificate server instance/
/ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
the Dogtag instance.See the installation log for details./
/  [9/21]: importing CA chain to RA certificate database/
/  [error] RuntimeError: Unable to retrieve CA chain: request failed
with HTTP status 500/
systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly.

But it's still not listed in the ipactl status output.

Further attempts to install are halted with the error: CA is already
installed on this system, and I have to manually delete everything with:
  pkidestroy -s CA -i pki-tomcat
  rm -rf /var/log/pki/pki-tomcat
  rm -rf /etc/sysconfig/pki-tomcat
  rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
  rm -rf /var/lib/pki/pki-tomcat
  rm -rf /etc/pki/pki-tomcat

In the error logs the one message that stands out is:
500 internal server error, which repeats multiple times at the end of
the log file.

Which log file? You probably want to look at the CA debug log. I'm assuming the error is originating in dogtag.

Please suggest what can be done in this situation.

PS: Regarding the pkidestroy and pkiremove commands: what is the difference,
or does pkidestroy supersede pkiremove?
Alexander B suggests pkiremove in one of his older posts and 'yum
whatprovides pkiremove' also suggests that it should be available.

Right, pkidestroy replaced pkiremove.

There is no uninstaller for the CA currently. I had started one long ago and never finished it. Feel free to open an RFE on it.

Note that it is trickier than just removing files. Depending on where it blows up you may need to remove replication agreements too (and entries from cn=masters).


Manage your subscription for the Freeipa-users mailing list: