ipa-srv1 already has CA installed but NOT ipa-srv2.
The reason I would like to add CA on ipa-srv2 is because I want the
setup to ultimately become
However, I am unable to create a gpg replication file on ipa-srv2 (to be
used to establish a replication agreement to ipa-srv3),
as I get an error message: "Certificate operation cannot be completed:
Unable to communicate with CMS (Internal Server Error)"
From what I've found, the gpg file can only be created on a replica with CA installed.
To install CA I tried the following command:
  ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
This errors out at:
  [8/21]: starting certificate server instance
  ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
  the Dogtag instance. See the installation log for details.
  [9/21]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed
  with HTTP status 500
systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly,
but it's still not listed in the ipactl status output.
Further attempts to install are halted with the error "CA is already
installed on this system" and I have to manually delete everything with:
  pkidestroy -s CA -i pki-tomcat
  rm -rf /var/log/pki/pki-tomcat
  rm -rf /etc/sysconfig/pki-tomcat
  rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
  rm -rf /var/lib/pki/pki-tomcat
  rm -rf /etc/pki/pki-tomcat
In the error logs, the one message that stands out is
"500 internal server error", which repeats multiple times at the end of
Which log file? You probably want to look at the CA debug log. I'm
assuming the error is originating in dogtag.
Please suggest what can be done in this situation.
PS: regarding the pkidestroy and pkiremove commands: what is the difference,
or does pkidestroy supersede pkiremove?
Alexander B suggests pkiremove in one of his older posts and 'yum
whatprovides pkiremove' also suggests that it should be available.
Right, pkidestroy replaced pkiremove.
There is no uninstaller for the CA currently. I had started one long ago
and never finished it. Feel free to open an RFE on it.
Note that it is trickier than just removing files. Depending on where it
blows up you may need to remove replication agreements too (and entries
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
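A small shell helper, added here as an example and not taken from this thread or from FreeIPA itself, that checks for and removes the leftovers of a failed ipa-ca-install before a retry, using the pkidestroy call and the directory list from the original post. The ROOT prefix argument is an assumption added only so the checks can be exercised against a scratch directory; on a real replica call the functions with no argument.

```shell
#!/bin/sh
# Added example (not from the thread). Detects and removes what a failed
# ipa-ca-install leaves behind, so a retry does not stop at
# "CA is already installed on this system".
# ROOT is a hypothetical prefix so the checks can run against a scratch tree.

PKI_INSTANCE="pki-tomcat"

# Directories the original poster had to remove by hand after pkidestroy.
stale_ca_paths() {
    root="${1:-}"
    printf '%s\n' \
        "$root/var/log/pki/$PKI_INSTANCE" \
        "$root/etc/sysconfig/$PKI_INSTANCE" \
        "$root/etc/sysconfig/pki/tomcat/$PKI_INSTANCE" \
        "$root/var/lib/pki/$PKI_INSTANCE" \
        "$root/etc/pki/$PKI_INSTANCE"
}

# Exit status 0 when nothing is left, 1 when leftovers exist (each is printed).
# The paths contain no whitespace, so plain word splitting of the list is safe.
leftover_check() {
    root="${1:-}"
    found=0
    for p in $(stale_ca_paths "$root"); do
        if [ -e "$p" ]; then
            echo "leftover: $p"
            found=1
        fi
    done
    return "$found"
}

# On a real system (no ROOT) run pkidestroy first, as in the post, since it
# also unregisters the instance; then remove whatever directories survived.
cleanup_failed_ca() {
    root="${1:-}"
    if [ -z "$root" ] && command -v pkidestroy >/dev/null 2>&1; then
        pkidestroy -s CA -i "$PKI_INSTANCE" || echo "pkidestroy failed; removing files anyway"
    fi
    for p in $(stale_ca_paths "$root"); do
        if [ -e "$p" ]; then
            rm -rf "$p"
        fi
    done
    leftover_check "$root"
}
```

As the reply points out, this only clears files; if the install failed after replication agreements were created, those need separate handling.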