Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Endi Sukma Dewata

On 9/23/2014 6:35 PM, swartz wrote:

On 9/22/2014 7:59 PM, Ade Lee wrote:

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?



I'd have to say no. It doesn't look truncated to me. At least there are
no obvious signs. But then again I don't know everything that is supposed
to be there. I know that the line starting  with
pkicreate.unsecure_port= isn't there, that's for sure. Hence why init
script fails to start PKI-CA.


Hi,

Ade and I looked at the file that you sent, and I sent you an updated 
CS.cfg based on my system (and you indicated that it's working now). I 
noticed that your original file contains the following line:


  cloning.ocsp_signing.dn=CN=OCSP Subsys

where it probably should have been something like this:

  cloning.ocsp_signing.dn=CN=OCSP Subsysstem,O=CS.MYDOMAIN.CA

Also, it's missing the next ~400 lines which seem to have been replaced 
with these lines:


  proxy.securePort=443
  proxy.unsecurePort=80

So we're suspecting that something was adding these proxy parameters 
directly to CS.cfg while the CA is saving configuration changes to 
CS.cfg too. Luckily your original CS.cfg still contains enough 
information to fully restore the file. I guess we need someone who's 
more familiar with the IPA  CA upgrade process to take a look at this 
more closely.


The CS.cfg is actually owned by the CA server, but sometimes people are 
advised to change the file directly, and maybe some code is written 
that way too. There are some ways to avoid this kind of problem in the 
future:


1. Require CA to be shut down before changing CS.cfg directly.
2. Prohibit direct access to the file and require the use of tools that 
send the changes to the CA server (e.g. via CLI/REST).
3. Break CS.cfg into user-owned and server-owned parameters, and move 
mostly-static parameters into a separate default file.

4. Replace CS.cfg with LDAP-based configuration.

In the short term we might be limited to #1, but in the long term we 
might be able to implement the other options.


--
Endi S. Dewata

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread swartz

On 9/24/2014 9:05 AM, Ade Lee wrote:

Forwarding to a couple of colleagues of mine who will be taking point on
this.

 From what I can see, the CS.cfg is truncated.  Fortunately, I believe it
is reparable.

Ade


I've been in contact with Endi and Ade. It was a truncated config file 
as per msg above.

Endi had emailed me a restored config.

I can happily say that my IPA instance is back in operation.

Thank you all.

For anyone else reading this:
For me this config truncation happened after a 'yum update'.
Perhaps shutting down the IPA stack before doing package updates might 
be more advisable.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Dmitri Pal

On 09/24/2014 02:07 PM, swartz wrote:

On 9/24/2014 9:05 AM, Ade Lee wrote:

Forwarding to a couple of colleagues of mine who will be taking point on
this.

 From what I can see, the CS.cfg is truncated.  Fortunately, I 
believe it

is reparable.

Ade


I've been in contact with Endi and Ade. It was a truncated config file 
as per msg above.

Endi had emailed me a restored config.

I can happily say that my IPA instance is back in operation.

Thank you all.

For anyone else reading this:
For me this config truncation happened after a 'yum update'.
Perhaps shutting down the IPA stack before doing package updates might 
be more advisable.




Is there any chance to detect which package caused this truncation?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Rob Crittenden
Dmitri Pal wrote:
 On 09/24/2014 02:07 PM, swartz wrote:
 On 9/24/2014 9:05 AM, Ade Lee wrote:
 Forwarding to a couple of colleagues of mine who will be taking point on
 this.

  From what I can see, the CS.cfg is truncated.  Fortunately, I
 believe it
 is reparable.

 Ade

 I've been in contact with Endi and Ade. It was a truncated config file
 as per msg above.
 Endi had emailed me a restored config.

 I can happily say that my IPA instance is back in operation.

 Thank you all.

 For anyone else reading this:
 For me this config truncation happened after a 'yum update'.
 Perhaps shutting down the IPA stack before doing package updates might
 be more advisable.


 Is there any chance to detect which package caused this truncation?
 

It was almost certainly related to IPA, if not ipa-upgradeconfig
directly. For any number of reasons it may write directly to CS.cfg
without stopping the service first. It may also call the dogtag-provided
pki-setup-proxy which also doesn't stop the service before touching CS.cfg.

The upgrader will then determine if any changes were made and restart
the service.

rob



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Dmitri Pal

On 09/24/2014 03:29 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 09/24/2014 02:07 PM, swartz wrote:

On 9/24/2014 9:05 AM, Ade Lee wrote:

Forwarding to a couple of colleagues of mine who will be taking point on
this.

  From what I can see, the CS.cfg is truncated.  Fortunately, I
believe it
is reparable.

Ade

I've been in contact with Endi and Ade. It was a truncated config file
as per msg above.
Endi had emailed me a restored config.

I can happily say that my IPA instance is back in operation.

Thank you all.

For anyone else reading this:
For me this config truncation happened after a 'yum update'.
Perhaps shutting down the IPA stack before doing package updates might
be more advisable.



Is there any chance to detect which package caused this truncation?


It was almost certainly related to IPA, if not ipa-upgradeconfig
directly. For any number of reasons it may write directly to CS.cfg
without stopping the service first. It may also call the dogtag-provided
pki-setup-proxy which also doesn't stop the service before touching CS.cfg.

The upgrader will then determine if any changes were made and restart
the service.

rob

So is it a race condition? Something does not sound right.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Rob Crittenden
Dmitri Pal wrote:
 On 09/24/2014 03:29 PM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 On 09/24/2014 02:07 PM, swartz wrote:
 On 9/24/2014 9:05 AM, Ade Lee wrote:
 Forwarding to a couple of colleagues of mine who will be taking
 point on
 this.

   From what I can see, the CS.cfg is truncated.  Fortunately, I
 believe it
 is reparable.

 Ade
 I've been in contact with Endi and Ade. It was a truncated config file
 as per msg above.
 Endi had emailed me a restored config.

 I can happily say that my IPA instance is back in operation.

 Thank you all.

 For anyone else reading this:
 For me this config truncation happened after a 'yum update'.
 Perhaps shutting down the IPA stack before doing package updates might
 be more advisable.


 Is there any chance to detect which package caused this truncation?

 It was almost certainly related to IPA, if not ipa-upgradeconfig
 directly. For any number of reasons it may write directly to CS.cfg
 without stopping the service first. It may also call the dogtag-provided
 pki-setup-proxy which also doesn't stop the service before touching
 CS.cfg.

 The upgrader will then determine if any changes were made and restart
 the service.

 rob
 So is it a race condition? Something does not sound right.
 

What I don't understand is: if dogtag always writes CS.cfg on exit, why
does this work the majority of the time?

But anyway, it sounds like we need to shut down dogtag every time we
touch CS.cfg which isn't a big deal but it will change the way we do
some things.

rob



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Ade Lee
On Wed, 2014-09-24 at 16:24 -0400, Rob Crittenden wrote:
 Dmitri Pal wrote:
  On 09/24/2014 03:29 PM, Rob Crittenden wrote:
  Dmitri Pal wrote:
  On 09/24/2014 02:07 PM, swartz wrote:
  On 9/24/2014 9:05 AM, Ade Lee wrote:
  Forwarding to a couple of colleagues of mine who will be taking
  point on
  this.
 
From what I can see, the CS.cfg is truncated.  Fortunately, I
  believe it
  is reparable.
 
  Ade
  I've been in contact with Endi and Ade. It was a truncated config file
  as per msg above.
  Endi had emailed me a restored config.
 
  I can happily say that my IPA instance is back in operation.
 
  Thank you all.
 
  For anyone else reading this:
  For me this config truncation happened after a 'yum update'.
  Perhaps shutting down the IPA stack before doing package updates might
  be more advisable.
 
 
  Is there any chance to detect which package caused this truncation?
 
  It was almost certainly related to IPA, if not ipa-upgradeconfig
  directly. For any number of reasons it may write directly to CS.cfg
  without stopping the service first. It may also call the dogtag-provided
  pki-setup-proxy which also doesn't stop the service before touching
  CS.cfg.
 
  The upgrader will then determine if any changes were made and restart
  the service.
 
  rob
  So is it a race condition? Something does not sound right.
  
 
 What I don't understand is: if dogtag always writes CS.cfg on exit, why
 does this work the majority of the time?

Dogtag does not write CS.cfg on exit (like 389).  Rather, if there are
changes to CS.cfg, they will be committed and the file will be changed
and the in-memory version of CS.cfg will be written at that time.

I think what we're seeing is two different things modifying the CS.cfg
at the same time (or at least within the time frame of whatever file
buffering is going on).  In other cases where I've seen this, I see
CS.cfg end up the size of n * file buffer.

Shutting down CA before changing CS.cfg is a way of preventing access by
more than one source at the same time.

 
 But anyway, it sounds like we need to shut down dogtag every time we
 touch CS.cfg which isn't a big deal but it will change the way we do
 some things.
 
 rob
 




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Ade Lee
On Wed, 2014-09-24 at 16:33 -0400, Ade Lee wrote:
 On Wed, 2014-09-24 at 16:24 -0400, Rob Crittenden wrote:
  Dmitri Pal wrote:
   On 09/24/2014 03:29 PM, Rob Crittenden wrote:
   Dmitri Pal wrote:
   On 09/24/2014 02:07 PM, swartz wrote:
   On 9/24/2014 9:05 AM, Ade Lee wrote:
   Forwarding to a couple of colleagues of mine who will be taking
   point on
   this.
  
 From what I can see, the CS.cfg is truncated.  Fortunately, I
   believe it
   is reparable.
  
   Ade
   I've been in contact with Endi and Ade. It was a truncated config file
   as per msg above.
   Endi had emailed me a restored config.
  
   I can happily say that my IPA instance is back in operation.
  
   Thank you all.
  
   For anyone else reading this:
   For me this config truncation happened after a 'yum update'.
   Perhaps shutting down the IPA stack before doing package updates might
   be more advisable.
  
  
   Is there any chance to detect which package caused this truncation?
  
   It was almost certainly related to IPA, if not ipa-upgradeconfig
   directly. For any number of reasons it may write directly to CS.cfg
   without stopping the service first. It may also call the dogtag-provided
   pki-setup-proxy which also doesn't stop the service before touching
   CS.cfg.
  
   The upgrader will then determine if any changes were made and restart
   the service.
  
   rob
   So is it a race condition? Something does not sound right.
   
  
  What I don't understand is: if dogtag always writes CS.cfg on exit, why
  does this work the majority of the time?
 
 Dogtag does not write CS.cfg on exit (like 389).  Rather, if there are
 changes to CS.cfg, they will be committed and the file will be changed
 and the in-memory version of CS.cfg will be written at that time.
 
 I think what we're seeing is two different things modifying the CS.cfg
 at the same time (or at least within the time frame of whatever file
 buffering is going on).  In other cases where I've seen this, I see
 CS.cfg end up the size of n * file buffer.
 
 Shutting down CA before changing CS.cfg is a way of preventing access by
 more than one source at the same time.
 
In the long term of course, we need to provide an interface to dogtag to
allow these types of changes by the dogtag server.

  
  But anyway, it sounds like we need to shut down dogtag every time we
  touch CS.cfg which isn't a big deal but it will change the way we do
  some things.
  
  rob
  
 
 




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread Martin Kosek
On 09/23/2014 03:59 AM, Ade Lee wrote:
 On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
 On 9/22/2014 9:14 AM, Ade Lee wrote:
 Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
  ls -l /etc/pki-ca/CS.cfg
 -rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg

 In very rare cases, I've seen cases where the CS.cfg becomes truncated
 during an update.  Unfortunately, we have not been able to reproduce the
 event.  In later versions of dogtag, we make sure to save the CS.cfg
 just in case.
 
 Your instance sounds like a truncated CS.cfg instance, but the size is a
 lot larger than cases I've seen before, so I don't want to jump to that
 conclusion yet.

JFTR, FreeIPA may have been involved as well, we had a related fix in FreeIPA
4.0.2:
https://fedorahosted.org/freeipa/ticket/4166

 
 If you scroll to the end of the CS.cfg, does it look like it has been
 truncated?
 
 If you have backups of the CS.cfg, that will help.  Also, you could look
 for backups that we have created:
 
 find /var/lib/pki-ca -name CS.cfg*
 find /var/log -name CS.cfg*
 
 Also, do you have a replica CA?
 
 Ade
 
 I know that I did NOT change the configs myself. But something certainly 
 did during 'yum update'.
 There are no .rpmsave or .rpmnew files that would typically be created 
 if configs are properly marked in RPM spec file.

 There are two other files that exist though:
 -rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
 -rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33

 However, they are not usable either in place of current CS.cfg.

 The above files are templates only.  They are modified during instance
 configuration.

 There have been no updates recently on rhel 6 to the pki packages.
 There has, however, been an update to tomcat - which broke dogtag
 startups.

 What version of tomcat6 is on your system?
  rpm -qa tomcat6
 tomcat6-6.0.24-78.el6_5.noarch


 This tomcat version should still be a working one.  The tomcat6 that
 broke things has not made it out yet, having been discovered in QE
 testing.
 
 
 



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread swartz

On 9/22/2014 7:59 PM, Ade Lee wrote:

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?
I'd have to say no. It doesn't look truncated to me. At least there are 
no obvious signs. But then again I don't know everything that is supposed 
to be there. I know that the line starting  with 
pkicreate.unsecure_port= isn't there, that's for sure. Hence why init 
script fails to start PKI-CA.




If you have backups of the CS.cfg, that will help.  Also, you could look
for backups that we have created:

Sadly there were no backups. This was a test/dev VM with no backup policy.

find /var/lib/pki-ca -name CS.cfg*
find /var/log -name CS.cfg*
I've replied to you directly with all CS.cfg* files I could find. Most 
appear to be templates and not backups as per your message.



Also, do you have a replica CA?
Yes and no.  The master was originally configured with a replica but the 
test replica VM was not used after that and was shutdown and removed.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread swartz

On 9/22/2014 7:59 PM, Ade Lee wrote:

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?
I'd have to say no. It doesn't look truncated to me. At least there are 
no obvious signs. But then again I don't know everything that is supposed 
to be there. I know that the line starting  with 
pkicreate.unsecure_port= isn't there, that's for sure. Hence why init 
script fails to start PKI-CA.




If you have backups of the CS.cfg, that will help.  Also, you could look
for backups that we have created:

Sadly there were no backups. This was a test/dev VM with no backup policy.

find /var/lib/pki-ca -name CS.cfg*
find /var/log -name CS.cfg*
I've replied to you directly with all CS.cfg* files I could find. Most 
appear to be templates and not backups as per your message.



Also, do you have a replica CA?
Yes and no.  The master was originally configured with a replica but the 
test replica VM was not used after that and was shutdown and removed.


PS. I replied to the wrong email. Ooops, sorry.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Martin Kosek
On 09/20/2014 01:02 AM, swartz wrote:
 Hello,
 
 Encountered same issue as described here:
 https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
 https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
 
 Plain vanilla IPA setup. No changes, no customizations.
 Recently IPA fails to start. Error happened right after a 'yum update' and 
 reboot.
 
 ---
 Starting pki-ca:   [  OK  ]
 Usage: grep [OPTION]... PATTERN [FILE]...
 Try `grep --help' for more information.
 Usage: grep [OPTION]... PATTERN [FILE]...
 Try `grep --help' for more information.
 Usage: grep [OPTION]... PATTERN [FILE]...
 Try `grep --help' for more information.
 ...
 Failed to start CA Service
 Shutting down
 
 
 Digging into the matter further...
 The line that causes the error above is in /usr/share/pki/scripts/functions
 (which is loaded by pki-ca init script):
 netstat -antl | grep ${port} > /dev/null
 
 The $port variable is blank so call to grep is without a search parameter.
 Hence invalid call to grep and subsequent error msg I'm seeing as above.
 
 $port is defined just a few lines above as
 port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | 
 cut
 -b25- -`
 
 BUT! For whatever reason there is no line that starts with
 pkicreate.unsecure_port in $pki_instance_configuration_file
 (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use in 
 grep.
 
 Why there is no such line in config file where one is expected is unknown to 
 me...
 
 Versions currently installed
 ipa-server-3.0.0-37.el6.x86_64
 pki-ca-9.0.3-32.el6.noarch
 
 Did updates to pki packages clobber the configs? What got broken? How do I
 resolve it?
 
 Thank you.

Also please see another PKI crash on EL6 reported on freeipa-users:

https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html

This is not the first time this issue was reported, but we got no response from
PKI team, even though I CCed several members (maybe that was actually the root
cause).

The PKI installation errors are piling up (7.1 too), I would like to resolve
that very soon so that we are not seen as too unstable software.

Thanks for help,
Martin
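The failure swartz traced above (an empty $port because the `pkicreate.unsecure_port=` line was gone, so grep was invoked with no pattern) and the truncated file Endi describes earlier in the thread both come down to the init script trusting CS.cfg blindly. The helpers below are an added example, not the contents of /usr/share/pki/scripts/functions: they look a key up by name rather than by byte offset, fail with a clear message when a required key is missing or non-numeric, and never hand grep an empty pattern. The key names come from the thread; the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not pki-ca's own /usr/share/pki/scripts/functions. The
# original lookup is
#   port=`grep '^pkicreate.unsecure_port=' "$cfg" | cut -b25- -`
#   netstat -antl | grep ${port} > /dev/null
# so a CS.cfg without that key leaves $port empty and grep prints its usage
# text three times before "Failed to start CA Service". These fail loudly.

# cs_cfg_get CFG KEY
# Prints the value of KEY from a "key=value" file; returns 1 (printing
# nothing) when the key is absent or has an empty value. The last match wins
# so a duplicated key behaves like a later override.
cs_cfg_get() {
    _cfg=$1; _key=$2
    # Escape regex metacharacters: every '.' in a CS.cfg key would otherwise
    # match any character.
    _esc=$(printf '%s' "$_key" | sed 's/[][\.*^$/]/\\&/g')
    _val=$(sed -n "s/^$_esc=//p" "$_cfg" | tail -n 1)
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# cs_cfg_require CFG KEY...
# Reports every missing key on stderr; returns 0 only if all are present.
# Run this before starting the CA so a truncated file is diagnosed up front
# instead of surfacing as a grep usage error.
cs_cfg_require() {
    cfg=$1; shift
    missing=0
    for key in "$@"; do
        if ! cs_cfg_get "$cfg" "$key" >/dev/null; then
            echo "CS.cfg check: $cfg is missing $key" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# pki_unsecure_port CFG
# Resolves the CA's unsecure port, refusing empty or non-numeric values.
pki_unsecure_port() {
    port=$(cs_cfg_get "$1" pkicreate.unsecure_port) || {
        echo "pkicreate.unsecure_port is not set in $1; refusing to start" >&2
        return 1
    }
    case $port in
        ''|*[!0-9]*) echo "pkicreate.unsecure_port=$port is not a number" >&2; return 1 ;;
    esac
    printf '%s\n' "$port"
}

# port_listening PORT
# The listener check the original script wanted: match only ":PORT" in the
# local-address column followed by LISTEN, and return 2 rather than run grep
# with an empty pattern.
port_listening() {
    port=$1
    [ -n "$port" ] || { echo "port_listening: empty port" >&2; return 2; }
    netstat -antl 2>/dev/null | grep -E ":${port}[[:space:]]+.*LISTEN" >/dev/null
}

# Usage (constructed sample, not a real instance file):
#   printf 'pkicreate.unsecure_port=9180\n' > /tmp/CS.cfg
#   cs_cfg_require /tmp/CS.cfg pkicreate.unsecure_port pkicreate.secure_port
#   port=$(pki_unsecure_port /tmp/CS.cfg) && port_listening "$port"
```

Keying the check on `pkicreate.unsecure_port` alone only reproduces what the init script already depends on; a `cs_cfg_require` call listing every key the startup path reads is what makes a file that lost its tail fail before the CA is started, while the backup or restored copy is still at hand.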



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 10:50 +0200, Martin Kosek wrote:
 On 09/20/2014 01:02 AM, swartz wrote:
  Hello,
  
  Encountered same issue as described here:
  https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
  https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
  
  Plain vanilla IPA setup. No changes, no customizations.
  Recently IPA fails to start. Error happened right after a 'yum update' and 
  reboot.
  
  ---
  Starting pki-ca:   [  OK  ]
  Usage: grep [OPTION]... PATTERN [FILE]...
  Try `grep --help' for more information.
  Usage: grep [OPTION]... PATTERN [FILE]...
  Try `grep --help' for more information.
  Usage: grep [OPTION]... PATTERN [FILE]...
  Try `grep --help' for more information.
  ...
  Failed to start CA Service
  Shutting down
  
  
  Digging into the matter further...
  The line that causes the error above is in /usr/share/pki/scripts/functions
  (which is loaded by pki-ca init script):
  netstat -antl | grep ${port} > /dev/null
  
  The $port variable is blank so call to grep is without a search parameter.
  Hence invalid call to grep and subsequent error msg I'm seeing as above.
  
  $port is defined just a few lines above as
  port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | 
  cut
  -b25- -`
  
  BUT! For whatever reason there is no line that starts with
  pkicreate.unsecure_port in $pki_instance_configuration_file
  (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use 
  in grep.
  
  Why there is no such line in config file where one is expected is unknown 
  to me...
  
  Versions currently installed
  ipa-server-3.0.0-37.el6.x86_64
  pki-ca-9.0.3-32.el6.noarch
  
  Did updates to pki packages clobber the configs? What got broken? How do I
  resolve it?
  

There have been no updates recently on rhel 6 to the pki packages.
There has, however, been an update to tomcat - which broke dogtag
startups.

What version of tomcat6 is on your system?

  Thank you.
 
 Also please see another PKI crash on EL6 reported on freeipa-users:
 
 https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html
 
 This is not the first time this issue was reported, but we got no response 
 from
 PKI team, even though I CCed several members (maybe that was actually the root
 cause).
 
 The PKI installation errors are piling up (7.1 too), I would like to resolve
 that very soon so that we are not seen as too unstable software.
 
The issues on 7.1 are tomcat related too.  Builds were completed last
week to address these.

 Thanks for help,
 Martin




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 10:43 -0400, Ade Lee wrote:
 On Mon, 2014-09-22 at 10:50 +0200, Martin Kosek wrote:
  On 09/20/2014 01:02 AM, swartz wrote:
   Hello,
   
   Encountered same issue as described here:
   https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
   https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
   
   Plain vanilla IPA setup. No changes, no customizations.
   Recently IPA fails to start. Error happened right after a 'yum update' 
   and reboot.
   
   ---
   Starting pki-ca:   [  OK  ]
   Usage: grep [OPTION]... PATTERN [FILE]...
   Try `grep --help' for more information.
   Usage: grep [OPTION]... PATTERN [FILE]...
   Try `grep --help' for more information.
   Usage: grep [OPTION]... PATTERN [FILE]...
   Try `grep --help' for more information.
   ...
   Failed to start CA Service
   Shutting down
   
   
   Digging into the matter further...
   The line that causes the error above is in 
   /usr/share/pki/scripts/functions
   (which is loaded by pki-ca init script):
   netstat -antl | grep ${port} > /dev/null
   
   The $port variable is blank so call to grep is without a search parameter.
   Hence invalid call to grep and subsequent error msg I'm seeing as above.
   
   $port is defined just a few lines above as
   port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} 
   | cut
   -b25- -`
   
   BUT! For whatever reason there is no line that starts with
   pkicreate.unsecure_port in $pki_instance_configuration_file
   (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use 
   in grep.
   
   Why there is no such line in config file where one is expected is unknown 
   to me...
   
   Versions currently installed
   ipa-server-3.0.0-37.el6.x86_64
   pki-ca-9.0.3-32.el6.noarch
   
   Did updates to pki packages clobber the configs? What got broken? How do I
   resolve it?
   
 
Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

 There have been no updates recently on rhel 6 to the pki packages.
 There has, however, been an update to tomcat - which broke dogtag
 startups.
 
 What version of tomcat6 is on your system?
 
   Thank you.
  
  Also please see another PKI crash on EL6 reported on freeipa-users:
  
  https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html
  
  This is not the first time this issue was reported, but we got no response 
  from
  PKI team, even though I CCed several members (maybe that was actually the 
  root
  cause).
  
  The PKI installation errors are piling up (7.1 too), I would like to resolve
  that very soon so that we are not seen as too unstable software.
  
 The issues on 7.1 are tomcat related too.  Builds were completed last
 week to address these.
 
  Thanks for help,
  Martin
 




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread swartz


On 9/22/2014 9:14 AM, Ade Lee wrote:
Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 

ls -l /etc/pki-ca/CS.cfg
-rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg

I know that I did NOT change the configs myself. But something certainly 
did during 'yum update'.
There are no .rpmsave or .rpmnew files that would typically be created 
if configs are properly marked in RPM spec file.


There are two other files that exist though:
-rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
-rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33

However, they are not usable either in place of current CS.cfg.



There have been no updates recently on rhel 6 to the pki packages.
There has, however, been an update to tomcat - which broke dogtag
startups.

What version of tomcat6 is on your system?

rpm -qa tomcat6
tomcat6-6.0.24-78.el6_5.noarch




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
 On 9/22/2014 9:14 AM, Ade Lee wrote:
  Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
  ls -l /etc/pki-ca/CS.cfg
 -rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
 
In very rare cases, I've seen cases where the CS.cfg becomes truncated
during an update.  Unfortunately, we have not been able to reproduce the
event.  In later versions of dogtag, we make sure to save the CS.cfg
just in case.

Your instance sounds like a truncated CS.cfg instance, but the size is a
lot larger than cases I've seen before, so I don't want to jump to that
conclusion yet.

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?

If you have backups of the CS.cfg, that will help.  Also, you could look
for backups that we have created:

find /var/lib/pki-ca -name CS.cfg*
find /var/log -name CS.cfg*

Also, do you have a replica CA?

Ade

 I know that I did NOT change the configs myself. But something certainly 
 did during 'yum update'.
 There are no .rpmsave or .rpmnew files that would typically be created 
 if configs are properly marked in RPM spec file.
 
 There are two other files that exist though:
 -rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
 -rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33
 
 However, they are not usable either in place of current CS.cfg.
 
The above files are templates only.  They are modified during instance
configuration.
 
  There have been no updates recently on rhel 6 to the pki packages.
  There has, however, been an update to tomcat - which broke dogtag
  startups.
 
  What version of tomcat6 is on your system?
  rpm -qa tomcat6
 tomcat6-6.0.24-78.el6_5.noarch
 
 
This tomcat version should still be a working one.  The tomcat6 that
broke things has not made it out yet, having been discovered in QE
testing.


