Re: [Freeipa-users] Unable to add CA on an already configured replica

2016-07-25 Thread Rob Crittenden

pgb205 wrote:

Current topology:
ipa-srv1<->ipa-srv2

ipa-srv1 already has the CA installed but *NOT* ipa-srv2.

The reason I would like to add CA on ipa-srv2 is because I want the
setup to ultimately become
ipa-srv1<->ipa-srv2<->ipa-srv3

However, I am unable to create the gpg replication file on ipa-srv2 (to be
used to establish a replication agreement to ipa-srv3)
as I get an error message: Certificate operation cannot be completed:
Unable to communicate with CMS (Internal Server Error)
From what I've found the gpg file can only be created on a replica with the CA installed.

To install the CA I tried the following command:
ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
This errors out at
  [8/21]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
the Dogtag instance. See the installation log for details.
  [9/21]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed
with HTTP status 500

systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly.

But it's still not listed in the ipactl status output.

Further attempts to install are halted with the error: CA is already
installed on this system, and I have to manually delete everything with:
pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat


In the error logs the one message that stands out is:
500 internal server error, which repeats multiple times at the end of
the log file.


Which log file? You probably want to look at the CA debug log. I'm 
assuming the error is originating in dogtag.



Please suggest on what can be done in this situation.

PS: regarding the pkidestroy and pkiremove commands: what is the difference,
or does pkidestroy supersede pkiremove?
Alexander B suggests pkiremove in one of his older posts, and 'yum
whatprovides pkiremove' also suggests that it should be available.


Right, pkidestroy replaced pkiremove.

There is no uninstaller for the CA currently. I had started one long ago 
and never finished it. Feel free to open an RFE on it.


Note that it is trickier than just removing files. Depending on where it 
blows up you may need to remove replication agreements too (and entries 
from cn=masters).


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
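Rob's point is that recovering from a failed ipa-ca-install is more than the rm -rf list: the Dogtag instance directories, the CA replication agreements and the CA service entry under cn=masters can all be left behind, and a re-run trips over any of them. The script below is an added example (not FreeIPA's or Dogtag's own code) of a pre-flight check that reports that leftover state without deleting anything. The hostname ipa-srv2.example.com, the suffix dc=example,dc=com and the ROOT prefix are assumptions; ROOT="" checks the live system, any other value checks a scratch tree so the check can be exercised safely.

```shell
#!/bin/sh
# Added example (not FreeIPA's or Dogtag's own code): pre-flight check for the
# manual CA cleanup discussed in the thread. Reports leftover pki-tomcat paths
# and a stale CA service entry under cn=masters; it never removes anything.
# Assumptions: hostname, suffix and the ROOT prefix used for testing.

# Paths a half-installed Dogtag instance leaves behind (the rm -rf list from the thread).
PKI_DIRS="/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat"

# list_pki_leftovers ROOT: print each leftover path that still exists under ROOT.
list_pki_leftovers() {
    root=$1
    for d in $PKI_DIRS; do
        [ -e "$root$d" ] && printf '%s\n' "$root$d"
    done
    return 0
}

# ca_master_entry_present LDIF HOST: succeed if LDIF contains the CA service
# entry for HOST, i.e. dn: cn=CA,cn=HOST,cn=masters,cn=ipa,cn=etc,<suffix>.
# Produce LDIF on a working master with (assumed suffix):
#   ldapsearch -Y GSSAPI -o ldif-wrap=no \
#     -b "cn=masters,cn=ipa,cn=etc,dc=example,dc=com" "(cn=CA)" dn > masters.ldif
# Only the DN prefix is matched, so default ldapsearch line wrapping is harmless;
# -i because LDAP DNs compare case-insensitively.
ca_master_entry_present() {
    ldif=$1
    host=$2
    grep -qi -- "^dn: cn=CA,cn=$host,cn=masters,cn=ipa,cn=etc," "$ldif"
}

# report_ca_leftovers ROOT LDIF HOST: print findings; return 0 when nothing is
# left over and 1 when something still has to be removed before ipa-ca-install.
report_ca_leftovers() {
    root=$1
    ldif=$2
    host=$3
    found=0
    for p in $(list_pki_leftovers "$root"); do
        echo "leftover Dogtag path: $p (remove after pkidestroy -s CA -i pki-tomcat)"
        found=1
    done
    if ca_master_entry_present "$ldif" "$host"; then
        echo "stale CA service entry for $host under cn=masters,cn=ipa,cn=etc"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "no leftover CA state found for $host"
    fi
    return "$found"
}

# Usage: sh check_ca_leftovers.sh ipa-srv2.example.com masters.ldif
# (checks the live filesystem, ROOT="")
if [ $# -eq 2 ]; then
    report_ca_leftovers "" "$2" "$1"
fi
```

The script only reports, so the pkidestroy and rm -rf steps stay a deliberate action taken after reading its output. The CA replication agreements Rob mentions are not on the filesystem or under cn=masters; FreeIPA's own ipa-csreplica-manage list shows them, and any agreement pointing at the half-installed replica has to go before the install is retried.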


Re: [Freeipa-users] Unable to add CA on an already configured replica

2016-07-25 Thread Martin Basti



On 22.07.2016 20:17, pgb205 wrote:

Current topology:
ipa-srv1<->ipa-srv2

ipa-srv1 already has the CA installed but *NOT* ipa-srv2.

The reason I would like to add CA on ipa-srv2 is because I want the 
setup to ultimately become

ipa-srv1<->ipa-srv2<->ipa-srv3

However, I am unable to create the gpg replication file on ipa-srv2 (to be 
used to establish a replication agreement to ipa-srv3)
as I get an error message: Certificate operation cannot be completed: 
Unable to communicate with CMS (Internal Server Error)
From what I've found the gpg file can only be created on a replica with the CA 
installed.


To install the CA I tried the following command:
ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
This errors out at
  [8/21]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
restart the Dogtag instance. See the installation log for details.

  [9/21]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed 
with HTTP status 500


Hello,
can you please check /var/log/pki/pki-tomcat/ca/debug for more specific 
errors?


Regards,
Martin


systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly.

But it's still not listed in the ipactl status output.

Further attempts to install are halted with the error: CA is already 
installed on this system, and I have to manually delete everything with:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat


In the error logs the one message that stands out is:
500 internal server error, which repeats multiple times at the end of 
the log file.


Please suggest on what can be done in this situation.

PS: regarding the pkidestroy and pkiremove commands: what is the 
difference, or does pkidestroy supersede pkiremove?
Alexander B suggests pkiremove in one of his older posts, and 'yum 
whatprovides pkiremove' also suggests that it should be available.



