The steps recommended by Alexander did work for me, but should it happen again, is there anything that can be gathered/submitted to help debug this ?
Al -----Original Message----- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Friday, October 03, 2014 12:30 AM To: Endi Sukma Dewata Cc: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support); freeipa-users@redhat.com Subject: Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7 On Thu, 02 Oct 2014, Endi Sukma Dewata wrote: >On 10/1/2014 12:46 PM, Alexander Bokovoy wrote: >>On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network >>Support) wrote: > >>>I have tried to deinstall and reinstall the ipa server but the >>>installation is now failing. >>> >>> >>>The ipa-server-install is failing with the following: >>> >>> [37/38]: tuning directory server >>> [38/38]: configuring directory to start on boot Done configuring >>>directory server (dirsrv). >>>Configuring certificate server (pki-tomcatd): Estimated time 3 >>>minutes >>>30 seconds >>> [1/22]: creating certificate server user >>> [2/22]: configuring certificate server instance >>>ipa : CRITICAL failed to configure ca instance Command >>>'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit >>>status 1 Configuration of CA failed >>> >>>This happens each time I try to uninstall and reinstall the ipa >>>server on RHEL V7. >>> >>> >>>Looking at the latest log in /var/log/pki, I see this at the end of >>>the log: >>> >>>2014-10-01 11:53:10 pkispawn : INFO BEGIN spawning subsystem >>>'CA' of instance 'pki-tomcat' . . . >>>2014-10-01 11:53:10 pkispawn : INFO ... initializing >>>'pki.deployment.initialization' >>>2014-10-01 11:53:10 pkispawn : ERROR ....... PKI subsystem 'CA' >>>for instance 'pki-tomcat' already exists! >>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Type: SystemExit >>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Message: 1 >>>2014-10-01 11:53:10 pkispawn : DEBUG ....... File >>>"/usr/sbin/pkispawn", line 374, in main >>> rv = instance.spawn() >>> File >>>"/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", >>>line 56, in spawn >>> util.instance.verify_subsystem_does_not_exist() >>> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", >>>line 990, in verify_subsystem_does_not_exist >>> sys.exit(1) >>> >>>I am no python expert by any means and I'm not sure what this is >>>telling us so any help would be greatly appreciated. > >>This issue is known -- when CA install fails, we rollback but since CA >>isn't installed, we miss rolling it back. There is a ticket for >>eventually fixing this issue. > >Which ticket is this? The rollback was actually disabled to allow >troubleshooting the failed installation: >https://fedorahosted.org/freeipa/ticket/3990 I think this ticket is unrelated -- its solution only affects ipa-client-install --on-master, not what ipa-server-install does when it rolls back configuration for dirsrv and other servers. I can't find the exact ticket though. >>Following sequence should clean up all the bits: >> >>pkidestroy -s CA -i pki-tomcat >>rm -rf /var/log/pki/pki-tomcat >>rm -rf /etc/sysconfig/pki-tomcat >>rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat >>rm -rf /var/lib/pki/pki-tomcat >>rm -rf /etc/pki/pki-tomcat > >It's not official, but we call this step pki-nuke. > >>It also helps to reboot between multiple reinstalls on a single machine. > >Rather than rolling back the installation automatically (and delete all >files needed to troubleshoot the problem), it would be better to >provide an option to the uninstall command to forcibly remove all >installed files regardless whether the installation was successful or >not, just like the pki-nuke above. We simply have no information about the fact what pkicreate did before it failed. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project