Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Martin Kosek
Ok, thanks for info. In case you find out the root cause that could help us fix
IPA/PKI, please reach back to us.

Martin

On 01/27/2014 08:00 PM, Bret Wortman wrote:
> # rpm -q pki-ca
> pki-ca-10.0.6-1.fc18.noarch
> 
> There were versions found under two other locations (it may have been these --
> we had to nuke the box and start over, so the filesystem isn't in the same
> state it was when this began). I tried starting the service with each of them
> but neither worked.
> 
> We've built a new server and will be replicating this one so that this doesn't
> happen again. We hope
> 
> 
> Bret
> 
> On 01/27/2014 11:31 AM, Ade Lee wrote:
>> Bret,
>>
>> What version is the Dogtag instance on that server? (rpm -q pki-ca)
>>
>> We have seen cases when the CS.cfg has zero length - and have modified
>> code to:
>> 1) not write to CS.cfg on startup
>> 2) backup the CS.cfg on upgrades.
>>
>> Under normal operations, unless you are configuring the Dogtag instance
>> - which would not be happening during normal IPA operations, the CS.cfg
>> should not be written to.
>>
>> Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
>> (assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?
>>
>> Ade
>>
>> On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
>>> Martin,
>>>
>>> The only other systems I have running IPA are on another network. I
>>> could take their CS.cfg file and try to modify it to fit what this one
>>> should have had, but that's my only option.
>>>
>>> On the up side, this is a relatively small network, and reinstating the
>>> users and hosts won't be an enormous task. Big, but not enormous. And I
>>> should have had a backup, especially knowing there was a scheduled power
>>> outage coming up. Because those are always problem-free  ;-)
>>>
>>>
>>> Bret
>>>
>>> On 01/27/2014 04:14 AM, Martin Kosek wrote:
>>>> On 01/27/2014 01:51 AM, Bret Wortman wrote:
>>>>> We had to reboot the IPA server on a standalone network recently, and this
>>>>> IPA server is the only one on that network; there are no replicas. Upon
>>>>> restarting, the IPA software refused to start because, after a couple
>>>>> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
>>>>>
>>>>> How can I most easily restore this file given that I doubt we have a
>>>>> backup (our bad)? Is there a way to basically reinstall the server without
>>>>> losing the data in the database? Our users and host definitions, anyway?
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> Bret
>>>> Hello Bret,
>>>>
>>>> Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
>>>> while the IPA server restarted. What version of IPA and PKI are we talking
>>>> about?
>>>>
>>>> Do you have any other PKI server with CA you can use as a source of the CS.cfg
>>>> file or as a replica to reinstall the IPA server with CA from (in the worst
>>>> case)?
>>>>
>>>> I am adding PKI developers to the CC to advise.
>>>>
>>>> Martin
>>>
>>
> 
> 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Bret Wortman

# rpm -q pki-ca
pki-ca-10.0.6-1.fc18.noarch

There were versions found under two other locations (it may have been 
these -- we had to nuke the box and start over, so the filesystem isn't 
in the same state it was when this began). I tried starting the service 
with each of them but neither worked.


We've built a new server and will be replicating this one so that this 
doesn't happen again. We hope



Bret

On 01/27/2014 11:31 AM, Ade Lee wrote:
> Bret,
>
> What version is the Dogtag instance on that server? (rpm -q pki-ca)
>
> We have seen cases when the CS.cfg has zero length - and have modified
> code to:
> 1) not write to CS.cfg on startup
> 2) backup the CS.cfg on upgrades.
>
> Under normal operations, unless you are configuring the Dogtag instance
> - which would not be happening during normal IPA operations, the CS.cfg
> should not be written to.
>
> Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
> (assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?
>
> Ade
>
> On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
>> Martin,
>>
>> The only other systems I have running IPA are on another network. I
>> could take their CS.cfg file and try to modify it to fit what this one
>> should have had, but that's my only option.
>>
>> On the up side, this is a relatively small network, and reinstating the
>> users and hosts won't be an enormous task. Big, but not enormous. And I
>> should have had a backup, especially knowing there was a scheduled power
>> outage coming up. Because those are always problem-free  ;-)
>>
>>
>> Bret
>>
>> On 01/27/2014 04:14 AM, Martin Kosek wrote:
>>> On 01/27/2014 01:51 AM, Bret Wortman wrote:
>>>> We had to reboot the IPA server on a standalone network recently, and this
>>>> IPA server is the only one on that network; there are no replicas. Upon
>>>> restarting, the IPA software refused to start because, after a couple
>>>> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
>>>>
>>>> How can I most easily restore this file given that I doubt we have a
>>>> backup (our bad)? Is there a way to basically reinstall the server without
>>>> losing the data in the database? Our users and host definitions, anyway?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> Bret
>>> Hello Bret,
>>>
>>> Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
>>> while the IPA server restarted. What version of IPA and PKI are we talking
>>> about?
>>>
>>> Do you have any other PKI server with CA you can use as a source of the CS.cfg
>>> file or as a replica to reinstall the IPA server with CA from (in the worst
>>> case)?
>>>
>>> I am adding PKI developers to the CC to advise.
>>>
>>> Martin

Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Ade Lee
Bret, 

What version is the Dogtag instance on that server? (rpm -q pki-ca) 

We have seen cases when the CS.cfg has zero length - and have modified
code to:
1) not write to CS.cfg on startup
2) backup the CS.cfg on upgrades.

Under normal operations, unless you are configuring the Dogtag instance
- which would not be happening during normal IPA operations, the CS.cfg
should not be written to.

Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
(assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?

Ade

On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
> Martin,
> 
> The only other systems I have running IPA are on another network. I 
> could take their CS.cfg file and try to modify it to fit what this one 
> should have had, but that's my only option.
> 
> On the up side, this is a relatively small network, and reinstating the 
> users and hosts won't be an enormous task. Big, but not enormous. And I 
> should have had a backup, especially knowing there was a scheduled power 
> outage coming up. Because those are always problem-free  ;-)
> 
> 
> Bret
> 
> On 01/27/2014 04:14 AM, Martin Kosek wrote:
> > On 01/27/2014 01:51 AM, Bret Wortman wrote:
> >> We had to reboot the IPA server on a standalone network recently, and this 
> >> IPA server is the only one on that network; there are no replicas. Upon 
> >> restarting, the IPA software refused to start because, after a couple 
> >> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
> >>
> >> How can I most easily restore this file given that I doubt we have a 
> >> backup (our bad)? Is there a way to basically reinstall the server without 
> >> losing the data in the database? Our users and host definitions, anyway?
> >>
> >> Thanks!
> >>
> >>
> >> Bret
> > Hello Bret,
> >
> > Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
> > while the IPA server restarted. What version of IPA and PKI are we talking 
> > about?
> >
> > Do you have any other PKI server with CA you can use as a source of the CS.cfg
> > file or as a replica to reinstall the IPA server with CA from (in the worst
> > case)?
> >
> > I am adding PKI developers to the CC to advise.
> >
> > Martin
> 
> 


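The backup search suggested in the message above, together with a pre-reboot snapshot, as an added example that is not part of the thread or of the Dogtag/IPA code. It assumes backup copies are named `CS.cfg*` and that a usable file contains `key=value` lines; the `--scan` switch and the snapshot directory are this script's own hypothetical conventions.

```sh
#!/bin/sh
# Added example, not from the thread or from Dogtag/IPA.
# Assumptions: backup copies are named CS.cfg* and a usable file holds key=value lines.

# True when FILE is non-empty and has at least one key=value line.
cfg_is_healthy() {
    [ -s "$1" ] && grep -Eq '^[A-Za-z0-9_.-]+=' "$1"
}

# Print every healthy CS.cfg* file found under the given directories.
find_cfg_candidates() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name 'CS.cfg*' 2>/dev/null
    done | while IFS= read -r f; do
        if cfg_is_healthy "$f"; then printf '%s\n' "$f"; fi
    done
}

# Copy a healthy FILE into BACKUP_DIR under a timestamped name and print the
# new path. The copy is flushed to disk before the rename, so an interrupted
# run leaves a stray .tmp file rather than a truncated snapshot.
snapshot_cfg() {
    src=$1
    dest_dir=$2
    if ! cfg_is_healthy "$src"; then
        echo "refusing to snapshot empty or invalid file: $src" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    dest="$dest_dir/CS.cfg.$(date +%Y%m%d%H%M%S)"
    tmp="$dest.tmp.$$"
    cp -p "$src" "$tmp" && sync && mv "$tmp" "$dest" && printf '%s\n' "$dest"
}

# "--scan" is this script's own (hypothetical) switch: search the directories
# given, or by default the locations mentioned in the thread.
if [ "${1:-}" = "--scan" ]; then
    shift
    [ $# -gt 0 ] || set -- /etc/pki/pki-tomcat/ca /var/log/pki/server/upgrade /etc/pki-ca
    find_cfg_candidates "$@"
fi
```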


Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Bret Wortman

Martin,

The only other systems I have running IPA are on another network. I 
could take their CS.cfg file and try to modify it to fit what this one 
should have had, but that's my only option.


On the up side, this is a relatively small network, and reinstating the 
users and hosts won't be an enormous task. Big, but not enormous. And I 
should have had a backup, especially knowing there was a scheduled power 
outage coming up. Because those are always problem-free  ;-)



Bret

On 01/27/2014 04:14 AM, Martin Kosek wrote:
> On 01/27/2014 01:51 AM, Bret Wortman wrote:
>> We had to reboot the IPA server on a standalone network recently, and this
>> IPA server is the only one on that network; there are no replicas. Upon
>> restarting, the IPA software refused to start because, after a couple
>> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
>>
>> How can I most easily restore this file given that I doubt we have a
>> backup (our bad)? Is there a way to basically reinstall the server without
>> losing the data in the database? Our users and host definitions, anyway?
>>
>> Thanks!
>>
>>
>> Bret
> Hello Bret,
>
> Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
> while the IPA server restarted. What version of IPA and PKI are we talking
> about?
>
> Do you have any other PKI server with CA you can use as a source of the CS.cfg
> file or as a replica to reinstall the IPA server with CA from (in the worst
> case)?
>
> I am adding PKI developers to the CC to advise.
>
> Martin

Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Martin Kosek
On 01/27/2014 01:51 AM, Bret Wortman wrote:
> We had to reboot the IPA server on a standalone network recently, and this 
> IPA server is the only one on that network; there are no replicas. Upon 
> restarting, the IPA software refused to start because, after a couple hours 
> of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
> 
> How can I most easily restore this file given that I doubt we have a backup 
> (our bad)? Is there a way to basically reinstall the server without losing 
> the data in the database? Our users and host definitions, anyway?
> 
> Thanks!
> 
> 
> Bret

Hello Bret,

Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
while the IPA server restarted. What version of IPA and PKI are we talking 
about?

Do you have any other PKI server with CA you can use as a source of the CS.cfg
file or as a replica to reinstall the IPA server with CA from (in the worst 
case)?

I am adding PKI developers to the CC to advise.

Martin



[Freeipa-users] CS.cfg empty

2014-01-26 Thread Bret Wortman
We had to reboot the IPA server on a standalone network recently, and this IPA 
server is the only one on that network; there are no replicas. Upon restarting, 
the IPA software refused to start because, after a couple hours of tracking 
things down, our /etc/pki-ca/CS.cfg file is zero-length.

How can I most easily restore this file given that I doubt we have a backup 
(our bad)? Is there a way to basically reinstall the server without losing the 
data in the database? Our users and host definitions, anyway?

Thanks!


Bret
