Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Ade Lee
On Wed, 2014-09-24 at 16:33 -0400, Ade Lee wrote:
> On Wed, 2014-09-24 at 16:24 -0400, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> > > On 09/24/2014 03:29 PM, Rob Crittenden wrote:
> > >> Dmitri Pal wrote:
> > >>> On 09/24/2014 02:07 PM, swartz wrote:
> > >>>> On 9/24/2014 9:05 AM, Ade Lee wrote:
> > >>>>> Forwarding to a couple of colleagues of mine who will be taking
> > >>>>> point on
> > >>>>> this.
> > >>>>>
> > >>>>>   From what I can see, the CS.cfg is truncated.  Fortunately, I
> > >>>>> believe it
> > >>>>> is reparable.
> > >>>>>
> > >>>>> Ade
> > >>>> I've been in contact with Endi and Ade. It was a truncated config file
> > >>>> as per msg above.
> > >>>> Endi had emailed me a restored config.
> > >>>>
> > >>>> I can happily say that my IPA instance is back in operation.
> > >>>>
> > >>>> Thank you all.
> > >>>>
> > >>>> For anyone else reading this:
> > >>>> For me this config truncation happened after a 'yum update'.
> > >>>> Perhaps shutting down the IPA stack before doing package updates might
> > >>>> be more advisable.
> > >>>>
> > >>>>
> > >>> Is there any chance to detect which package caused this truncation?
> > >>>
> > >> It was almost certainly related to IPA, if not ipa-upgradeconfig
> > >> directly. For any number of reasons it may write directly to CS.cfg
> > >> without stopping the service first. It may also call the dogtag-provided
> > >> pki-setup-proxy which also doesn't stop the service before touching
> > >> CS.cfg.
> > >>
> > >> The upgrader will then determine if any changes were made and restart
> > >> the service.
> > >>
> > >> rob
> > > So is it a race condition? Something does not sound right.
> > > 
> > 
> > What I don't understand is: if dogtag always writes CS.cfg on exit, why
> > does this work the majority of the time?
> 
> Dogtag does not write CS.cfg on exit (like 389).  Rather, if there are
> changes to CS.cfg, they will be committed and the file will be changed
> and the in-memory version of CS.cfg will be written at that time.
> 
> I think what we're seeing is two different things modifying the CS.cfg
> at the same time (or at least within the time frame of whatever file
> buffering is going on).  In other cases where I've seen this, I see
> CS.cfg end up the size of n * file buffer.
> 
> Shutting down CA before changing CS.cfg is a way of preventing access by
> more than one source at the same time.
> 
In the long term of course, we need to provide an interface to dogtag to
allow these types of changes by the dogtag server.

> > 
> > But anyway, it sounds like we need to shut down dogtag every time we
> > touch CS.cfg which isn't a big deal but it will change the way we do
> > some things.
> > 
> > rob
> > 
> 
> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Ade Lee
On Wed, 2014-09-24 at 16:24 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 09/24/2014 03:29 PM, Rob Crittenden wrote:
> >> Dmitri Pal wrote:
> >>> On 09/24/2014 02:07 PM, swartz wrote:
> >>>> On 9/24/2014 9:05 AM, Ade Lee wrote:
> >>>>> Forwarding to a couple of colleagues of mine who will be taking
> >>>>> point on
> >>>>> this.
> >>>>>
> >>>>>   From what I can see, the CS.cfg is truncated.  Fortunately, I
> >>>>> believe it
> >>>>> is reparable.
> >>>>>
> >>>>> Ade
> >>>> I've been in contact with Endi and Ade. It was a truncated config file
> >>>> as per msg above.
> >>>> Endi had emailed me a restored config.
> >>>>
> >>>> I can happily say that my IPA instance is back in operation.
> >>>>
> >>>> Thank you all.
> >>>>
> >>>> For anyone else reading this:
> >>>> For me this config truncation happened after a 'yum update'.
> >>>> Perhaps shutting down the IPA stack before doing package updates might
> >>>> be more advisable.
> >>>>
> >>>>
> >>> Is there any chance to detect which package caused this truncation?
> >>>
> >> It was almost certainly related to IPA, if not ipa-upgradeconfig
> >> directly. For any number of reasons it may write directly to CS.cfg
> >> without stopping the service first. It may also call the dogtag-provided
> >> pki-setup-proxy which also doesn't stop the service before touching
> >> CS.cfg.
> >>
> >> The upgrader will then determine if any changes were made and restart
> >> the service.
> >>
> >> rob
> > So is it a race condition? Something does not sound right.
> > 
> 
> What I don't understand is: if dogtag always writes CS.cfg on exit, why
> does this work the majority of the time?

Dogtag does not write CS.cfg on exit (like 389).  Rather, if there are
changes to CS.cfg, they will be committed and the file will be changed
and the in-memory version of CS.cfg will be written at that time.

I think what we're seeing is two different things modifying the CS.cfg
at the same time (or at least within the time frame of whatever file
buffering is going on).  In other cases where I've seen this, I see
CS.cfg end up the size of n * file buffer.

Shutting down CA before changing CS.cfg is a way of preventing access by
more than one source at the same time.

> 
> But anyway, it sounds like we need to shut down dogtag every time we
> touch CS.cfg which isn't a big deal but it will change the way we do
> some things.
> 
> rob
> 




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Rob Crittenden
Dmitri Pal wrote:
> On 09/24/2014 03:29 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 09/24/2014 02:07 PM, swartz wrote:
>>>> On 9/24/2014 9:05 AM, Ade Lee wrote:
>>>>> Forwarding to a couple of colleagues of mine who will be taking
>>>>> point on
>>>>> this.
>>>>>
>>>>>   From what I can see, the CS.cfg is truncated.  Fortunately, I
>>>>> believe it
>>>>> is reparable.
>>>>>
>>>>> Ade
>>>> I've been in contact with Endi and Ade. It was a truncated config file
>>>> as per msg above.
>>>> Endi had emailed me a restored config.
>>>>
>>>> I can happily say that my IPA instance is back in operation.
>>>>
>>>> Thank you all.
>>>>
>>>> For anyone else reading this:
>>>> For me this config truncation happened after a 'yum update'.
>>>> Perhaps shutting down the IPA stack before doing package updates might
>>>> be more advisable.
>>>>
>>>>
>>> Is there any chance to detect which package caused this truncation?
>>>
>> It was almost certainly related to IPA, if not ipa-upgradeconfig
>> directly. For any number of reasons it may write directly to CS.cfg
>> without stopping the service first. It may also call the dogtag-provided
>> pki-setup-proxy which also doesn't stop the service before touching
>> CS.cfg.
>>
>> The upgrader will then determine if any changes were made and restart
>> the service.
>>
>> rob
> So is it a race condition? Something does not sound right.
> 

What I don't understand is: if dogtag always writes CS.cfg on exit, why
does this work the majority of the time?

But anyway, it sounds like we need to shut down dogtag every time we
touch CS.cfg which isn't a big deal but it will change the way we do
some things.

rob



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Dmitri Pal

On 09/24/2014 03:29 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 09/24/2014 02:07 PM, swartz wrote:
>>> On 9/24/2014 9:05 AM, Ade Lee wrote:
>>>> Forwarding to a couple of colleagues of mine who will be taking point on
>>>> this.
>>>>
>>>>  From what I can see, the CS.cfg is truncated.  Fortunately, I
>>>> believe it
>>>> is reparable.
>>>>
>>>> Ade
>>>
>>> I've been in contact with Endi and Ade. It was a truncated config file
>>> as per msg above.
>>> Endi had emailed me a restored config.
>>>
>>> I can happily say that my IPA instance is back in operation.
>>>
>>> Thank you all.
>>>
>>> For anyone else reading this:
>>> For me this config truncation happened after a 'yum update'.
>>> Perhaps shutting down the IPA stack before doing package updates might
>>> be more advisable.
>>>
>>>
>> Is there any chance to detect which package caused this truncation?
>>
>
> It was almost certainly related to IPA, if not ipa-upgradeconfig
> directly. For any number of reasons it may write directly to CS.cfg
> without stopping the service first. It may also call the dogtag-provided
> pki-setup-proxy which also doesn't stop the service before touching CS.cfg.
>
> The upgrader will then determine if any changes were made and restart
> the service.
>
> rob

So is it a race condition? Something does not sound right.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Rob Crittenden
Dmitri Pal wrote:
> On 09/24/2014 02:07 PM, swartz wrote:
>> On 9/24/2014 9:05 AM, Ade Lee wrote:
>>> Forwarding to a couple of colleagues of mine who will be taking point on
>>> this.
>>>
>>>  From what I can see, the CS.cfg is truncated.  Fortunately, I
>>> believe it
>>> is reparable.
>>>
>>> Ade
>>
>> I've been in contact with Endi and Ade. It was a truncated config file
>> as per msg above.
>> Endi had emailed me a restored config.
>>
>> I can happily say that my IPA instance is back in operation.
>>
>> Thank you all.
>>
>> For anyone else reading this:
>> For me this config truncation happened after a 'yum update'.
>> Perhaps shutting down the IPA stack before doing package updates might
>> be more advisable.
>>
>>
> Is there any chance to detect which package caused this truncation?
> 

It was almost certainly related to IPA, if not ipa-upgradeconfig
directly. For any number of reasons it may write directly to CS.cfg
without stopping the service first. It may also call the dogtag-provided
pki-setup-proxy which also doesn't stop the service before touching CS.cfg.

The upgrader will then determine if any changes were made and restart
the service.

rob



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Dmitri Pal

On 09/24/2014 02:07 PM, swartz wrote:
> On 9/24/2014 9:05 AM, Ade Lee wrote:
>> Forwarding to a couple of colleagues of mine who will be taking point on
>> this.
>>
>>  From what I can see, the CS.cfg is truncated.  Fortunately, I
>> believe it
>> is reparable.
>>
>> Ade
>
> I've been in contact with Endi and Ade. It was a truncated config file
> as per msg above.
> Endi had emailed me a restored config.
>
> I can happily say that my IPA instance is back in operation.
>
> Thank you all.
>
> For anyone else reading this:
> For me this config truncation happened after a 'yum update'.
> Perhaps shutting down the IPA stack before doing package updates might
> be more advisable.
>

Is there any chance to detect which package caused this truncation?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread swartz

On 9/24/2014 9:05 AM, Ade Lee wrote:
> Forwarding to a couple of colleagues of mine who will be taking point on
> this.
>
>  From what I can see, the CS.cfg is truncated.  Fortunately, I believe it
> is reparable.
>
> Ade

I've been in contact with Endi and Ade. It was a truncated config file
as per msg above.
Endi had emailed me a restored config.

I can happily say that my IPA instance is back in operation.

Thank you all.

For anyone else reading this:
For me this config truncation happened after a 'yum update'.
Perhaps shutting down the IPA stack before doing package updates might
be more advisable.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread Endi Sukma Dewata

On 9/23/2014 6:35 PM, swartz wrote:
> On 9/22/2014 7:59 PM, Ade Lee wrote:
>> If you scroll to the end of the CS.cfg, does it look like it has been
>> truncated?
>
> I'd have to say no. It doesn't look truncated to me. At least there are
> no obvious signs. But then again I don't know everything that is supposed
> to be there. I know that the line starting with
> "pkicreate.unsecure_port=" isn't there, that's for sure. Hence why init
> script fails to start PKI-CA.

Hi,

Ade and I looked at the file that you sent, and I sent you an updated 
CS.cfg based on my system (and you indicated that it's working now). I 
noticed that your original file contains the following line:


  cloning.ocsp_signing.dn=CN=OCSP Subsys

where it probably should have been something like this:

  cloning.ocsp_signing.dn=CN=OCSP Subsystem,O=CS.MYDOMAIN.CA

Also, it's missing the next ~400 lines which seem to have been replaced 
with these lines:


  proxy.securePort=443
  proxy.unsecurePort=80

So we're suspecting that something was adding these proxy parameters 
directly to CS.cfg while the CA is saving configuration changes to 
CS.cfg too. Luckily your original CS.cfg still contains enough 
information to fully restore the file. I guess we need someone who's 
more familiar with the IPA & CA upgrade process to take a look at this 
more closely.


The CS.cfg is actually owned by the CA server, but sometimes people are
advised to change the file directly, and maybe some code is written
that way too. There are some ways to avoid this kind of problem in the
future:

1. Require CA to be shut down before changing CS.cfg directly.
2. Prohibit direct access to the file and require the use of tools that
send the changes to the CA server (e.g. via CLI/REST).
3. Break CS.cfg into user-owned and server-owned parameters, and move
mostly-static parameters into a separate default file.
4. Replace CS.cfg with LDAP-based configuration.

In the short term we might be limited to #1, but in the long term we 
might be able to implement the other options.


--
Endi S. Dewata



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread swartz

On 9/22/2014 7:59 PM, Ade Lee wrote:
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
I'd have to say no. It doesn't look truncated to me. At least there are
no obvious signs. But then again I don't know everything that is supposed
to be there. I know that the line starting with
"pkicreate.unsecure_port=" isn't there, that's for sure. Hence why init
script fails to start PKI-CA.

> If you have backups of the CS.cfg, that will help.  Also, you could look
> for backups that we have created:
Sadly there were no backups. This was a test/dev VM with no backup policy.

> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*
I've replied to you directly with all CS.cfg* files I could find. Most
appear to be templates and not backups as per your message.

> Also, do you have a replica CA?
Yes and no.  The master was originally configured with a replica but the
test replica VM was not used after that and was shut down and removed.

PS. I replied to the wrong email. Ooops, sorry.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread swartz

On 9/22/2014 7:59 PM, Ade Lee wrote:
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
I'd have to say no. It doesn't look truncated to me. At least there are
no obvious signs. But then again I don't know everything that is supposed
to be there. I know that the line starting with
"pkicreate.unsecure_port=" isn't there, that's for sure. Hence why init
script fails to start PKI-CA.

> If you have backups of the CS.cfg, that will help.  Also, you could look
> for backups that we have created:
Sadly there were no backups. This was a test/dev VM with no backup policy.

> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*
I've replied to you directly with all CS.cfg* files I could find. Most
appear to be templates and not backups as per your message.

> Also, do you have a replica CA?
Yes and no.  The master was originally configured with a replica but the
test replica VM was not used after that and was shut down and removed.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Martin Kosek
On 09/23/2014 03:59 AM, Ade Lee wrote:
> On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
>> On 9/22/2014 9:14 AM, Ade Lee wrote:
>>> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
>>  >ls -l /etc/pki-ca/CS.cfg
>> -rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
>>
> In very rare cases, I've seen cases where the CS.cfg becomes truncated
> during an update.  Unfortunately, we have not been able to reproduce the
> event.  In later versions of dogtag, we make sure to save the CS.cfg
> just in case.
> 
> Your instance sounds like a truncated CS.cfg instance, but the size is a
> lot larger than cases I've seen before, so I don't want to jump to that
> conclusion yet.

JFTR, FreeIPA may have been involved as well; we had a related fix in FreeIPA
4.0.2:
https://fedorahosted.org/freeipa/ticket/4166

> 
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
> 
> If you have backups of the CS.cfg, that will help.  Also, you could look
> for backups that we have created:
> 
> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*
> 
> Also, do you have a replica CA?
> 
> Ade
> 
>> I know that I did NOT change the configs myself. But something certainly 
>> did during 'yum update'.
>> There are no .rpmsave or .rpmnew files that would typically be created 
>> if configs are properly marked in RPM spec file.
>>
>> There are two other files that exist though:
>> -rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
>> -rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33
>>
>> However, they are not usable either in place of current CS.cfg.
>>
> The above files are templates only.  They are modified during instance
> configuration.
>>
>>> There have been no updates recently on rhel 6 to the pki packages.
>>> There has, however, been an update to tomcat - which broke dogtag
>>> startups.
>>>
>>> What version of tomcat6 is on your system?
>>  >rpm -qa tomcat6
>> tomcat6-6.0.24-78.el6_5.noarch
>>
>>
> This tomcat version should still be a working one.  The tomcat6 that
> broke things has not made it out yet, having been discovered in QE
> testing.
> 
> 
> 



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
> On 9/22/2014 9:14 AM, Ade Lee wrote:
> > Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
>  >ls -l /etc/pki-ca/CS.cfg
> -rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
> 
In very rare cases, I've seen cases where the CS.cfg becomes truncated
during an update.  Unfortunately, we have not been able to reproduce the
event.  In later versions of dogtag, we make sure to save the CS.cfg
just in case.

Your instance sounds like a truncated CS.cfg instance, but the size is a
lot larger than cases I've seen before, so I don't want to jump to that
conclusion yet.

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?

If you have backups of the CS.cfg, that will help.  Also, you could look
for backups that we have created:

find /var/lib/pki-ca -name CS.cfg*
find /var/log -name CS.cfg*

Also, do you have a replica CA?

Ade

> I know that I did NOT change the configs myself. But something certainly 
> did during 'yum update'.
> There are no .rpmsave or .rpmnew files that would typically be created 
> if configs are properly marked in RPM spec file.
> 
> There are two other files that exist though:
> -rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
> -rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33
> 
> However, they are not usable either in place of current CS.cfg.
> 
The above files are templates only.  They are modified during instance
configuration.
> 
> >> There have been no updates recently on rhel 6 to the pki packages.
> >> There has, however, been an update to tomcat - which broke dogtag
> >> startups.
> >>
> >> What version of tomcat6 is on your system?
>  >rpm -qa tomcat6
> tomcat6-6.0.24-78.el6_5.noarch
> 
> 
This tomcat version should still be a working one.  The tomcat6 that
broke things has not made it out yet, having been discovered in QE
testing.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread swartz


On 9/22/2014 9:14 AM, Ade Lee wrote:
> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

>ls -l /etc/pki-ca/CS.cfg
-rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg

I know that I did NOT change the configs myself. But something certainly
did during 'yum update'.
There are no .rpmsave or .rpmnew files that would typically be created
if configs are properly marked in RPM spec file.

There are two other files that exist though:
-rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
-rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33

However, they are not usable either in place of current CS.cfg.

> There have been no updates recently on rhel 6 to the pki packages.
> There has, however, been an update to tomcat - which broke dogtag
> startups.
>
> What version of tomcat6 is on your system?

>rpm -qa tomcat6
tomcat6-6.0.24-78.el6_5.noarch




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 10:43 -0400, Ade Lee wrote:
> On Mon, 2014-09-22 at 10:50 +0200, Martin Kosek wrote:
> > On 09/20/2014 01:02 AM, swartz wrote:
> > > Hello,
> > > 
> > > Encountered same issue as described here:
> > > https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
> > > https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
> > > 
> > > Plain vanilla IPA setup. No changes, no customizations.
> > > Recently IPA fails to start. Error happened right after a 'yum update' 
> > > and reboot.
> > > 
> > > ---
> > > Starting pki-ca:   [  OK  ]
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > ...
> > > Failed to start CA Service
> > > Shutting down
> > > 
> > > 
> > > Digging into the matter further...
> > > The line that causes the error above is in 
> > > /usr/share/pki/scripts/functions
> > > (which is loaded by pki-ca init script):
> > > netstat -antl | grep ${port} > /dev/null
> > > 
> > > The $port variable is blank so call to grep is without a search parameter.
> > > Hence invalid call to grep and subsequent error msg I'm seeing as above.
> > > 
> > > $port is defined just a few lines above as
> > > port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} 
> > > | cut
> > > -b25- -`
> > > 
> > > BUT! For whatever reason there is no line that starts with
> > > "pkicreate.unsecure_port" in $pki_instance_configuration_file
> > > (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use 
> > > in grep.
> > > 
> > > Why there is no such line in config file where one is expected is unknown 
> > > to me...
> > > 
> > > Versions currently installed
> > > ipa-server-3.0.0-37.el6.x86_64
> > > pki-ca-9.0.3-32.el6.noarch
> > > 
> > > Did updates to pki packages clobber the configs? What got broken? How do I
> > > resolve it?
> > > 
> 
Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

> There have been no updates recently on rhel 6 to the pki packages.
> There has, however, been an update to tomcat - which broke dogtag
> startups.
> 
> What version of tomcat6 is on your system?
> 
> > > Thank you.
> > 
> > Also please see another PKI crash on EL6 reported on freeipa-users:
> > 
> > https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html
> > 
> > This is not the first time this issue was reported, but we got no response 
> > from
> > PKI team, even though I CCed several members (maybe that was actually the
> > root cause).
> > 
> > The PKI installation errors are piling up (7.1 too), I would like to resolve
> > that very soon so that we are not seen as too unstable software.
> > 
> The issues on 7.1 are tomcat related too.  Builds were completed last
> week to address these.
> 
> > Thanks for help,
> > Martin
> 




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Ade Lee
On Mon, 2014-09-22 at 10:50 +0200, Martin Kosek wrote:
> On 09/20/2014 01:02 AM, swartz wrote:
> > Hello,
> > 
> > Encountered same issue as described here:
> > https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
> > https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
> > 
> > Plain vanilla IPA setup. No changes, no customizations.
> > Recently IPA fails to start. Error happened right after a 'yum update' and 
> > reboot.
> > 
> > ---
> > Starting pki-ca:   [  OK  ]
> > Usage: grep [OPTION]... PATTERN [FILE]...
> > Try `grep --help' for more information.
> > Usage: grep [OPTION]... PATTERN [FILE]...
> > Try `grep --help' for more information.
> > Usage: grep [OPTION]... PATTERN [FILE]...
> > Try `grep --help' for more information.
> > ...
> > Failed to start CA Service
> > Shutting down
> > 
> > 
> > Digging into the matter further...
> > The line that causes the error above is in /usr/share/pki/scripts/functions
> > (which is loaded by pki-ca init script):
> > netstat -antl | grep ${port} > /dev/null
> > 
> > The $port variable is blank so call to grep is without a search parameter.
> > Hence invalid call to grep and subsequent error msg I'm seeing as above.
> > 
> > $port is defined just a few lines above as
> > port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | 
> > cut
> > -b25- -`
> > 
> > BUT! For whatever reason there is no line that starts with
> > "pkicreate.unsecure_port" in $pki_instance_configuration_file
> > (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use 
> > in grep.
> > 
> > Why there is no such line in config file where one is expected is unknown 
> > to me...
> > 
> > Versions currently installed
> > ipa-server-3.0.0-37.el6.x86_64
> > pki-ca-9.0.3-32.el6.noarch
> > 
> > Did updates to pki packages clobber the configs? What got broken? How do I
> > resolve it?
> > 

There have been no updates recently on rhel 6 to the pki packages.
There has, however, been an update to tomcat - which broke dogtag
startups.

What version of tomcat6 is on your system?

> > Thank you.
> 
> Also please see another PKI crash on EL6 reported on freeipa-users:
> 
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html
> 
> This is not the first time this issue was reported, but we got no response 
> from
> PKI team, even though I CCed several members (maybe that was actually the root
> cause).
> 
> The PKI installation errors are piling up (7.1 too), I would like to resolve
> that very soon so that we are not seen as too unstable software.
> 
The issues on 7.1 are tomcat related too.  Builds were completed last
week to address these.

> Thanks for help,
> Martin




Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread Martin Kosek
On 09/20/2014 01:02 AM, swartz wrote:
> Hello,
> 
> Encountered same issue as described here:
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
> https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
> 
> Plain vanilla IPA setup. No changes, no customizations.
> Recently IPA fails to start. Error happened right after a 'yum update' and 
> reboot.
> 
> ---
> Starting pki-ca:   [  OK  ]
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> ...
> Failed to start CA Service
> Shutting down
> 
> 
> Digging into the matter further...
> The line that causes the error above is in /usr/share/pki/scripts/functions
> (which is loaded by pki-ca init script):
> netstat -antl | grep ${port} > /dev/null
> 
> The $port variable is blank so call to grep is without a search parameter.
> Hence invalid call to grep and subsequent error msg I'm seeing as above.
> 
> $port is defined just a few lines above as
> port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | 
> cut
> -b25- -`
> 
> BUT! For whatever reason there is no line that starts with
> "pkicreate.unsecure_port" in $pki_instance_configuration_file
> (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use in 
> grep.
> 
> Why there is no such line in config file where one is expected is unknown to 
> me...
> 
> Versions currently installed
> ipa-server-3.0.0-37.el6.x86_64
> pki-ca-9.0.3-32.el6.noarch
> 
> Did updates to pki packages clobber the configs? What got broken? How do I
> resolve it?
> 
> Thank you.

Also please see another PKI crash on EL6 reported on freeipa-users:

https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html

This is not the first time this issue was reported, but we got no response from
PKI team, even though I CCed several members (maybe that was actually the root
cause).

The PKI installation errors are piling up (7.1 too), I would like to resolve
that very soon so that we are not seen as too unstable software.

Thanks for help,
Martin

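The failure in this thread has two halves: a CS.cfg that two writers (the CA committing its in-memory configuration, and a tool appending proxy.* parameters) touched at the same time, as Endi and Ade describe above, and an init script that read the result without checking that pkicreate.unsecure_port was actually present, which is the blank ${port} in swartz's original report. The script below is an added example, not code from Dogtag, FreeIPA or anyone on this thread, showing the defensive counterpart of both: a pre-start validator that fails closed on a missing or malformed key, and an update routine that takes an exclusive lock, validates the rewritten text, and swaps the new file in with an atomic rename so no reader ever sees a half-written CS.cfg. The lock-file name, the required-key list, the sample file contents and the DN heuristic are assumptions of this example, and fcntl needs a POSIX system.

```python
"""Guarded edits and a pre-start check for a Dogtag-style CS.cfg.

Added example for this thread, not code from Dogtag, FreeIPA or any poster.
Assumptions: CS.cfg is a flat key=value file, the lock file sits beside it
as CS.cfg.lock, and REQUIRED_KEYS is just the two port keys the init script
reads.  fcntl.flock needs a POSIX system.
"""
import fcntl
import os
import re
import tempfile

# Without pkicreate.unsecure_port the init script's ${port} is empty and
# "grep ${port}" runs with no pattern: the usage error in the original report.
REQUIRED_KEYS = ("pkicreate.unsecure_port", "pkicreate.secure_port")

# Constructed samples.  The second mimics the damage Endi described: the
# ocsp_signing DN cut mid-value, proxy.* lines where ~400 lines belonged.
HEALTHY_CFG = """\
cloning.ocsp_signing.dn=CN=OCSP Subsystem,O=EXAMPLE.TEST
pkicreate.secure_port=9444
pkicreate.unsecure_port=9180
proxy.securePort=443
proxy.unsecurePort=80
"""
TRUNCATED_CFG = """\
cloning.ocsp_signing.dn=CN=OCSP Subsys
proxy.securePort=443
proxy.unsecurePort=80
"""

KEY_RE = re.compile(r"^([A-Za-z0-9_.\-]+)=(.*)$")


def parse_cfg(text):
    """Return ({key: value}, [(lineno, raw)]) with non key=value lines listed."""
    values, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
        else:
            malformed.append((lineno, raw))
    return values, malformed


def validate_cfg(text):
    """List problems that would stop the CA from starting; [] means OK."""
    values, malformed = parse_cfg(text)
    problems = [f"line {n}: not key=value: {raw!r}" for n, raw in malformed]
    for key in REQUIRED_KEYS:
        if key not in values:
            problems.append(f"missing required key {key}")
        elif not values[key].isdigit():
            problems.append(f"{key} is not a port number: {values[key]!r}")
    # Heuristic for the symptom in the thread (an assumption of this example):
    # the signing DN normally carries an O= component after the CN.
    dn = values.get("cloning.ocsp_signing.dn", "")
    if dn and "," not in dn:
        problems.append(f"cloning.ocsp_signing.dn looks cut short: {dn!r}")
    return problems


def update_cfg(path, changes):
    """Apply {key: value} changes under an exclusive lock and an atomic rename.
    The lock serialises cooperating writers; writing a temp file and then
    os.replace()-ing it means no reader ever sees a half-written CS.cfg."""
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                original = f.read().splitlines()
            out, seen = [], set()
            for raw in original:
                m = KEY_RE.match(raw.strip())
                if m and m.group(1) in changes:
                    out.append(f"{m.group(1)}={changes[m.group(1)]}")
                    seen.add(m.group(1))
                else:
                    out.append(raw)  # keep comments, blanks and order intact
            out.extend(f"{k}={v}" for k, v in changes.items() if k not in seen)
            new_text = "\n".join(out) + "\n"
            problems = validate_cfg(new_text)
            if problems:
                raise ValueError("refusing to write broken CS.cfg: " + "; ".join(problems))
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".CS.cfg.")
            try:
                with os.fdopen(fd, "w") as tmpf:
                    tmpf.write(new_text)
                    tmpf.flush()
                    os.fsync(tmpf.fileno())
                os.chmod(tmp, os.stat(path).st_mode & 0o7777)  # keep the owner's mode
                os.replace(tmp, path)
            finally:
                if os.path.exists(tmp):  # only left behind if the swap failed
                    os.unlink(tmp)
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
    return new_text


def demo_update(changes=None):
    """Round-trip HEALTHY_CFG through update_cfg in a scratch dir; return parse_cfg() of it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "CS.cfg")
        with open(path, "w") as f:
            f.write(HEALTHY_CFG)
        update_cfg(path, changes or {"proxy.securePort": "8443", "proxy.extra": "1"})
        with open(path) as f:
            return parse_cfg(f.read())


if __name__ == "__main__":
    print("truncated sample:", validate_cfg(TRUNCATED_CFG))
    print("after update:", demo_update()[0])
```

Running it prints the three problems the validator finds in the constructed truncated sample (both port keys missing, DN cut short) and the key set after a locked update. The lock only fences writers that take it; a writer that edits CS.cfg behind the CA's back is exactly the case the thread ends on, and stopping the CA first remains the only protection against it.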