[Freeipa-users] CS.cfg empty

Martin Kosek mkosek at redhat.com
Tue Jan 28 07:27:43 UTC 2014 

Ok, thanks for info. In case you find out the root cause that could help us fix
IPA/PKI, please reach back to us.

Martin

On 01/27/2014 08:00 PM, Bret Wortman wrote:
> # rpm -q pki-ca
> pki-ca-10.0.6-1.fc18.noarch
> 
> There were versions found under two other locations (it may have been these --
> we had to nuke the box and start over, so the filesystem isn't in the same
> state it was when this began). I tried starting the service with each of them
> but neither worked.
> 
> We've built a new server and will be replicating this one so that this doesn't
> happen again. We hope....
> 
> 
> Bret
> 
> On 01/27/2014 11:31 AM, Ade Lee wrote:
>> Bret,
>>
>> What version is the Dogtag instance on that server? (rpm -q pki-ca)
>>
>> We have seen cases when the CS.cfg has zero length - and have modified
>> code to:
>> 1) not write to CS.cfg on startup
>> 2) backup the CS.cfg on upgrades.
>>
>> Under normal operations, unless you are configuring the Dogtag instance
>> - which would not be happening during normal IPA operations, the CS.cfg
>> should not be written to.
>>
>> Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
>> (assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?
>>
>> Ade
>>
>> On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
>>> Martin,
>>>
>>> The only other systems I have running IPA are on another network. I
>>> could take their CS.cfg file and try to modify it to fit what this one
>>> should have had, but that's my only option.
>>>
>>> On the up side, this is a relatively small network, and reinstating the
>>> users and hosts won't be an enormous task. Big, but not enormous. And I
>>> should have had a backup, especially knowing there was a scheduled power
>>> outage coming up. Because those are always problem-free....  ;-)
>>>
>>>
>>> Bret
>>>
>>> On 01/27/2014 04:14 AM, Martin Kosek wrote:
>>>> On 01/27/2014 01:51 AM, Bret Wortman wrote:
>>>>> We had to reboot the IPA server on a standalone network recently, and this
>>>>> IPA server is the only one on that network; there are no replicas. Upon
>>>>> restarting, the IPA software refused to start because, after a couple
>>>>> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
>>>>>
>>>>> How can I most easily restore this file given that I doubt we have a
>>>>> backup (our bad)? Is there a way to basically reinstall the server without
>>>>> losing the data in the database? Our users and host definitions, anyway?
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> Bret
>>>> Hello Bret,
>>>>
>>>> Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
>>>> while the IPA server restarted. What version of IPA and PKI are we talking
>>>> about?
>>>>
>>>> Do you have any other PKI server with CA you can use as a source of the CS.cfg
>>>> file or as a replica to reinstall the IPA server with CA from (in the worst
>>>> case)?
>>>>
>>>> I am adding PKI developers to the CC to advise.
>>>>
>>>> Martin
>>>
>>
> 
>

More information about the Freeipa-users mailing list