<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>Hi,</p> <p><br> </p> <p>I am in a similar boat, well RHEL6.7 to RHEL7.1. I joined a RHEL7.1 / IPA4.1 to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was ca-less. Did a full backup on the RHEL7.1 / IPA 4.1. Blew away the ipa server, installed fresh, pki-tomcat runs, did a restore and pki-tomcat doesnt run.</p> <p><br> </p> <p>btw what does --data do? I tried that before a full restore and no passwords worked ie i could not login and no users worked at all, so it seems pointless? or maybe rather what is it for? and when to use it?<br> </p> <p><br> </p> <p><br> </p> <div id="Signature"> <div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0"> <div style="font-family:Tahoma; font-size:13px"> <div style="font-family:Tahoma; font-size:13px"> <div style="font-family:Tahoma; font-size:13px"> <p>regards</p> <p>Steven<br> </p> </div> </div> </div> </div> </div> <br> <div style="color: rgb(49, 55, 57);"> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> freeipa-users-bounces@redhat.com <freeipa-users-bounces@redhat.com> on behalf of Alexandre Ellert <ellertalexandre@gmail.com><br> <b>Sent:</b> Wednesday, 16 September 2015 12:09 a.m.<br> <b>To:</b> Martin Babinsky<br> <b>Cc:</b> freeipa-users@redhat.com; Alexander Bokovoy<br> <b>Subject:</b> Re: [Freeipa-users] Failed to start pki-tomcatd Service</font> <div> </div> </div> <div> <div dir="ltr"> <div> <div> <div>So, here is the recap :<br> </div> I migrate a single IPA server Centos 6.6 to dual IP server Centos 7.1. The PKI was only installed on server two.<br> Everything was working fine, replication OK, new enrollements OK, authentication with Kerberos and LDAP OK.<br> </div> After some time, I discover that pki tomcatd service didn't restart automatically after reboot on server two.<br> <br> Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...<br> <br> </div> <div>Maybe I should use ipa-backup and then rebuilt an IPA infrastructure and then ipa-restore ?<br> <br> </div> <div>Please advice.<br> </div> <div><br> </div> </div> <div class="gmail_extra"><br> <div class="gmail_quote">2015-09-07 13:36 GMT+02:00 Alexandre Ellert <span dir="ltr"> <<a href="mailto:ellertalexandre@gmail.com" target="_blank">ellertalexandre@gmail.com</a>></span>:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex"> <div class="HOEnZb"> <div class="h5"><br> > Le 4 sept. 2015 à 16:37, Martin Babinsky <<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>> a écrit :<br> ><br> > On 08/28/2015 05:46 PM, Alexandre Ellert wrote:<br> >><br> >>> Le 28 août 2015 à 17:41, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit :<br> >>><br> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:<br> >>>><br> >>>>> Le 28 août 2015 à 17:09, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit :<br> >>>>><br> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:<br> >>>>>><br> >>>>>>> Le 28 juil. 2015 à 05:59, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit :<br> >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another<br> >>>>>>>> replica ?<br> >>>>>>> You may try that. Sorry for not responding, I have some other tasks that<br> >>>>>>> occupy my time right now.<br> >>>>>>><br> >>>>>><br> >>>>>><br> >>>>>> Can you please tell me the procedure to decommission and re-create a new replica ?<br> >>>>>> Are "ipa-server-install —uninstall" then "ipa-server-install" the only things to do ?<br> >>>>> No, you need also to remove the server from the replication topology.<br> >>>>> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html" rel="noreferrer" target="_blank"> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html</a><br> >>>>><br> >>>>> --<br> >>>>> / Alexander Bokovoy<br> >>>><br> >>>> I can’t remove the node on which I have problem with pki-tomcatd :<br> >>>><br> >>>> # ipa-replica-manage del <a href="http://xxxx.example.com" rel="noreferrer" target="_blank"> xxxx.example.com</a><br> >>>> Deleting a master is irreversible.<br> >>>> To reconnect to the remote master you will need to prepare a new replica file<br> >>>> and re-install.<br> >>>> Continue to delete? [no]: yes<br> >>>> Deleting this server is not allowed as it would leave your installation without a CA<br> >>>><br> >>>> I seem that it’s the only node where CA is installed. What should I do now ?<br> >>> Add a replica with CA using ipa-ca-install on existing replica.<br> >>><br> >>> Read the guide, it has detailed coverage of these situations.<br> >>> --<br> >>> / Alexander Bokovoy<br> >><br> >> On the first node (which is working and without pki-tomcatd service)<br> >> # ipa-ca-install<br> >> Directory Manager (existing master) password:<br> >><br> >> CA is already installed.<br> >><br> >> How is it possible ?<br> >><br> >><br> > You must provide a replica file as an argument to ipa-ca-install if you want to setup CA on another replica.<br> ><br> > --<br> > Martin^3 Babinsky<br> <br> </div> </div> I’m still stuck with the correct command line :<br> [root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg<br> <span class="">Directory Manager (existing master) password:<br> <br> </span>Run connection check to master<br> Check connection from replica to remote master '<a href="http://inf-ipa-2.numeezy.fr" rel="noreferrer" target="_blank">inf-ipa-2.numeezy.fr</a>':<br> Directory Service: Unsecure port (389): OK<br> Directory Service: Secure port (636): OK<br> Kerberos KDC: TCP (88): OK<br> Kerberos Kpasswd: TCP (464): OK<br> HTTP Server: Unsecure port (80): OK<br> HTTP Server: Secure port (443): OK<br> <br> The following list of ports use UDP protocol and would need to be<br> checked manually:<br> Kerberos KDC: UDP (88): SKIPPED<br> Kerberos Kpasswd: UDP (464): SKIPPED<br> <br> Connection from replica to master is OK.<br> Start listening on required ports for remote master check<br> Get credentials to log in to remote master<br> <a href="mailto:admin@NUMEEZY.FR">admin@NUMEEZY.FR</a> password:<br> <br> Check SSH connection to remote master<br> Execute check on remote master<br> Check connection from master to remote replica '<a href="http://inf-ipa.numeezy.fr" rel="noreferrer" target="_blank">inf-ipa.numeezy.fr</a>':<br> Directory Service: Unsecure port (389): OK<br> Directory Service: Secure port (636): OK<br> Kerberos KDC: TCP (88): OK<br> Kerberos KDC: UDP (88): WARNING<br> Kerberos Kpasswd: TCP (464): OK<br> Kerberos Kpasswd: UDP (464): WARNING<br> HTTP Server: Unsecure port (80): OK<br> HTTP Server: Secure port (443): OK<br> The following UDP ports could not be verified as open: 88, 464<br> This can happen if they are already bound to an application<br> and ipa-replica-conncheck cannot attach own UDP responder.<br> <br> Connection from master to replica is OK.<br> <br> Connection check OK<br> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds<br> [1/21]: creating certificate server user<br> [2/21]: configuring certificate server instance<br> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1<br> [error] RuntimeError: Configuration of CA failed<br> <br> Your system may be partly configured.<br> Run /usr/sbin/ipa-server-install --uninstall to clean up.<br> <br> Configuration of CA failed<br> <br> </blockquote> </div> <br> </div> </div> </div> </div> </body> </html>