<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 22.07.2016 20:17, pgb205 wrote:<br>
</div>
<blockquote
cite="mid:312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px">
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">Current
topology:<br>
          ipa-srv1&lt;-&gt;ipa-srv2</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr"><br>
</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">ipa-srv1
already has CA installed but <b
id="yui_3_16_0_ym19_1_1469210069216_2898">NOT </b>ipa-srv2.</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr"><br>
</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">The
reason I would like to add CA on ipa-srv2 is because I want
the setup to ultimately become </div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">ipa-srv2&lt;-&gt;ipa-srv2&lt;-&gt;ipa-srv3</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr"><br>
</div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">However,
          I am unable to create the gpg replication file on ipa-srv2 (to be
          used to establish a replication agreement to ipa-srv3)</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">as I
get an error message: <i
id="yui_3_16_0_ym19_1_1469210069216_2858">Certificate
operation cannot be completed: Unable to communicate with
CMS (Internal Server Error)</i></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_2845">From
what I've found gpg can only be created on replica with CA
installed. <br>
<br>
</div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_2845">To
          install the CA I tried the following command:</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_2845"><i
id="yui_3_16_0_ym19_1_1469210069216_3020">ipa-ca-install
--skip-conncheck ./replica-info-ipa-srv2.gpg</i><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_2845">This
errors out at <br>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3014"><i
id="yui_3_16_0_ym19_1_1469210069216_3035"> [8/21]:
starting certificate server instance</i></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3015"><i
id="yui_3_16_0_ym19_1_1469210069216_3220">ipa.ipaserver.install.cainstance.CAInstance:
CRITICAL Failed to restart the Dogtag instance.See the
installation log for details.</i></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3016"><i
id="yui_3_16_0_ym19_1_1469210069216_3219"> [9/21]:
importing CA chain to RA certificate database</i></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3017"><i
id="yui_3_16_0_ym19_1_1469210069216_3033"> [error]
RuntimeError: Unable to retrieve CA chain: request failed
with HTTP status 500</i></div>
</div>
</div>
</blockquote>
<br>
<i>Hello,<br>
can you please check /var/log/pki/pki-tomcat/ca/debug for more
specific errors?<br>
<br>
Regards,<br>
Martin<br>
<br>
</i>
<blockquote
cite="mid:312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px">
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_2845">
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3017"><i
id="yui_3_16_0_ym19_1_1469210069216_3102"><br>
              systemctl status pki-tomcatd@pki-tomcat.service<br>
</i></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3017">
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3069">shows
the pki service is running, surprisingly.</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3069"><br>
</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3069">But
              it's still not listed in the ipactl status output.<br>
              <br>
              Further attempts to install are halted with the error: CA is
              already installed on this system, and I have to manually
              delete everything with:<br>
              pkidestroy -s CA -i pki-tomcat</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3070">
              rm -rf /var/log/pki/pki-tomcat</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3071">
              rm -rf /etc/sysconfig/pki-tomcat</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3072">
              rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3073">
              rm -rf /var/lib/pki/pki-tomcat</div>
            <div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3074">
              rm -rf /etc/pki/pki-tomcat</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3075"><br
id="yui_3_16_0_ym19_1_1469210069216_3076">
</div>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1469210069216_3018"><br
id="yui_3_16_0_ym19_1_1469210069216_3019">
</div>
</div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">In
          the error logs, the one message that stands out is:</div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">500
          internal server error, which repeats multiple times at the end
          of the log file.</div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr"><br>
          Please suggest what can be done in this situation.</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr"><br>
</div>
        <div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">PS:
          Regarding the pkidestroy and pkiremove commands: what is the
          difference, or does pkidestroy supersede pkiremove?</div>
<div id="yui_3_16_0_ym19_1_1469210069216_2557" dir="ltr">Alexander
B suggests pkiremove in one of his older posts and 'yum
whatprovides pkiremove' also suggests that it should be
available.</div>
</div>
<br>
<br>
</blockquote>
<br>
</body>
</html>