[Freeipa-users] Trouble creating replica

Bret Wortman bret.wortman at damascusgrp.com
Wed Feb 20 14:34:03 UTC 2013


I think this keeps coming back to the fact that ldap isn't listening on
7389 for some reason. When I try to *really* manually start pki-ca like
this, it complains about ldap before dying:

# sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp
-Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
:
:
Could not connect to LDAP server host oldmaster.my.com port 7389 Error
netscape.ldap.LDAPException: failed to connect to server ldap://
oldmaster.my.com:7389 (91)
[root at oldmaster]#

This bears out what I see in /var/log/pki-ca/catalina.out too.



Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman
<bret.wortman at damascusgrp.com> wrote:

> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce <simo at redhat.com> wrote:
>
>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>> > Digging further into my logs this morning, I've discovered that
>> > there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>> > either. How can I tell why this isn't
>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>> > to, it's just the PKI piece that seems to be dead.
>> >
>> >
>> > Nothing in /etc/pki-ca has changed since last year, and the last
>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>> > Feb 5. I just can't tell what that change was....
>>
>> What error do you get if you try to start it ?
>>
>
> [root at oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> [root at oldmaster]#
>
> Is there another, preferred way to start it?
>
>
>
>> >
>> > Would a key change or certificate change have affected this?
>>
>> An expired CA cert might cause the server to stop, but then you would
>> see expired certs all over and also the main IPA instance would not
>> start.
>> >
>> > Worst case, if I do something like this:
>> >
>> >
>> > # ipa-server-install -U --uninstall
>> > # ipa-server-install
>> >
>> You will completely obliterate all your data.
>>
>> > will I lose the hosts, policies & users I already have configured?
>> > Does this stand a chance of getting me back up to where I can clone
>> > this box and get healthy again?
>> >
>> Healthy will be, but with no data, don't do it. (and I suggest you make
>> a full backup just in case)
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
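A small triage script for the failure shown above (an added example, not from the thread or from FreeIPA's own tooling): it parses the pki-ca connect error, maps the numeric LDAP result code, checks whether the port answers, and reports how stale the slapd-PKI-IPA errors log is. The errors log path under /var/log/dirsrv and the code names are assumptions taken from the thread and the LDAP SDK.

```python
"""Triage helper for the pki-ca "Could not connect to LDAP server" failure.
Added example, not part of the original thread. Parses the error line that
pki-ca prints at startup, maps the numeric LDAP result code, tests whether
the port is reachable, and reports how stale the dirsrv instance log is.
The dirsrv log path and the 7389 default are assumptions based on the thread.
"""
import re
import socket
import time
from pathlib import Path

# Error line printed by the pki-ca startup (constructed from the thread's output,
# joined onto one line).
SAMPLE_ERROR = ("Could not connect to LDAP server host oldmaster.my.com port 7389 Error "
                "netscape.ldap.LDAPException: failed to connect to server "
                "ldap://oldmaster.my.com:7389 (91)")

# Result codes that commonly surface here: 49/52 are protocol codes (RFC 4511),
# 81/91 are client-side codes defined by the Netscape/Mozilla LDAP SDK.
LDAP_RESULT_CODES = {
    49: "INVALID_CREDENTIALS",
    52: "UNAVAILABLE",
    81: "SERVER_DOWN",
    91: "CONNECT_ERROR",
}

ERROR_RE = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+).*?\((?P<code>\d+)\)")

def parse_ldap_error(line):
    """Return (host, port, code_name) from a pki-ca LDAP connect failure line, or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return m.group("host"), int(m.group("port")), LDAP_RESULT_CODES.get(code, f"LDAP_{code}")

def port_reachable(host, port, timeout=3.0):
    """TCP connect check: separates 'nothing listening' from a pki-ca config problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure, timeout
        return False

def instance_log_age_hours(instance="PKI-IPA", logdir="/var/log/dirsrv"):
    """Hours since the dirsrv instance's errors log was last written; None if missing."""
    log = Path(logdir) / f"slapd-{instance}" / "errors"
    if not log.exists():
        return None
    return (time.time() - log.stat().st_mtime) / 3600

if __name__ == "__main__":
    host, port, code = parse_ldap_error(SAMPLE_ERROR)
    print(f"pki-ca cannot reach {host}:{port} ({code}); port reachable: {port_reachable(host, port)}")
    age = instance_log_age_hours()
    print("slapd-PKI-IPA errors log age (h):", "missing" if age is None else round(age, 1))
```

A stale or missing errors log together with an unreachable port points at the PKI-IPA directory instance itself rather than at pki-ca's configuration.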