[Freeipa-users] Error creating new freeipa-server

Rob Crittenden rcritten at redhat.com
Mon Apr 28 15:17:42 UTC 2014


Bret Wortman wrote:
>
> On 04/28/2014 10:48 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>>
>>> On 04/28/2014 10:21 AM, Bret Wortman wrote:
>>>>
>>>> On 04/28/2014 08:33 AM, Petr Viktorin wrote:
>>>>>
>>>>> According to the error you're getting, there is a CA instance already
>>>>> installed.
>>>>> After uninstalling IPA, destroy it with:
>>>>>     pkidestroy -s CA -i pki-tomcat
>>>>>
>>>>>
>>>> I tried this, but no joy.
>>>>
>>>> # pkidestroy -s CA -i pki-tomcat
>>>> Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
>>>> Uninstalling CA from /var/lib/pki/pki-tomcat.
>>>> pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from security domain 'unknown'!
>>>> pkidestroy : ERROR   ....... No security domain defined.
>>>> If this is an unconfigured instance, then that is OK.
>>>> Otherwise, manually delete the entry from the security domain master.
>>>>
>>>> Uninstallation complete.
>>>> #
>>>>
>>>> And then when I tried to run ipa-server-install, I got the same error
>>>> again. I may just wipe the box and start over. It might take less time
>>>> overall.
>>>>
>>>>
>>>> Bret
>>>>
>>> This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also
>>> dogtag-10.1.1-1).
>>
>> From the ipa-server installation output the error looks the same, but
>> the underlying error should be different when there isn't already a
>> PKI instance.
>>
>> If the PKI installer fails early enough we don't record that it was
>> installed which is why ipa-server-install --uninstall doesn't remove
>> it. We have a ticket open for this.
>>
>> rob
>>
> So is there a recommended way to clean it up and get it working?

Re-run pkidestroy, then, if the subsequent IPA install fails, closely
examine the logs to determine the reason. The problem in cases like this
is that the first install fails and subsequent installs mask the
original failure with this PKI re-install failure.

rob



