[Freeipa-users] CS.cfg empty

Bret Wortman bret.wortman at damascusgrp.com
Mon Jan 27 19:00:46 UTC 2014


# rpm -q pki-ca
pki-ca-10.0.6-1.fc18.noarch

There were versions found under two other locations (it may have been 
these -- we had to nuke the box and start over, so the filesystem isn't 
in the same state it was when this began). I tried starting the service 
with each of them but neither worked.

We've built a new server and will be replicating this one so that this 
doesn't happen again. We hope....


Bret

On 01/27/2014 11:31 AM, Ade Lee wrote:
> Bret,
>
> What version is the Dogtag instance on that server? (rpm -q pki-ca)
>
> We have seen cases when the CS.cfg has zero length - and have modified
> code to:
> 1) not write to CS.cfg on startup
> 2) backup the CS.cfg on upgrades.
>
> Under normal operations, unless you are configuring the Dogtag instance
> - which would not be happening during normal IPA operations, the CS.cfg
> should not be written to.
>
> Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
> (assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ?
>
> Ade
>
> On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
>> Martin,
>>
>> The only other systems I have running IPA are on another network. I
>> could take their CS.cfg file and try to modify it to fit what this one
>> should have had, but that's my only option.
>>
>> On the up side, this is a relatively small network, and reinstating the
>> users and hosts won't be an enormous task. Big, but not enormous. And I
>> should have had a backup, especially knowing there was a scheduled power
>> outage coming up. Because those are always problem-free....  ;-)
>>
>>
>> Bret
>>
>> On 01/27/2014 04:14 AM, Martin Kosek wrote:
>>> On 01/27/2014 01:51 AM, Bret Wortman wrote:
>>>> We had to reboot the IPA server on a standalone network recently, and this IPA server is the only one on that network; there are no replicas. Upon restarting, the IPA software refused to start because, after a couple hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
>>>>
>>>> How can I most easily restore this file given that I doubt we have a backup (our bad)? Is there a way to basically reinstall the server without losing the data in the database? Our users and host definitions, anyway?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> Bret
>>> Hello Bret,
>>>
>>> Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
>>> while the IPA server restarted. What version of IPA and PKI are we talking about?
>>>
>>> Do you have any other PKI server with CA you can use as a source of the CS.cfg
>>> file or as a replica to reinstall the IPA server with CA from (in the worst case)?
>>>
>>> I am adding PKI developers to the CC to advise.
>>>
>>> Martin
>>
>
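
Added example, not part of the original thread and not FreeIPA or Dogtag code: a read-only check for the zero-length CS.cfg described above that lists non-empty backup candidates in the two directories Ade names. The 'CS.cfg*' file-name pattern for backups and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are the ones named in the thread;
# the 'CS.cfg*' backup name pattern is an assumption.
CS_CFG="${CS_CFG:-/etc/pki-ca/CS.cfg}"
BACKUP_DIRS="${BACKUP_DIRS:-/etc/pki/pki-tomcat/ca /var/log/pki/server/upgrade}"

# Print "ok", "empty" or "missing" for the config file given as $1.
cs_cfg_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo ok
    fi
}

# $1 = live config, remaining args = directories to search.
# Prints every non-empty CS.cfg* file found, excluding the live config.
find_cs_cfg_backups() {
    live=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name 'CS.cfg*' -size +0 ! -path "$live" -print || true
    done
    return 0
}

# Report only; never overwrites anything. A restore stays a manual step
# after reviewing the candidate against the expected instance settings.
report_cs_cfg() {
    cfg=$1; shift
    state=$(cs_cfg_state "$cfg")
    echo "$cfg: $state"
    [ "$state" = ok ] && return 0
    candidates=$(find_cs_cfg_backups "$cfg" "$@")
    if [ -n "$candidates" ]; then
        echo "non-empty backup candidates:"
        echo "$candidates" | while IFS= read -r f; do ls -l "$f"; done
    else
        echo "no non-empty CS.cfg* file found in: $*"
    fi
    return 0
}

# BACKUP_DIRS is split on whitespace on purpose.
report_cs_cfg "$CS_CFG" $BACKUP_DIRS
```

Set CS_CFG and BACKUP_DIRS in the environment to point the check at a different instance layout.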

