[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
Alexander Bokovoy
abokovoy at redhat.com
Fri Oct 3 07:30:09 UTC 2014
On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
>On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
>>On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
>>Support) wrote:
>
>>>I have tried to deinstall and reinstall the ipa server but the
>>>installation is now failing.
>>>
>>>
>>>The ipa-server-install is failing with the following:
>>>
>>> [37/38]: tuning directory server
>>> [38/38]: configuring directory to start on boot
>>>Done configuring directory server (dirsrv).
>>>Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>30 seconds
>>> [1/22]: creating certificate server user
>>> [2/22]: configuring certificate server instance
>>>ipa : CRITICAL failed to configure ca instance Command
>>>'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit
>>>status 1
>>>Configuration of CA failed
>>>
>>>This happens each time I try to uninstall and reinstall the ipa server
>>>on RHEL V7.
>>>
>>>
>>>Looking at the latest log in /var/log/pki, I see this at the end of
>>>the log:
>>>
>>>2014-10-01 11:53:10 pkispawn : INFO BEGIN spawning subsystem
>>>'CA' of instance 'pki-tomcat' . . .
>>>2014-10-01 11:53:10 pkispawn : INFO ... initializing
>>>'pki.deployment.initialization'
>>>2014-10-01 11:53:10 pkispawn : ERROR ....... PKI subsystem 'CA'
>>>for instance 'pki-tomcat' already exists!
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Type: SystemExit
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Message: 1
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... File
>>>"/usr/sbin/pkispawn", line 374, in main
>>> rv = instance.spawn()
>>> File
>>>"/usr/lib/python2.7/site-packages/pki/deployment/initialization.py",
>>>line 56, in spawn
>>> util.instance.verify_subsystem_does_not_exist()
>>> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
>>>line 990, in verify_subsystem_does_not_exist
>>> sys.exit(1)
>>>
>>>I am no python expert by any means and I'm not sure what this is
>>>telling us so any help
>>>would be greatly appreciated.
>
>>This issue is known -- when CA install fails, we rollback but since CA
>>isn't installed, we miss rolling it back. There is a ticket for
>>eventually fixing this issue.
>
>Which ticket is this? The rollback was actually disabled to allow
>troubleshooting the failed installation:
>https://fedorahosted.org/freeipa/ticket/3990
I think this ticket is unrelated -- its solution only affects
ipa-client-install --on-master, not what ipa-server-install does when it
rolls back configuration for dirsrv and other servers.
I can't find the exact ticket though.
>>The following sequence should clean up all the bits:
>>
>>pkidestroy -s CA -i pki-tomcat
>>rm -rf /var/log/pki/pki-tomcat
>>rm -rf /etc/sysconfig/pki-tomcat
>>rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>rm -rf /var/lib/pki/pki-tomcat
>>rm -rf /etc/pki/pki-tomcat
>
>It's not official, but we call this step pki-nuke.
>
>>It also helps to reboot between multiple reinstalls on a single machine.
>
>Rather than rolling back the installation automatically (and deleting
>all files needed to troubleshoot the problem), it would be better to
>provide an option to the uninstall command to forcibly remove all
>installed files regardless of whether the installation was successful
>or not, just like the pki-nuke above.
We simply have no information about what pkicreate did before
it failed.
--
/ Alexander Bokovoy
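
A read-only pre-flight check for the situation discussed in this thread, added here as an example (it is not code from the thread, FreeIPA or Dogtag): it reports which of the paths from the cleanup sequence still exist and whether a pkispawn log contains the "already exists" error. The function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for leftover pki-tomcat state before re-running
# ipa-server-install. It only reads; it never deletes anything.

# Paths taken from the cleanup sequence quoted in the thread.
PKI_PATHS="/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat"

# Print every listed path that still exists under ROOT.
# ROOT is a hypothetical prefix (empty means the real filesystem) so the
# check can also be run against a mounted image or a test tree.
pki_leftovers() {
    root="${1:-}"
    for p in $PKI_PATHS; do
        if [ -e "${root}${p}" ] || [ -L "${root}${p}" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Succeed if the given pkispawn log holds the error shown in the thread.
pki_log_has_stale_instance() {
    grep -q "PKI subsystem '.*' for instance '.*' already exists!" "$1" 2>/dev/null
}

# Combined report. Returns 0 when nothing stale was found, 1 otherwise.
# Usage: pki_preflight "" /path/to/latest/pkispawn/log
pki_preflight() {
    root="${1:-}"
    log="${2:-}"
    status=0
    left=$(pki_leftovers "$root")
    if [ -n "$left" ]; then
        echo "leftover PKI instance paths:"
        printf '%s\n' "$left" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$log" ] && pki_log_has_stale_instance "$log"; then
        echo "pkispawn log reports an existing subsystem: $log"
        status=1
    fi
    return $status
}
```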