[Freeipa-users] FW: Problems and questions installing Identity Manager on RHEL V7

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Fri Oct 3 14:55:56 UTC 2014


The steps recommended by Alexander did work for me, but should it happen again, is there anything that can
be gathered/submitted to help debug this?

Al

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
Sent: Friday, October 03, 2014 12:30 AM
To: Endi Sukma Dewata
Cc: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7

On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
>On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
>>On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
>>Support) wrote:
>
>>>I have tried to deinstall and reinstall the ipa server but the 
>>>installation is now failing.
>>>
>>>
>>>The ipa-server-install is failing with the following:
>>>
>>> [37/38]: tuning directory server
>>> [38/38]: configuring directory to start on boot
>>>Done configuring directory server (dirsrv).
>>>Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>> [1/22]: creating certificate server user
>>> [2/22]: configuring certificate server instance
>>>ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
>>>Configuration of CA failed
>>>
>>>This happens each time I try to uninstall and reinstall the ipa 
>>>server on RHEL V7.
>>>
>>>
>>>Looking at the latest log in /var/log/pki, I see this at the end of 
>>>the log:
>>>
>>>2014-10-01 11:53:10 pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
>>>2014-10-01 11:53:10 pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
>>>2014-10-01 11:53:10 pkispawn    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Type: SystemExit
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Message: 1
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 374, in main
>>>   rv = instance.spawn()
>>> File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>>>   util.instance.verify_subsystem_does_not_exist()
>>> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>>>   sys.exit(1)
>>>
>>>I am no python expert by any means and I'm not sure what this is 
>>>telling us so any help would be greatly appreciated.
>
>>This issue is known -- when CA install fails, we rollback but since CA 
>>isn't installed, we miss rolling it back. There is a ticket for 
>>eventually fixing this issue.
>
>Which ticket is this? The rollback was actually disabled to allow 
>troubleshooting the failed installation:
>https://fedorahosted.org/freeipa/ticket/3990
I think this ticket is unrelated -- its solution only affects ipa-client-install --on-master, not what ipa-server-install does when it rolls back configuration for dirsrv and other servers.

I can't find the exact ticket though.

>>Following sequence should clean up all the bits:
>>
>>pkidestroy -s CA -i pki-tomcat
>>rm -rf /var/log/pki/pki-tomcat
>>rm -rf /etc/sysconfig/pki-tomcat
>>rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>rm -rf /var/lib/pki/pki-tomcat
>>rm -rf /etc/pki/pki-tomcat
>
>It's not official, but we call this step pki-nuke.
>
>>It also helps to reboot between multiple reinstalls on a single machine.
>
>Rather than rolling back the installation automatically (and delete all 
>files needed to troubleshoot the problem), it would be better to 
>provide an option to the uninstall command to forcibly remove all 
>installed files regardless whether the installation was successful or 
>not, just like the pki-nuke above.
We simply have no information about what pkicreate did before it failed.
--
/ Alexander Bokovoy
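
A read-only pre-flight check built around the cleanup list quoted in this thread, as an added example that is not part of any message here and is not FreeIPA or Dogtag code: it reports which of the listed `pki-tomcat` paths still exist and archives `/var/log/pki` before the `rm -rf` steps remove part of it. The function names and the `ROOT` and `DEST` arguments are assumptions of this example, there so it can be tried against a scratch tree.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only pre-flight for a reinstall:
# lists the leftovers named in the cleanup sequence and saves the logs that
# sequence would delete. ROOT and DEST are assumptions of this example.

# Paths exactly as given in the cleanup sequence in the thread.
PKI_LEFTOVER_PATHS="/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat"

# pki_leftovers [ROOT]: print each listed path that still exists under ROOT.
# Returns 0 when none remain, 1 otherwise. Deletes nothing.
pki_leftovers() {
    root="${1:-}"
    found=0
    for p in $PKI_LEFTOVER_PATHS; do
        # -e matches files and directories; -L also catches dangling symlinks
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# pki_save_logs ROOT DEST: archive ROOT/var/log/pki into DEST before cleanup.
# Prints the archive path; returns 1 if there is no log directory to save.
pki_save_logs() {
    root="$1"; dest="$2"
    [ -d "$root/var/log/pki" ] || return 1
    mkdir -p "$dest" || return 1
    archive="$dest/pki-logs-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # umask 077 keeps the archive readable only by its owner
    ( umask 077 && tar -C "$root/var/log" -czf "$archive" pki ) || return 1
    printf '%s\n' "$archive"
}
```

On a real host, `pki_leftovers` with no argument checks the live paths, and `pki_save_logs "" /root/pki-debug` (destination is a placeholder) keeps a copy of the logs before the cleanup sequence is run.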



