[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
abokovoy at redhat.com
Fri Oct 3 07:30:09 UTC 2014
On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
>On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
>>On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
>>>I have tried to deinstall and reinstall the ipa server but the
>>>installation is now failing.
>>>The ipa-server-install is failing with the following:
>>> [37/38]: tuning directory server
>>> [38/38]: configuring directory to start on boot
>>>Done configuring directory server (dirsrv).
>>>Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>> [1/22]: creating certificate server user
>>> [2/22]: configuring certificate server instance
>>>ipa : CRITICAL failed to configure ca instance Command
>>>'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit
>>>Configuration of CA failed
>>>This happens each time I try to uninstall and reinstall the ipa server
>>>on RHEL V7.
>>>Looking at the latest log in /var/log/pki, I see this at the end of
>>>2014-10-01 11:53:10 pkispawn : INFO BEGIN spawning subsystem
>>>'CA' of instance 'pki-tomcat' . . .
>>>2014-10-01 11:53:10 pkispawn : INFO ... initializing
>>>2014-10-01 11:53:10 pkispawn : ERROR ....... PKI subsystem 'CA'
>>>for instance 'pki-tomcat' already exists!
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Type: SystemExit
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... Error Message: 1
>>>2014-10-01 11:53:10 pkispawn : DEBUG ....... File
>>>"/usr/sbin/pkispawn", line 374, in main
>>> rv = instance.spawn()
>>>line 56, in spawn
>>> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
>>>line 990, in verify_subsystem_does_not_exist
>>>I am no python expert by any means and I'm not sure what this is
>>>telling us so any help
>>>would be greatly appreciated.
>>This issue is known -- when CA install fails, we rollback but since CA
>>isn't installed, we miss rolling it back. There is a ticket for
>>eventually fixing this issue.
>Which ticket is this? The rollback was actually disabled to allow
>troubleshooting the failed installation:
I think this ticket is unrelated -- its solution only affects
ipa-client-install --on-master, not what ipa-server-install does when it
rolls back configuration for dirsrv and other servers.
I can't find the exact ticket though.
>>Following sequence should clean up all the bits:
>>pkidestroy -s CA -i pki-tomcat
>>rm -rf /var/log/pki/pki-tomcat
>>rm -rf /etc/sysconfig/pki-tomcat
>>rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>rm -rf /var/lib/pki/pki-tomcat
>>rm -rf /etc/pki/pki-tomcat
>It's not official, but we call this step pki-nuke.
>>It also helps to reboot between multiple reinstalls on a single machine.
>Rather than rolling back the installation automatically (and delete
>all files needed to troubleshoot the problem), it would be better to
>provide an option to the uninstall command to forcibly remove all
>installed files regardless whether the installation was successful or
>not, just like the pki-nuke above.
We simply have no information about the fact what pkicreate did before
/ Alexander Bokovoy
More information about the Freeipa-users