[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 3 07:30:09 UTC 2014

On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
>On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
>>On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
>>Support) wrote:
>>>I have tried to deinstall and reinstall the ipa server but the
>>>installation is now failing.
>>>The ipa-server-install is failing with the following:
>>> [37/38]: tuning directory server
>>> [38/38]: configuring directory to start on boot
>>>Done configuring directory server (dirsrv).
>>>Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>30 seconds
>>> [1/22]: creating certificate server user
>>> [2/22]: configuring certificate server instance
>>>ipa         : CRITICAL failed to configure ca instance Command
>>>'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit
>>>status 1
>>>Configuration of CA failed
>>>This happens each time I try to uninstall and reinstall the ipa server
>>>on RHEL V7.
>>>Looking at the latest log in /var/log/pki, I see this at the end of
>>>the log:
>>>2014-10-01 11:53:10 pkispawn    : INFO     BEGIN spawning subsystem
>>>'CA' of instance 'pki-tomcat' . . .
>>>2014-10-01 11:53:10 pkispawn    : INFO     ... initializing
>>>2014-10-01 11:53:10 pkispawn    : ERROR    ....... PKI subsystem 'CA'
>>>for instance 'pki-tomcat' already exists!
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Type: SystemExit
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Message: 1
>>>2014-10-01 11:53:10 pkispawn    : DEBUG    .......   File
>>>"/usr/sbin/pkispawn", line 374, in main
>>>   rv = instance.spawn()
>>> File
>>>line 56, in spawn
>>>   util.instance.verify_subsystem_does_not_exist()
>>> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
>>>line 990, in verify_subsystem_does_not_exist
>>>   sys.exit(1)
>>>I am no python expert by any means and I'm not sure what this is
>>>telling us so any help
>>>would be greatly appreciated.
>>This issue is known -- when CA install fails, we roll back, but since CA
>>isn't installed, we miss rolling it back. There is a ticket for
>>eventually fixing this issue.
>Which ticket is this? The rollback was actually disabled to allow 
>troubleshooting the failed installation:
I think this ticket is unrelated -- its solution only affects
ipa-client-install --on-master, not what ipa-server-install does when it
rolls back configuration for dirsrv and other servers.

I can't find the exact ticket though.

>>The following sequence should clean up all the bits:
>>pkidestroy -s CA -i pki-tomcat
>>rm -rf /var/log/pki/pki-tomcat
>>rm -rf /etc/sysconfig/pki-tomcat
>>rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>rm -rf /var/lib/pki/pki-tomcat
>>rm -rf /etc/pki/pki-tomcat
>It's not official, but we call this step pki-nuke.
>>It also helps to reboot between multiple reinstalls on a single machine.
>Rather than rolling back the installation automatically (and deleting
>all files needed to troubleshoot the problem), it would be better to
>provide an option to the uninstall command to forcibly remove all
>installed files regardless of whether the installation was successful or
>not, just like the pki-nuke above.
We simply have no information about what pkicreate did before
it failed.
/ Alexander Bokovoy
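
A pre-flight check for the situation discussed above, as an added example that is not part of the original message or of FreeIPA/Dogtag: it lists which of the directories from the quoted cleanup sequence still exist, archives the instance logs before they are removed, and detects the "already exists" failure in a pkispawn log. The function names and the ROOT prefix argument are hypothetical; ROOT lets the checks run against a scratch tree instead of the live filesystem.

```bash
#!/bin/bash
# Added example, not from the thread. ROOT is a hypothetical prefix argument:
# pass "" (or "/") on a real host, or a scratch directory when experimenting.

# Directories named in the cleanup sequence quoted in the thread.
PKI_PATHS="
/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat
"

# Print every leftover path that still exists under ROOT.
# Returns 0 when nothing is left behind, 1 when a reinstall would hit leftovers.
pki_leftovers() {
    local root found p
    root="${1%/}"
    found=0
    for p in $PKI_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$p"
            found=1
        fi
    done
    return "$found"
}

# Archive the instance log directory to DEST before it is deleted, so the
# evidence of the failed install is still available for troubleshooting.
pki_preserve_logs() {
    local root dest
    root="${1%/}"
    dest="$2"
    [ -d "$root/var/log/pki/pki-tomcat" ] || return 1
    tar -czf "$dest" -C "$root/var/log/pki" pki-tomcat
}

# Succeeds when the given pkispawn log contains the stale-instance error
# shown in the thread.
pki_log_has_stale_instance() {
    grep -q "instance 'pki-tomcat' already exists" "$1"
}
```

Running `pki_preserve_logs "" /root/pki-tomcat-logs.tgz` before the `rm -rf` steps keeps the failed install's logs, and `pki_leftovers ""` printing nothing afterwards confirms the tree is clean.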
