[Freeipa-users] PKI-CA fails to start (broken config after update?)

Martin Kosek mkosek at redhat.com
Mon Sep 22 08:50:56 UTC 2014 

On 09/20/2014 01:02 AM, swartz wrote:
> Hello,
> 
> Encountered same issue as described here:
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
> https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
> 
> Plain vanilla IPA setup. No changes, no customizations.
> Recently IPA fails to start. Error happened right after a 'yum update' and reboot.
> 
> ---------------------------------------
> Starting pki-ca:                                           [  OK  ]
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> ...
> Failed to start CA Service
> Shutting down
> ----------------------------------------
> 
> Digging into the matter further...
> The line that causes the error above is in /usr/share/pki/scripts/functions
> (which is loaded by pki-ca init script):
> netstat -antl | grep ${port} > /dev/null
> 
> The $port variable is blank so call to grep is without a search parameter.
> Hence invalid call to grep and subsequent error msg I'm seeing as above.
> 
> $port is defined just a few lines above as
> port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | cut
> -b25- -`
> 
> BUT! For whatever reason there is no line that starts with
> "pkicreate.unsecure_port" in $pki_instance_configuration_file
> (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use in grep.
> 
> Why there is no such line in config file where one is expected is unknown to me...
> 
> Versions currently installed
> ipa-server-3.0.0-37.el6.x86_64
> pki-ca-9.0.3-32.el6.noarch
> 
> Did updates to pki packages clobber the configs? What got broken? How do I
> resolve it?
> 
> Thank you.

Also please see another PKI crash on EL6 reported on freeipa-users:

https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html

This is not the first time this issue was reported, but we got no response from
PKI team, even though I CCed several members (maybe that was actually the root
case).

The PKI installation errors are piling up (7.1 too), I would like to resolve
that very soon so that we are not seen as too unstable software.

Thanks for help,
Martin

More information about the Freeipa-users mailing list