[Freeipa-users] PKI-CA fails to start (broken config after update?)

Ade Lee alee at redhat.com
Mon Sep 22 15:14:29 UTC 2014


On Mon, 2014-09-22 at 10:43 -0400, Ade Lee wrote:
> On Mon, 2014-09-22 at 10:50 +0200, Martin Kosek wrote:
> > On 09/20/2014 01:02 AM, swartz wrote:
> > > Hello,
> > > 
> > > Encountered same issue as described here:
> > > https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
> > > https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html
> > > 
> > > Plain vanilla IPA setup. No changes, no customizations.
> > > Recently IPA fails to start. Error happened right after a 'yum update' and reboot.
> > > 
> > > ---------------------------------------
> > > Starting pki-ca:                                           [  OK  ]
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > Usage: grep [OPTION]... PATTERN [FILE]...
> > > Try `grep --help' for more information.
> > > ...
> > > Failed to start CA Service
> > > Shutting down
> > > ----------------------------------------
> > > 
> > > Digging into the matter further...
> > > The line that causes the error above is in /usr/share/pki/scripts/functions
> > > (which is loaded by pki-ca init script):
> > > netstat -antl | grep ${port} > /dev/null
> > > 
> > > The $port variable is blank so call to grep is without a search parameter.
> > > Hence invalid call to grep and subsequent error msg I'm seeing as above.
> > > 
> > > $port is defined just a few lines above as
> > > port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | cut -b25- -`
> > > 
> > > BUT! For whatever reason there is no line that starts with
> > > "pkicreate.unsecure_port" in $pki_instance_configuration_file
> > > (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use in grep.
> > > 
> > > Why there is no such line in config file where one is expected is unknown to me...
> > > 
> > > Versions currently installed
> > > ipa-server-3.0.0-37.el6.x86_64
> > > pki-ca-9.0.3-32.el6.noarch
> > > 
> > > Did updates to pki packages clobber the configs? What got broken? How do I
> > > resolve it?
> > > 
> 
Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

> There have been no updates recently on rhel 6 to the pki packages.
> There has, however, been an update to tomcat - which broke dogtag
> startups.
> 
> What version of tomcat6 is on your system?
> 
> > > Thank you.
> > 
> > Also please see another PKI crash on EL6 reported on freeipa-users:
> > 
> > https://www.redhat.com/archives/freeipa-users/2014-September/msg00331.html
> > 
> > This is not the first time this issue was reported, but we got no response from
> > PKI team, even though I CCed several members (maybe that was actually the root
> > cause).
> > 
> > The PKI installation errors are piling up (7.1 too), I would like to resolve
> > that very soon so that we are not seen as too unstable software.
> > 
> The issues on 7.1 are tomcat related too.  Builds were completed last
> week to address these.
> 
> > Thanks for help,
> > Martin
> 
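The failure reported above (an empty `$port` reaching an unquoted `grep`) can be avoided by validating the value before it is used. The sketch below is an added example, not part of the original thread and not the pki-ca scripts; the function names and all sample data are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not the pki-ca init script). Function names and all sample
# data below are constructed for illustration.

# Print pkicreate.unsecure_port from a CS.cfg-style file, or fail loudly.
get_unsecure_port() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Take everything after the '=' instead of a fixed byte offset (cut -b25-).
    port=$(sed -n 's/^pkicreate\.unsecure_port=//p' "$cfg" | head -n 1)
    case $port in
        ''|*[!0-9]*)
            echo "pkicreate.unsecure_port missing or not numeric in $cfg" >&2
            return 3 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "pkicreate.unsecure_port out of range in $cfg" >&2
        return 3
    fi
    printf '%s\n' "$port"
}

# Read `netstat -antl` style output on stdin; succeed only if a LISTEN socket's
# local address ends in :PORT (a bare `grep $port` also matches substrings).
port_in_listen_table() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { hit = 1 }
                   END { exit !hit }'
}

# Demo on constructed input: a config that lacks the key, as in the report.
demo() {
    tmp=$(mktemp) || return 1
    printf 'example.other_key=1\n' > "$tmp"
    if p=$(get_unsecure_port "$tmp"); then
        echo "port is $p"
    else
        echo "refusing to probe: no usable port (rc=$?)"
    fi
    rm -f "$tmp"
}
demo
```

With the key absent, the lookup returns a non-zero status and a single diagnostic naming the config file, instead of repeated `grep` usage messages.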




