[Freeipa-users] PKI-CA fails to start (broken config after update?)

Ade Lee alee at redhat.com
Tue Sep 23 01:59:47 UTC 2014


On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
> On 9/22/2014 9:14 AM, Ade Lee wrote:
> > Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
>  >ls -l /etc/pki-ca/CS.cfg
> -rw-r-----. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
> 
In very rare cases, I've seen cases where the CS.cfg becomes truncated
during an update.  Unfortunately, we have not been able to reproduce the
event.  In later versions of dogtag, we make sure to save the CS.cfg
just in case.

Your instance sounds like a truncated CS.cfg instance, but the size is a
lot larger than cases I've seen before, so I don't want to jump to that
conclusion yet.

If you scroll to the end of the CS.cfg, does it look like it has been
truncated?

If you have backups of the CS.cfg, that will help.  Also, you could look
for backups that we have created:

find /var/lib/pki-ca -name 'CS.cfg*'
find /var/log -name 'CS.cfg*'

Also, do you have a replica CA?

Ade

> I know that I did NOT change the configs myself. But something certainly 
> did during 'yum update'.
> There are no .rpmsave or .rpmnew files that would typically be created 
> if configs are properly marked in RPM spec file.
> 
> There are two other files that exist though:
> -rw-r-----. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
> -rw-rw----. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33
> 
> However, they are not usable either in place of current CS.cfg.
> 
The above files are templates only.  They are modified during instance
configuration.
> 
> >> There have been no updates recently on rhel 6 to the pki packages.
> >> There has, however, been an update to tomcat - which broke dogtag
> >> startups.
> >>
> >> What version of tomcat6 is on your system?
>  >rpm -qa tomcat6
> tomcat6-6.0.24-78.el6_5.noarch
> 
> 
This tomcat version should still be a working one.  The tomcat6 that
broke things has not made it out yet, having been discovered in QE
testing.





