[Freeipa-users] PKI-CA fails to start (broken config after update?)

Martin Kosek mkosek at redhat.com
Tue Sep 23 06:35:43 UTC 2014


On 09/23/2014 03:59 AM, Ade Lee wrote:
> On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
>> On 9/22/2014 9:14 AM, Ade Lee wrote:
>>> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ? 
>>  >ls -l /etc/pki-ca/CS.cfg
>> -rw-r-----. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
>>
> In very rare cases, I've seen cases where the CS.cfg becomes truncated
> during an update.  Unfortunately, we have not been able to reproduce the
> event.  In later versions of dogtag, we make sure to save the CS.cfg
> just in case.
> 
> Your instance sounds like a truncated CS.cfg instance, but the size is a
> lot larger than cases I've seen before, so I don't want to jump to that
> conclusion yet.

JFTR, FreeIPA may have been involved as well; we had a related fix in FreeIPA
4.0.2:
https://fedorahosted.org/freeipa/ticket/4166

> 
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
> 
> If you have backups of the CS.cfg, that will help.  Also, you could look
> for backups that we have created:
> 
> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*
> 
> Also, do you have a replica CA?
> 
> Ade
> 
>> I know that I did NOT change the configs myself. But something certainly 
>> did during 'yum update'.
>> There are no .rpmsave or .rpmnew files that would typically be created 
>> if configs are properly marked in RPM spec file.
>>
>> There are two other files that exist though:
>> -rw-r-----. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
>> -rw-rw----. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33
>>
>> However, they are not usable either in place of current CS.cfg.
>>
> The above files are templates only.  They are modified during instance
> configuration.
>>
>>>> There have been no updates recently on rhel 6 to the pki packages.
>>>> There has, however, been an update to tomcat - which broke dogtag
>>>> startups.
>>>>
>>>> What version of tomcat6 is on your system?
>>  >rpm -qa tomcat6
>> tomcat6-6.0.24-78.el6_5.noarch
>>
>>
> This tomcat version should still be a working one.  The tomcat6 that
> broke things has not made it out yet, having been discovered in QE
> testing.
> 
> 
> 
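A quick integrity check in the spirit of the "scroll to the end of the CS.cfg" suggestion above, added here as an example (it is not from the thread, nor from Dogtag or FreeIPA): it reads CS.cfg as a properties file, flags a missing trailing newline or a dangling last line without "=", and reports keys the instance template (CS.cfg.in.pNN) lists but the live file lacks. The sample file contents are constructed, and the missing-key comparison is only a heuristic, since instance configuration also adds keys the template does not have.

```python
"""Heuristic check for a truncated Dogtag CS.cfg (added example).

CS.cfg is a Java-properties style file: one key=value per line, '#'
comments. A file cut off mid-write usually ends without a trailing
newline or with a dangling line lacking '=', and it misses keys that
the instance template (CS.cfg.in.pNN) still lists.
"""
import sys


def parse_properties(text):
    """Return {key: value} for key=value lines; blanks and comments are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        props[key.strip()] = value.strip()
    return props


def truncation_findings(cfg_text, template_text):
    """Return a list of truncation indicators; an empty list means none found."""
    findings = []
    if not cfg_text.strip():
        return ["file is empty"]
    if not cfg_text.endswith("\n"):
        findings.append("no trailing newline (file may be cut mid-line)")
    last = cfg_text.rstrip("\n").splitlines()[-1]
    if not last.lstrip().startswith("#") and "=" not in last:
        findings.append("last line %r has no '='" % last)
    # Heuristic: keys present in the template but absent from the live file.
    missing = sorted(set(parse_properties(template_text)) - set(parse_properties(cfg_text)))
    if missing:
        findings.append("%d template keys absent, e.g. %s" % (len(missing), ", ".join(missing[:3])))
    return findings


# Constructed samples (not real CS.cfg content); CUT stops in the middle of a key.
TEMPLATE = "ca.name=[PKI_INSTANCE_NAME]\nca.port=9180\nca.agentGateway=enable\n"
INTACT = "# config\nca.name=pki-ca\nca.port=9180\nca.agentGateway=enable\n"
CUT = "# config\nca.name=pki-ca\nca.po"

if __name__ == "__main__":
    # Usage: check_cs_cfg.py /etc/pki-ca/CS.cfg /path/to/CS.cfg.in.pNN
    if len(sys.argv) == 3:
        cfg, tmpl = (open(p).read() for p in sys.argv[1:])
    else:
        cfg, tmpl = CUT, TEMPLATE
    for finding in truncation_findings(cfg, tmpl) or ["no truncation indicators"]:
        print(finding)
```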