[Freeipa-users] PKI-CA fails to start (broken config after update?)
Martin Kosek
mkosek at redhat.com
Tue Sep 23 06:35:43 UTC 2014
On 09/23/2014 03:59 AM, Ade Lee wrote:
> On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
>> On 9/22/2014 9:14 AM, Ade Lee wrote:
>>> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?
>> >ls -l /etc/pki-ca/CS.cfg
>> -rw-r-----. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
>>
> In very rare cases, I've seen cases where the CS.cfg becomes truncated
> during an update. Unfortunately, we have not been able to reproduce the
> event. In later versions of dogtag, we make sure to save the CS.cfg
> just in case.
>
> Your instance sounds like a truncated CS.cfg instance, but the size is a
> lot larger than cases I've seen before, so I don't want to jump to that
> conclusion yet.
JFTR, FreeIPA may have been involved as well; we had a related fix in FreeIPA
4.0.2:
https://fedorahosted.org/freeipa/ticket/4166
>
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
>
> If you have backups of the CS.cfg, that will help. Also, you could look
> for backups that we have created:
>
> find /var/lib/pki-ca -name 'CS.cfg*'
> find /var/log -name 'CS.cfg*'
>
> Also, do you have a replica CA?
>
> Ade
>
>> I know that I did NOT change the configs myself. But something certainly
>> did during 'yum update'.
>> There are no .rpmsave or .rpmnew files that would typically be created
>> if configs are properly marked in RPM spec file.
>>
>> There are two other files that exist though:
>> -rw-r-----. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
>> -rw-rw----. 1 pkiuser pkiuser 65955 Sep 5 2013 CS.cfg.in.p33
>>
>> However, they are not usable either in place of current CS.cfg.
>>
> The above files are templates only. They are modified during instance
> configuration.
>>
>>>> There have been no updates recently on rhel 6 to the pki packages.
>>>> There has, however, been an update to tomcat - which broke dogtag
>>>> startups.
>>>>
>>>> What version of tomcat6 is on your system?
>> >rpm -qa tomcat6
>> tomcat6-6.0.24-78.el6_5.noarch
>>
>>
> This tomcat version should still be a working one. The tomcat6 that
> broke things has not made it out yet, having been discovered in QE
> testing.
>
>
>