[Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

Endi Sukma Dewata edewata at redhat.com
Thu Feb 26 02:56:02 UTC 2015


On 2/26/2015 8:02 AM, Les Stott wrote:
>>> rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger
>>> /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid
>>> /usr/share/pki /etc/ipa /var/log/ipa* reboot
>>>
>>> Now you have a clean slate.
>>
>> Do you know which step of the steps above actually helped you resolve the
>> reinstall issue?
>>
>
> The reboot I think was key to the whole process, but pki remnants seemed left behind too which caused grief. Previously I had never rebooted the system in between uninstall/reinstall.
>
> /etc/ipa/ca.crt was also left behind. It caused an issue during one reinstall as it never got updated and the install bombed out because it found a mismatched cert. This led me to deleting all possible ipa/pki directories and then removing/reinstalling rpms to restore to default state.
>
> I noticed that in some cases (I went through this same process on 6 servers to reinstall and set up CA replicas) I could still see a leftover process running as the pkiuser (tomcat/java) which stopped the "userdel pkiuser" command from completing. I had to kill that process and then userdel pkiuser worked.

Some of the above files/folders should have been removed automatically 
when the Dogtag instance/package is removed. There's already a ticket to 
improve this on Dogtag 10:
https://fedorahosted.org/pki/ticket/1172

I created a new ticket for Dogtag 9:
https://fedorahosted.org/pki/ticket/1280

Thanks!

-- 
Endi S. Dewata
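
A read-only check for the leftovers described in this thread, as an added example that is not part of the original message or of FreeIPA/Dogtag: it reports which of the paths named above still exist and whether any process is still running as pkiuser. The function names, the `--check` switch and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: reports leftovers only, deletes nothing.
# Paths are the ones listed in the thread. Some are package-owned, so run
# this after the rpms have been removed, as the poster did.
LEFTOVER_PATHS="/etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger
/etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid
/usr/share/pki /etc/ipa"

# Print every listed path that still exists under an optional root prefix
# (hypothetical argument, useful for testing). Returns 0 if clean, 1 if not.
find_leftovers() {
    root="${1:-}"
    found=0
    for p in $LEFTOVER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "leftover: $p"
            found=1
        fi
    done
    # The thread uses the glob /var/log/ipa*; expand it under the prefix.
    for f in "$root"/var/log/ipa*; do
        [ -e "$f" ] || continue
        echo "leftover: ${f#"$root"}"
        found=1
    done
    return $found
}

# List processes still owned by an account. A live tomcat/java process
# owned by pkiuser is what blocked "userdel pkiuser" for the poster.
user_processes() {
    id "$1" >/dev/null 2>&1 || return 0   # account already removed
    ps -u "$1" -o pid=,comm= 2>/dev/null
}

# Combine both checks; non-zero exit means the host is not a clean slate.
preflight() {
    rc=0
    find_leftovers "${1:-}" || rc=1
    procs=$(user_processes "${2:-pkiuser}")
    if [ -n "$procs" ]; then
        echo "processes still running as ${2:-pkiuser}:"
        echo "$procs"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--check" ]; then preflight "" pkiuser; exit $?; fi
```

A stale `/etc/ipa/ca.crt` shows up here under `/etc/ipa`; the script does not compare certificates, it only flags that the directory survived the uninstall.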



