[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Mon Sep 7 11:36:09 UTC 2015


> On 4 Sep 2015, at 16:37, Martin Babinsky <mbabinsk at redhat.com> wrote:
> 
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>> 
>>> On 28 Aug 2015, at 17:41, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>> 
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>> 
>>>>> On 28 Aug 2015, at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>> 
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>> 
>>>>>>> On 28 Jul 2015, at 05:59, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>>> replica?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Can you please tell me the procedure to decommission and re-create a new replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do?
>>>>> No, you also need to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>> 
>>>>> --
>>>>> / Alexander Bokovoy
>>>> 
>>>> I can’t remove the node on which I have a problem with pki-tomcatd:
>>>> 
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>> 
>>>> It seems that it’s the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>> 
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>> 
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>> 
>> CA is already installed.
>> 
>> How is it possible?
>> 
>> 
> You must provide a replica file as an argument to ipa-ca-install if you want to set up a CA on another replica.
> 
> -- 
> Martin^3 Babinsky

I’m still stuck with the correct command line:
[root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@NUMEEZY.FR password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed




