[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Tue Sep 15 12:09:45 UTC 2015


So, here is the recap:
I migrated a single IPA server on CentOS 6.6 to a dual IPA server setup on CentOS 7.1. The
PKI was only installed on server two.
Everything was working fine: replication OK, new enrollments OK,
authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart
automatically after reboot on server two.

Now I want to repair things, but I can't deploy a new PKI and I can't
delete the existing broken PKI...

Maybe I should use ipa-backup, then rebuild an IPA infrastructure and
then ipa-restore?

Please advise.


2015-09-07 13:36 GMT+02:00 Alexandre Ellert <ellertalexandre at gmail.com>:

>
> > > On 4 Sept 2015 at 16:37, Martin Babinsky <mbabinsk at redhat.com> wrote:
> >
> > On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
> >>
> >>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> >>>
> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
> >>>>
> >>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> >>>>>
> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
> >>>>>>
> >>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
> another
> >>>>>>>> replica ?
> >>>>>>> You may try that. Sorry for not responding, I have some other
> tasks that
> >>>>>>> occupy my time right now.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Can you please tell me the procedure to decommission and re-create
> a new replica?
> >>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the
> only things to do?
> >>>>> No, you need also to remove the server from the replication topology.
> >>>>>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
> >>>>>
> >>>>> --
> >>>>> / Alexander Bokovoy
> >>>>
> >>>> I can’t remove the node on which I have the problem with pki-tomcatd:
> >>>>
> >>>> # ipa-replica-manage del xxxx.example.com
> >>>> Deleting a master is irreversible.
> >>>> To reconnect to the remote master you will need to prepare a new
> replica file
> >>>> and re-install.
> >>>> Continue to delete? [no]: yes
> >>>> Deleting this server is not allowed as it would leave your
> installation without a CA
> >>>>
> >>>> It seems that it’s the only node where the CA is installed. What should I
> do now?
> >>> Add a replica with CA using ipa-ca-install on an existing replica.
> >>>
> >>> Read the guide, it has detailed coverage of these situations.
> >>> --
> >>> / Alexander Bokovoy
> >>
> >> On the first node (which is working and without pki-tomcatd service)
> >> # ipa-ca-install
> >> Directory Manager (existing master) password:
> >>
> >> CA is already installed.
> >>
> >> How is that possible?
> >>
> >>
> > You must provide a replica file as an argument to ipa-ca-install if you
> want to setup CA on another replica.
> >
> > --
> > Martin^3 Babinsky
>
> I’m still stuck with the correct command line:
> [root at inf-ipa ~]# ipa-ca-install
> /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at NUMEEZY.FR password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'inf-ipa.numeezy.fr':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): WARNING
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): WARNING
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
> seconds
>   [1/21]: creating certificate server user
>   [2/21]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero
> exit status 1
>   [error] RuntimeError: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
>
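As an added example (not from this thread or from the FreeIPA project): a small POSIX sh/awk filter that reads ipa-replica-conncheck output of the shape quoted above and lists every port check whose status is not OK, returning non-zero only when a check is FAILED, so that the UDP WARNING/SKIPPED lines for ports 88 and 464 do not stop a scripted pre-flight. The sample output and the `summarize_conncheck` name are my own constructions, and the status word FAILED is an assumption about the tool's output.

```shell
#!/bin/sh
# Constructed sample modelled on the conncheck transcript in this thread
# (illustrative values, not a real capture).
SAMPLE_CONNCHECK='   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   Kerberos KDC: UDP (88): SKIPPED'

# summarize_conncheck: read conncheck lines on stdin and print one line
# "<STATUS> <proto>/<port> <service>" for each check that is not OK.
# Exit status is 1 only if at least one check is FAILED (assumed status
# word); WARNING and SKIPPED are reported but do not fail the run.
# Usage: ipa-replica-conncheck ... | summarize_conncheck
summarize_conncheck() {
    awk -F': ' '
        /\([0-9]+\): (OK|WARNING|SKIPPED|FAILED)$/ {
            status = $NF
            svc = $1; sub(/^[ \t]+/, "", svc)
            # "Unsecure port (389)" and "Secure port (636)" are TCP checks;
            # only the explicit "UDP (88)" style lines are UDP.
            proto = ($(NF-1) ~ /^UDP/) ? "udp" : "tcp"
            port = $(NF-1); sub(/.*\(/, "", port); sub(/\).*/, "", port)
            if (status != "OK")
                printf "%s %s/%s %s\n", status, proto, port, svc
            if (status == "FAILED") failed++
        }
        END { exit (failed + 0) > 0 }
    '
}

# Demo on the constructed sample: prints the two WARNING and one SKIPPED
# lines and exits 0 because nothing is FAILED.
printf '%s\n' "$SAMPLE_CONNCHECK" | summarize_conncheck
```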