[Freeipa-users] Failed to start pki-tomcatd Service

Steven Jones Steven.Jones at vuw.ac.nz
Tue Sep 15 21:00:56 UTC 2015


Hi,


I am in a similar boat, well RHEL6.7 to RHEL7.1.  I joined a RHEL7.1 / IPA4.1 to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was CA-less.  Did a full backup on the RHEL7.1 / IPA 4.1.  Blew away the IPA server, installed fresh, pki-tomcat runs, did a restore and pki-tomcat doesn't run.


btw what does --data do?  I tried that before a full restore and no passwords worked, i.e. I could not log in and no users worked at all, so it seems pointless? Or maybe rather, what is it for, and when to use it?



regards

Steven

________________________________
From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Alexandre Ellert <ellertalexandre at gmail.com>
Sent: Wednesday, 16 September 2015 12:09 a.m.
To: Martin Babinsky
Cc: freeipa-users at redhat.com; Alexander Bokovoy
Subject: Re: [Freeipa-users] Failed to start pki-tomcatd Service

So, here is the recap:
I migrated a single IPA server on CentOS 6.6 to a dual IPA server setup on CentOS 7.1. The PKI was only installed on server two.
Everything was working fine: replication OK, new enrollments OK, authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart automatically after reboot on server two.

Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...

Maybe I should use ipa-backup, then rebuild an IPA infrastructure, and then ipa-restore?

Please advise.


2015-09-07 13:36 GMT+02:00 Alexandre Ellert <ellertalexandre at gmail.com>:

> On 4 Sep 2015 at 16:37, Martin Babinsky <mbabinsk at redhat.com> wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>>> replica ?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can't remove the node on which I have the problem with pki-tomcatd:
>>>>
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>>
>>>> It seems that it's the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible ?
>>
>>
> You must provide a replica file as an argument to ipa-ca-install if you want to set up the CA on another replica.
>
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line:
[root at inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at NUMEEZY.FR password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
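The conncheck transcript above is the one part of this thread that can be checked mechanically. As an added example (not from the thread or the FreeIPA project), here is a POSIX shell function that parses that output, fails only on non-OK TCP checks and merely flags UDP WARNING/SKIPPED results, since the tool's own message says it may be unable to attach its UDP responder; the sample input is constructed from the thread's output.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA: triage ipa-replica-conncheck
# output. Every TCP check ("TCP (88)", "Unsecure port (389)", ...) must be OK;
# UDP checks reported WARNING or SKIPPED are only flagged as unverified, since
# the tool itself says it may be unable to attach its own UDP responder.

# conncheck_verdict: reads conncheck output on stdin, prints
# "tcp-fail:<port>" for each non-OK TCP check and "udp-unverified:<port>"
# for each non-OK UDP check; returns 1 if any TCP check failed, else 0.
conncheck_verdict() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"("[0-9]*"): "*) ;;          # only "... (PORT): STATUS" lines
            *) continue ;;
        esac
        status=${line##*: }               # text after the last ": "
        port=${line##*(}                  # text after the last "("
        port=${port%%)*}                  # ... up to the closing ")"
        case "$line" in
            *" UDP ("*) proto=udp ;;
            *)          proto=tcp ;;
        esac
        [ "$status" = "OK" ] && continue
        if [ "$proto" = tcp ]; then
            echo "tcp-fail:$port"
            rc=1
        else
            echo "udp-unverified:$port"
        fi
    done
    return "$rc"
}

# Constructed sample modelled on the master-to-replica check in the thread.
SAMPLE_CONNCHECK='Check connection from master to remote replica:
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464'

printf '%s\n' "$SAMPLE_CONNCHECK" | conncheck_verdict \
    && echo "all TCP checks OK; re-check any UDP ports listed above by hand"
```

Pipe a saved conncheck log into conncheck_verdict to get a non-zero exit only when a TCP port is actually blocked, which is the case that would stop ipa-ca-install from reaching the master.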

