[Freeipa-users] Unable to add CA on an already configured replica
pgb205
pgb205 at yahoo.com
Fri Jul 22 18:17:37 UTC 2016
Current topology:
ipa-srv1<->ipa-srv2
ipa-srv1 already has CA installed but NOT ipa-srv2.
The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3.
However, I am unable to create the gpg replication file on ipa-srv2 (to be used to establish a replication agreement to ipa-srv3), as I get an error message:
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
From what I've found, the gpg can only be created on a replica with CA installed.
To install CA I tried the following command:
ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
This errors out at:
[8/21]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
[9/21]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
systemctl status pki-tomcatd@pki-tomcat.service
shows the pki service is running, surprisingly,
but it's still not listed in ipactl status output.
Further attempts to install are halted with the error: CA is already installed on this system, and I have to manually delete everything with:
pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat
In the error logs the one message that stands out is: 500 internal server error, which repeats multiple times at the end of the log file.
Please suggest on what can be done in this situation.
PS: regarding the pkidestroy and pkiremove commands. What is the difference, or does pkidestroy supersede pkiremove? Alexander B suggests pkiremove in one of his older posts, and 'yum whatprovides pkiremove' also suggests that it should be available.