[Freeipa-users] Unable to add CA on an already configured replica

pgb205 pgb205 at yahoo.com
Fri Jul 22 18:17:37 UTC 2016 

Current topology:
ipa-srv1<->ipa-srv2
ipa-srv1 already has CA installed but NOT ipa-srv2.
The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3
however I am unable to create gpg replication file on ipa-srv2 (to be used to establish replication agreement to ipa-srv3)as I get an error message: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)From what I've found gpg can only be created on replica with CA installed. 

to install CA I tried the following commandipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
This errors out at 
  [8/21]: starting certificate server instanceipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details.  [9/21]: importing CA chain to RA certificate database  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
systemctl status pki-tomcatd at pki-tomcat.service
shows the pki service is running, surprisingly.
but it's still not listed in ipactl status output

further attempts to install are halted with error : CA is already installed on this system and I have to manually delete everything with:
pkidestroy -s CA -i pki-tomcat 1003  rm -rf /var/log/pki/pki-tomcat 1004  rm -rf /etc/sysconfig/pki-tomcat 1005  rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat 1006  rm -rf /var/lib/pki/pki-tomcat 1007  rm -rf /etc/pki/pki-tomcat

in error logs the one message that stands out is:500 internal server error. which repeats multiple times at the end of log file.
Please suggest on what can be done in this situation.
PS: regarding pkidestroy and pkiremove commands. What is the difference or does pkidestroy superceeds pkiremove.Alexander B suggests pkiremove in one of his older posts and 'yum whatprovides pkiremove' also suggests that it should be available.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160722/bc483abe/attachment.htm>

More information about the Freeipa-users mailing list