[Freeipa-users] Unable to add CA on an already configured replica

Martin Basti mbasti at redhat.com
Mon Jul 25 08:16:17 UTC 2016



On 22.07.2016 20:17, pgb205 wrote:
> Current topology:
> ipa-srv1<->ipa-srv2
>
> ipa-srv1 already has CA installed but *NOT* ipa-srv2.
>
> The reason I would like to add CA on ipa-srv2 is because I want the 
> setup to ultimately become
> ipa-srv2<->ipa-srv2<->ipa-srv3
>
> however I am unable to create gpg replication file on ipa-srv2 (to be 
> used to establish replication agreement to ipa-srv3)
> as I get an error message: "Certificate operation cannot be completed: 
> Unable to communicate with CMS (Internal Server Error)"
> From what I've found gpg can only be created on replica with CA 
> installed.
>
> to install CA I tried the following command
> ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
> This errors out at
>   [8/21]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
> restart the Dogtag instance. See the installation log for details.
>   [9/21]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed 
> with HTTP status 500

Hello,
can you please check /var/log/pki/pki-tomcat/ca/debug for more specific 
errors?

Regards,
Martin

> systemctl status pki-tomcatd@pki-tomcat.service
> shows the pki service is running, surprisingly.
>
> but it's still not listed in ipactl status output
>
> further attempts to install are halted with error : CA is already 
> installed on this system and I have to manually delete everything with:
> pkidestroy -s CA -i pki-tomcat
> rm -rf /var/log/pki/pki-tomcat
> rm -rf /etc/sysconfig/pki-tomcat
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
> rm -rf /var/lib/pki/pki-tomcat
> rm -rf /etc/pki/pki-tomcat
>
>
> in error logs the one message that stands out is:
> 500 internal server error. which repeats multiple times at the end of 
> log file.
>
> Please suggest on what can be done in this situation.
>
> PS: regarding pkidestroy and pkiremove commands. What is the 
> difference, or does pkidestroy supersede pkiremove?
> Alexander B suggests pkiremove in one of his older posts and 'yum 
> whatprovides pkiremove' also suggests that it should be available.
>
>
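The two diagnostics this thread turns on, the Dogtag debug log Martin points to and the leftover pki-tomcat files that make a second `ipa-ca-install` stop with "CA is already installed", as an added shell example that is not code from the thread, FreeIPA or Dogtag. The root-directory parameter and the log lines in `demo` are constructed so it runs against a scratch directory; on a real replica the defaults apply.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Dogtag. ROOT is a
# parameter only so the path check can run against a scratch directory.

# Pieces of a half-installed pki-tomcat instance (the paths pgb205 lists).
# If any survive, a second ipa-ca-install refuses to run. Prints each one
# that still exists; nothing is deleted here.
leftover_pki_paths() {
    root="${1:-}"
    for p in /var/log/pki/pki-tomcat \
             /etc/sysconfig/pki-tomcat \
             /etc/sysconfig/pki/tomcat/pki-tomcat \
             /var/lib/pki/pki-tomcat \
             /etc/pki/pki-tomcat; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Print the first error stanza of the Dogtag debug log: the first line that
# mentions an exception or an HTTP 500, plus the n lines after it, so the
# root cause is shown instead of the repeated "500 internal server error"
# tail the post describes.
first_error_stanza() {
    log="${1:-/var/log/pki/pki-tomcat/ca/debug}"
    n="${2:-4}"
    awk -v n="$n" '
        !found && /Exception|[Ii]nternal [Ss]erver [Ee]rror|HTTP status 500/ { found = 1 }
        found { print; if (++c > n) exit }
    ' "$log"
}

# Stand-alone demo on constructed input: the directory tree and the log
# lines below are made up, not a real Dogtag debug log.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/lib/pki/pki-tomcat"
    cat > "$tmp/debug" <<'EOF'
[25/Jul/2016:08:00:01] CAInstance: starting
[25/Jul/2016:08:00:02] LDAP connection check
[25/Jul/2016:08:00:03] java.net.ConnectException: Connection refused (constructed)
[25/Jul/2016:08:00:03]   at example.Fake.connect(Fake.java:1)
[25/Jul/2016:08:00:04] CAInstance: init failed
[25/Jul/2016:08:00:05] 500 internal server error
[25/Jul/2016:08:00:06] 500 internal server error
EOF
    leftover_pki_paths "$tmp"
    first_error_stanza "$tmp/debug" 2
    rm -rf "$tmp"
}
```

Run `demo` to see both checks on the constructed input; on a replica, call `leftover_pki_paths` with no argument after `pkidestroy` and `first_error_stanza` with no argument to read the real log.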
