[Freeipa-users] Unable to add CA on an already configured replica

Rob Crittenden rcritten at redhat.com
Mon Jul 25 20:29:37 UTC 2016


pgb205 wrote:
> Current topology:
> ipa-srv1<->ipa-srv2
>
> ipa-srv1 already has CA installed but *NOT* ipa-srv2.
>
> The reason I would like to add CA on ipa-srv2 is because I want the
> setup to ultimately become
> ipa-srv2<->ipa-srv2<->ipa-srv3
>
> however I am unable to create gpg replication file on ipa-srv2 (to be
> used to establish replication agreement to ipa-srv3)
> as I get an error message: Certificate operation cannot be completed:
> Unable to communicate with CMS (Internal Server Error)
> From what I've found gpg can only be created on replica with CA installed.
>
> to install CA I tried the following command
> ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
> This errors out at
>   [8/21]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance. See the installation log for details.
>   [9/21]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed
> with HTTP status 500
>
> systemctl status pki-tomcatd at pki-tomcat.service
>
> shows the pki service is running, surprisingly.
>
> but it's still not listed in ipactl status output
>
> further attempts to install are halted with error: CA is already
> installed on this system and I have to manually delete everything with:
> pkidestroy -s CA -i pki-tomcat
> rm -rf /var/log/pki/pki-tomcat
> rm -rf /etc/sysconfig/pki-tomcat
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
> rm -rf /var/lib/pki/pki-tomcat
> rm -rf /etc/pki/pki-tomcat
>
>
> in error logs the one message that stands out is:
> 500 internal server error. which repeats multiple times at the end of
> log file.

Which log file? You probably want to look at the CA debug log. I'm 
assuming the error is originating in dogtag.

> Please suggest on what can be done in this situation.
>
> PS: regarding pkidestroy and pkiremove commands. What is the difference,
> or does pkidestroy supersede pkiremove?
> Alexander B suggests pkiremove in one of his older posts and 'yum
> whatprovides pkiremove' also suggests that it should be available.

Right, pkidestroy replaced pkiremove.

There is no uninstaller for the CA currently. I had started one long ago 
and never finished it. Feel free to open an RFE on it.

Note that it is trickier than just removing files. Depending on where it 
blows up you may need to remove replication agreements too (and entries 
from cn=masters).

rob
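Rob's point about cn=masters, as an added example that is not from the thread: a small parser over a constructed ldapsearch dump of cn=masters that reports which masters carry a cn=CA role entry, so an entry left behind by a failed ipa-ca-install can be spotted before retrying. The suffix, host names, the sample values and the "no enabledService" heuristic are assumptions.

```python
# Added example (not from the thread): report which IPA masters carry a
# cn=CA role entry, parsed from an ldapsearch LDIF dump of cn=masters.
# Assumed input command (suffix, hosts and values below are constructed):
#   ldapsearch -LLL -b cn=masters,cn=ipa,cn=etc,$SUFFIX cn ipaConfigString
import re
from collections import defaultdict

# Constructed sample: ipa-srv1 has a working CA; ipa-srv2 has a cn=CA entry
# that never reached enabledService (what a failed ipa-ca-install might leave).
SAMPLE_LDIF = """\
dn: cn=ipa-srv1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: ipa-srv1.example.com

dn: cn=CA,cn=ipa-srv1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=co
 m
cn: CA
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa-srv2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: CA
ipaConfigString: configuredService
"""

# Matches a role entry: cn=<role>,cn=<host>,cn=masters,cn=ipa,cn=etc,<suffix>
ROLE_DN = re.compile(r"^cn=([^,]+),cn=([^,]+),cn=masters,cn=ipa,cn=etc,", re.I)

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding LDIF continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # a folded line starts with one space
        attrs = defaultdict(list)
        for line in unfolded.splitlines():
            key, _, val = line.partition(": ")
            attrs[key].append(val)
        yield attrs["dn"][0], attrs

def ca_roles(ldif_text):
    """Map host -> set of ipaConfigString values on its cn=CA entry."""
    roles = {}
    for dn, attrs in parse_ldif(ldif_text):
        m = ROLE_DN.match(dn)
        if m and m.group(1).upper() == "CA":
            roles[m.group(2).lower()] = set(attrs.get("ipaConfigString", []))
    return roles

def incomplete_ca_hosts(ldif_text):
    """Hosts whose cn=CA entry lacks enabledService (heuristic, not IPA's own rule)."""
    return sorted(h for h, s in ca_roles(ldif_text).items() if "enabledService" not in s)
```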



