[Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

German Parente gparente at redhat.com
Tue Mar 1 08:18:34 UTC 2016 

Hi Fraser,

thanks for the workaround. As I have a customer who hit this bug, I have created BZ 1313207 to trace this issue in the case.

Regards,

German.

----- Original Message -----
> From: "Fraser Tweedale" <ftweedal at redhat.com>
> To: "Ian Pilcher" <arequipeno at gmail.com>, "Natxo Asenjo" <natxo.asenjo at gmail.com>
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, March 1, 2016 6:34:01 AM
> Subject: Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?
> 
> On Mon, Feb 22, 2016 at 06:42:04PM +0100, Natxo Asenjo wrote:
> > On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
> > 
> > > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> > > traceback every time pki-cad starts:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/sbin/pki-server", line 89, in <module>
> > >     cli.execute(sys.argv)
> > >   File "/usr/sbin/pki-server", line 84, in execute
> > >     super(PKIServerCLI, self).execute(args)
> > >   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in
> > >   execute
> > >     module.execute(module_args)
> > >   File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line
> > > 103, in execute
> > >     scriptlet.execute()
> > >   File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py",
> > > line 50, in execute
> > >     cert = self.subsystem.get_system_cert('subsystem')
> > >   File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line
> > >   93,
> > > in get_system_cert
> > >     cert['request'] = base64.b64decode(self.config['%s.%s.certreq' %
> > > (self.prefix, tag)])
> > > KeyError: 'ca.subsystem.certreq'
> > > Starting pki-ca:                                           [  OK  ]
> > >
> > > As you can see, the daemon does still start successfully, and the
> > > traceback doesn't appear in any of the pki-cad logs.
> > >
> > >
> > yes, I see this too after the last round of updates. Curiously enough, just
> > on one of the kdcs, the other does not have this traceback.
> > 
> > Both are centos 6.7 fully patched, 32 bits.
> > 
> You can resolve the issue by stopping pki-cad, adding
> 'ca.subsystem.certreq=' (empty value) to CS.cfg, then restarting
> pki-cad.  AFAICT the absense of the certreq field will not cause any
> problems.
> 
> I'm still investigating what caused the 'ca.subsystem.certreq'
> config to disappear from CS.cfg in the first place.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

More information about the Freeipa-users mailing list