<div dir="ltr"><div><div><div>So, here is the recap : </div>I migrate a single IPA server Centos 6.6 to dual IP server Centos 7.1. The PKI was only installed on server two. Everything was working fine, replication OK, new enrollements OK, authentication with Kerberos and LDAP OK. </div>After some time, I discover that pki tomcatd service didn't restart automatically after reboot on server two. Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI... </div><div>Maybe I should use ipa-backup and then rebuilt an IPA infrastructure and then ipa-restore ? </div><div>Please advice. </div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">2015-09-07 13:36 GMT+02:00 Alexandre Ellert <<a href="mailto:ellertalexandre@gmail.com" target="_blank">ellertalexandre@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"> > Le 4 sept. 2015 à 16:37, Martin Babinsky <<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>> a écrit : > > On 08/28/2015 05:46 PM, Alexandre Ellert wrote: >> >>> Le 28 août 2015 à 17:41, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit : >>> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote: >>>> >>>>> Le 28 août 2015 à 17:09, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit : >>>>> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote: >>>>>> >>>>>>> Le 28 juil. 2015 à 05:59, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> a écrit : >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another >>>>>>>> replica ? >>>>>>> You may try that. Sorry for not responding, I have some other tasks that >>>>>>> occupy my time right now. >>>>>>> >>>>>> >>>>>> >>>>>> Can you please tell me the procedure to decommission and re-create a new replica ? >>>>>> Are "ipa-server-install —uninstall" then "ipa-server-install" the only things to do ? >>>>> No, you need also to remove the server from the replication topology. >>>>> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html</a> >>>>> >>>>> -- >>>>> / Alexander Bokovoy >>>> >>>> I can’t remove the node on which I have problem with pki-tomcatd : >>>> >>>> # ipa-replica-manage del <a href="http://xxxx.example.com" rel="noreferrer" target="_blank">xxxx.example.com</a> >>>> Deleting a master is irreversible. >>>> To reconnect to the remote master you will need to prepare a new replica file >>>> and re-install. >>>> Continue to delete? [no]: yes >>>> Deleting this server is not allowed as it would leave your installation without a CA >>>> >>>> I seem that it’s the only node where CA is installed. What should I do now ? >>> Add a replica with CA using ipa-ca-install on existing replica. >>> >>> Read the guide, it has detailed coverage of these situations. >>> -- >>> / Alexander Bokovoy >> >> On the first node (which is working and without pki-tomcatd service) >> # ipa-ca-install >> Directory Manager (existing master) password: >> >> CA is already installed. >> >> How is it possible ? >> >> > You must provide a replica file as an argument to ipa-ca-install if you want to setup CA on another replica. > > -- > Martin^3 Babinsky </div></div>I’m still stuck with the correct command line : [root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master '<a href="http://inf-ipa-2.numeezy.fr" rel="noreferrer" target="_blank">inf-ipa-2.numeezy.fr</a>': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master <a href="mailto:admin@NUMEEZY.FR">admin@NUMEEZY.FR</a> password: Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica '<a href="http://inf-ipa.numeezy.fr" rel="noreferrer" target="_blank">inf-ipa.numeezy.fr</a>': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): WARNING Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): WARNING HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 88, 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder. Connection from master to replica is OK. Connection check OK Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1 [error] RuntimeError: Configuration of CA failed Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed </blockquote></div> </div>