#3973 Reinstalling ipa server hangs when configuring certificate server
Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1018804

Description of problem:
Do an uninstall and re-install of ipa server and it looks like it's hanging on the re-install at:
2013-10-11T17:06:47Z DEBUG   [8/22]: importing CA chain to RA certificate database

Version-Release number of selected component (if applicable):
ipa-server-3.3.2-2.el7.x86_64.

How reproducible:
always

Steps to Reproduce:
1. Install ipa server
2. uninstall
3. reinstall

Actual results:
reinstall hangs

Expected results:
reinstall successfully

Additional info:
# ps -ef|grep ipa-server-install
root     12209  4969  0 15:51 pts/0    00:00:00 grep --color=auto ipa-server-install
root     15046 18725  0 13:05 ?        00:00:03 /usr/bin/python -E /usr/sbin/ipa-server-install --setup-dns --no-forwarder -p Secret123 -P Secret123 -a Secret123 -r TESTRELM.COM -n testrelm.com --ip-address=10.16.98.182 --hostname=ipaqa64vma.testrelm.com -U

# date
Fri Oct 11 15:54:54 EDT 2013


# tail /var/log/ipaserver-install.log
2013-10-11T17:06:46Z DEBUG The httpd proxy is not installed, skipping wait for CA
2013-10-11T17:06:46Z DEBUG   duration: 4 seconds
2013-10-11T17:06:46Z DEBUG   [7/22]: creating RA agent certificate database
2013-10-11T17:06:46Z DEBUG Starting external process
2013-10-11T17:06:46Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -N
2013-10-11T17:06:47Z DEBUG Process finished, return code=0
2013-10-11T17:06:47Z DEBUG stdout=
2013-10-11T17:06:47Z DEBUG stderr=
2013-10-11T17:06:47Z DEBUG   duration: 0 seconds
2013-10-11T17:06:47Z DEBUG   [8/22]: importing CA chain to RA certificate database

From the previous ipaserver-uninstall.log, this was the only thing that stood out:

Uninstalling CA from /var/lib/pki/pki-tomcat.

Uninstallation complete.

2013-10-11T17:04:24Z DEBUG stderr=pkidestroy  : WARNING  ....... this 'CA' entry will NOT be deleted from security domain 'IPA'!
pkidestroy  : WARNING  ....... security domain 'IPA' may be offline or unreachable!
pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '/usr/bin/sslget -n 'subsystemCert cert-pki-ca' -p '588648796016' -d '/etc/pki/pki-tomcat/alias' -e 'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipaqa64vma.testrelm.com&sport=443&ncsport=8443&adminsport=8443&agentsport=8443&operation=remove' -v -r '/ca/agent/ca/updateDomainXML' ipaqa64vma.testrelm.com:443 2>&1' returned non-zero exit status 6!


# strace -p 15046
Process 15046 attached
recvfrom(5,

Patch freeipa-mkosek-431-installer-should-always-wait-until-ca-starts-up.patch sent for review

Critical issue in 3.3.x, autotriaging.

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)

7 years ago
