And just in case this is informative:

[root@oldmaster]# pkicontrol start ca PKI-IPA
PKI-IPA is an invalid 'pki-ca' instance
[root@oldmaster]#
Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman

On Wed, Feb 20, 2013 at 8:08 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> Digging further into my logs this morning, I've discovered that there are no
> new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
> tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
> updated and logged to; it's just the PKI piece that seems to be dead.
>
> Nothing in /etc/pki-ca has changed since last year, and the last updates
> to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
> can't tell what that change was....
>
> Would a key change or certificate change have affected this?
>
> Worst case, if I do something like this:
>
> # ipa-server-install -U --uninstall
> # ipa-server-install
>
> will I lose the hosts, policies & users I already have configured? Does
> this stand a chance of getting me back up to where I can clone this box and
> get healthy again?
>
> On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>
>> No, can't telnet to 7389 or 9444 either one:
>>
>> [root@ipamaster]# telnet oldmaster.my.com 7389
>> Trying 10.0.0.42...
>> telnet: connect to address 10.0.0.42: Connection refused
>> [root@ipamaster]#
>>
>> I do note that I only have packages called dogtag-*-theme installed:
>>
>> [root@oldmaster]# yum list "*dogtag*"
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> dogtag-pki-ca-theme.noarch        9.0.11-1.fc17    @fedora
>> dogtag-pki-common-theme.noarch    9.0.11-1.fc17    @fedora
>> Available Packages
>> dogtag-pki.noarch                 9.0.0-13.fc17    @fedora
>> :
>>
>> I also noticed that, according to /var/log/pki-ca/catalina.out and
>> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
>> I'm not sure what happened on that day to change things, but I'm trying to
>> find out. (At least, I assume this logdir relates to dogtag....)
>>
>> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Natxo Asenjo wrote:
>>>
>>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>>>>
>>>>> Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>>>>
>>>>> :
>>>>> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
>>>>>
>>>>> netscape.ldap.LDAPException: failed to connect to server
>>>>> ldap://oldmaster.my.com:7389 (91)
>>>>>
>>>>> This certainly appears to be a problem, but everyone's
>>>>> authenticating against oldmaster just fine. Thoughts, anyone?
>>>>
>>>> can you connect to that port (7389) on oldmaster.my.com from the other
>>>> replica? (try telnetting to the port: telnet oldmaster.my.com 7389)
>>>>
>>> 7389 is the port of the 389-ds instance used by dogtag. Is the instance
>>> running on oldmaster?
>>>
>>> It isn't used for authentication, which is why you aren't seeing problems
>>> with clients.
>>>
>>> rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
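A small diagnostic script, added here as an example and not part of the thread, that automates the two checks discussed above: whether the dogtag 389-ds instance on port 7389 (and port 9444, the other port Bret could not reach) accepts TCP connections, and whether the /var/log/dirsrv/slapd-PKI-IPA and /var/log/pki-ca log directories have gone stale the way Bret observed. The host name, ports and paths are taken from the thread and are assumptions about your deployment; adjust them as needed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Host, ports and log paths below are
# taken from the thread and assumed to match your deployment.

# port_open HOST PORT: returns 0 if a TCP connect succeeds within 3 s, else 1.
# Uses bash's /dev/tcp so it works on hosts that have neither telnet nor nc.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# newest_mtime DIR: epoch mtime of the most recently modified file under DIR;
# prints nothing if DIR is missing or empty.
newest_mtime() {
  find "$1" -type f -exec stat -c %Y {} + 2>/dev/null | sort -n | tail -n 1
}

# log_stale DIR MAX_DAYS: returns 0 (stale) if nothing under DIR has been
# written in the last MAX_DAYS days (or DIR is missing), 1 (fresh) otherwise.
log_stale() {
  local newest now
  newest=$(newest_mtime "$1")
  now=$(date +%s)
  [ $(( (now - ${newest:-0}) / 86400 )) -ge "$2" ]
}

# check_pki_health [HOST]: the connectivity and log-freshness checks from the
# thread; prints one line per check and returns 1 if any check fails.
check_pki_health() {
  local host=${1:-oldmaster.my.com} rc=0 port dir
  for port in 7389 9444; do   # 7389 = the 389-ds instance used by dogtag
    if port_open "$host" "$port"; then
      echo "ok    $host:$port accepts connections"
    else
      echo "FAIL  $host:$port refused or unreachable"; rc=1
    fi
  done
  for dir in /var/log/dirsrv/slapd-PKI-IPA /var/log/pki-ca; do
    if log_stale "$dir" 1; then
      echo "FAIL  $dir not written to for more than a day (dead instance?)"; rc=1
    else
      echo "ok    $dir is being written to"
    fi
  done
  return "$rc"
}

# Usage: bash pki_check.sh --run [host]   (runs nothing when merely sourced)
if [ "${1:-}" = "--run" ]; then check_pki_health "${2:-}"; fi
```

Run it from the replica that is failing to reach the CA's directory server, since a refused connection from there is exactly the symptom the catalina.out error reports.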