Bret,

What version is the Dogtag instance on that server? (rpm -q pki-ca)

We have seen cases when the CS.cfg has zero length - and have modified
code to:
1) not write to CS.cfg on startup
2) back up the CS.cfg on upgrades.

Under normal operations, unless you are configuring the Dogtag instance -
which would not be happening during normal IPA operations, the CS.cfg
should not be written to.

Is there perhaps a backup of CS.cfg under /etc/pki/pki-tomcat/ca
(assuming this is Dogtag 10) or under /var/log/pki/server/upgrade?

Ade

On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote:
> Martin,
>
> The only other systems I have running IPA are on another network. I
> could take their CS.cfg file and try to modify it to fit what this one
> should have had, but that's my only option.
>
> On the up side, this is a relatively small network, and reinstating the
> users and hosts won't be an enormous task. Big, but not enormous. And I
> should have had a backup, especially knowing there was a scheduled power
> outage coming up. Because those are always problem-free.... ;-)
>
>
> Bret
>
> On 01/27/2014 04:14 AM, Martin Kosek wrote:
> > On 01/27/2014 01:51 AM, Bret Wortman wrote:
> >> We had to reboot the IPA server on a standalone network recently, and this
> >> IPA server is the only one on that network; there are no replicas. Upon
> >> restarting, the IPA software refused to start because, after a couple
> >> hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.
> >>
> >> How can I most easily restore this file given that I doubt we have a
> >> backup (our bad)? Is there a way to basically reinstall the server without
> >> losing the data in the database? Our users and host definitions, anyway?
> >>
> >> Thanks!
> >>
> >>
> >> Bret
> > Hello Bret,
> >
> > Sorry to hear that. It looks like something (PKI?) was writing to the CS.cfg
> > while the IPA server restarted. What version of IPA and PKI are we talking
> > about?
> >
> > Do you have any other PKI server with CA you can use as a source of the
> > CS.cfg file or as a replica to reinstall the IPA server with CA from (in
> > the worst case)?
> >
> > I am adding PKI developers to the CC to advise.
> >
> > Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
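
The check discussed in this thread (is CS.cfg zero-length, and does a non-empty copy exist in one of the backup locations mentioned), as an added shell example that is not part of the original messages or of Dogtag/IPA tooling. The `CS.cfg*` name pattern for backup copies and the function names are assumptions; the script relies on GNU find's `-printf`.

```shell
#!/bin/sh
# Added example. Usage, with the paths named in the thread:
#   sh check_cs_cfg.sh /etc/pki-ca/CS.cfg \
#       /etc/pki/pki-tomcat/ca /var/log/pki/server/upgrade

# Succeeds when the file exists but is zero-length (the failure reported here).
is_truncated() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Print non-empty files named CS.cfg* under the given directories, newest
# first. The CS.cfg* pattern is an assumption about how backups are named.
# Directories that do not exist are skipped silently.
find_cs_cfg_backups() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -size +0c keeps only files with at least one byte, so a second
        # truncated copy is never offered as a restore candidate.
        find "$dir" -type f -name 'CS.cfg*' -size +0c -printf '%T@ %p\n'
    done | sort -rn | cut -d' ' -f2-
}

# Report the state of the live file, then list restore candidates.
report() {
    live=$1
    shift
    if is_truncated "$live"; then
        echo "TRUNCATED: $live is zero-length"
    elif [ -s "$live" ]; then
        echo "OK: $live has content"
    else
        echo "MISSING: $live"
    fi
    find_cs_cfg_backups "$@"
}

# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Compare any candidate against the expected instance settings before copying it into place, and keep the zero-length file's timestamp for the incident record.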