On 09/23/2014 03:59 AM, Ade Lee wrote:
> On Mon, 2014-09-22 at 13:39 -0600, swartz wrote:
>> On 9/22/2014 9:14 AM, Ade Lee wrote:
>>> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?
>>
>> >ls -l /etc/pki-ca/CS.cfg
>> -rw-r-----. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg
>>
> In very rare cases, I've seen cases where the CS.cfg becomes truncated
> during an update. Unfortunately, we have not been able to reproduce the
> event. In later versions of dogtag, we make sure to save the CS.cfg
> just in case.
>
> Your instance sounds like a truncated CS.cfg instance, but the size is a
> lot larger than cases I've seen before, so I don't want to jump to that
> conclusion yet.


JFTR, FreeIPA may have been involved as well, we had a related fix in
FreeIPA 4.0.2: https://fedorahosted.org/freeipa/ticket/4166

>
> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?
>
> If you have backups of the CS.cfg, that will help. Also, you could look
> for backups that we have created:
>
> find /var/lib/pki-ca -name 'CS.cfg*'
> find /var/log -name 'CS.cfg*'
>
> Also, do you have a replica CA?
>
> Ade
>
>> I know that I did NOT change the configs myself. But something certainly
>> did during 'yum update'.
>> There are no .rpmsave or .rpmnew files that would typically be created
>> if configs are properly marked in RPM spec file.
>>
>> There are two other files that exist though:
>> -rw-r-----. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
>> -rw-rw----. 1 pkiuser pkiuser 65955 Sep 5 2013 CS.cfg.in.p33
>>
>> However, they are not usable either in place of current CS.cfg.
>>
> The above files are templates only. They are modified during instance
> configuration.
>>
>>>> There have been no updates recently on rhel 6 to the pki packages.
>>>> There has, however, been an update to tomcat - which broke dogtag
>>>> startups.
>>>>
>>>> What version of tomcat6 is on your system?
>> >rpm -qa tomcat6
>> tomcat6-6.0.24-78.el6_5.noarch
>>
>>
> This tomcat version should still be a working one. The tomcat6 that
> broke things has not made it out yet, having been discovered in QE
> testing.
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
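
A read-only way to run the truncation check and backup comparison discussed in the thread above, as an added example that is not part of the original messages or of Dogtag. It assumes CS.cfg is a list of `key=value` lines; the function names and the backup path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks for a truncated key=value config such as CS.cfg.
# Assumption: the file is a list of key=value lines, with optional # comments.

# ends_cleanly FILE: succeed if FILE is non-empty, ends with a newline, and its
# last non-blank line is a comment or has the form key=value.
ends_cleanly() {
    [ -s "$1" ] || return 1
    # $(...) strips a trailing newline, so an empty result means the last byte is "\n".
    [ -z "$(tail -c 1 "$1")" ] || return 1
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case $last in
        \#*|*=*) return 0 ;;
        *) return 1 ;;
    esac
}

# keys FILE: print the sorted, unique property names in FILE.
keys() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' | cut -d= -f1 | LC_ALL=C sort -u
}

# missing_keys LIVE BACKUP: print keys present in BACKUP but absent from LIVE.
missing_keys() {
    live_tmp=$(mktemp) && bak_tmp=$(mktemp) || return 2
    keys "$1" > "$live_tmp"
    keys "$2" > "$bak_tmp"
    LC_ALL=C comm -13 "$live_tmp" "$bak_tmp"
    rm -f "$live_tmp" "$bak_tmp"
}

# check_config LIVE [BACKUP...]: report on LIVE and compare it with each backup.
check_config() {
    live=$1; shift
    if ends_cleanly "$live"; then
        echo "$live: ends on a complete line"
    else
        echo "$live: empty or last line incomplete (possible truncation)"
    fi
    for bak in "$@"; do
        n=$(missing_keys "$live" "$bak" | wc -l | tr -d ' ')
        echo "$bak: $n key(s) found here that are missing from $live"
    done
}

# Example: sh check_cscfg.sh /etc/pki-ca/CS.cfg /path/to/backup/CS.cfg
if [ "$#" -gt 0 ]; then check_config "$@"; fi
```

A large count of keys missing from the live file relative to a backup points to a lost tail even when the file happens to end on a complete line.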