On 9/23/2014 6:35 PM, swartz wrote:
On 9/22/2014 7:59 PM, Ade Lee wrote:
If you scroll to the end of the CS.cfg, does it look like it has been
truncated?

I'd have to say no. It doesn't look truncated to me. At least there are
no obvious signs. But then again I don't know everything that is supposed
to be there. I know that the line starting with
"pkicreate.unsecure_port=" isn't there, that's for sure. Hence why the init
script fails to start PKI-CA.

Hi,

Ade and I looked at the file that you sent, and I sent you an updated CS.cfg based on my system (and you indicated that it's working now). I noticed that your original file contains the following line:

  cloning.ocsp_signing.dn=CN=OCSP Subsys

where it probably should have been something like this:

  cloning.ocsp_signing.dn=CN=OCSP Subsystem,O=CS.MYDOMAIN.CA

Also, it's missing the next ~400 lines which seem to have been replaced with these lines:

  proxy.securePort=443
  proxy.unsecurePort=80

So we're suspecting that something was adding these proxy parameters directly to CS.cfg while the CA is saving configuration changes to CS.cfg too. Luckily your original CS.cfg still contains enough information to fully restore the file. I guess we need someone who's more familiar with the IPA & CA upgrade process to take a look at this more closely.

The CS.cfg is actually owned by the CA server, but sometimes people are advised to change the file directly, and maybe some code is written that way too. There are some ways to avoid this kind of problem in the future:

1. Require the CA to be shut down before changing CS.cfg directly.
2. Prohibit direct access to the file and require the use of tools that send the changes to the CA server (e.g. via CLI/REST).
3. Break CS.cfg into user-owned and server-owned parameters, and move mostly-static parameters into a separate default file.
4. Replace CS.cfg with LDAP-based configuration.

In the short term we might be limited to #1, but in the long term we might be able to implement the other options.

--
Endi S. Dewata
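As an added illustration (not code from this thread, nor from Dogtag or IPA), here is a Python sketch of the lost-update problem's file-level mitigation: a locked, atomic read-modify-write for CS.cfg, plus a check for keys whose absence signals a truncated file. The sample file contents, the required-key list and the `.lock` file name are constructed assumptions.

```python
import fcntl
import os
import tempfile

SAMPLE_CFG = (  # constructed sample, not a real CA configuration
    "pkicreate.unsecure_port=9180\n"
    "cloning.ocsp_signing.dn=CN=OCSP Subsystem,O=EXAMPLE.CA\n"
)
# Keys whose absence suggests truncation (the thread names the first one).
REQUIRED_KEYS = ("pkicreate.unsecure_port", "cloning.ocsp_signing.dn")

def parse_cs_cfg(text):
    """Parse key=value lines in file order; comments and blank lines are dropped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def missing_keys(text, required=REQUIRED_KEYS):
    """Return the required keys that are absent, so a start script can refuse early."""
    present = parse_cs_cfg(text)
    return [k for k in required if k not in present]

def update_cs_cfg(path, changes):
    """Merge `changes` into the file under an exclusive lock, replacing it atomically."""
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)   # writers taking this lock serialise here
        with open(path) as f:
            entries = parse_cs_cfg(f.read())
        entries.update(changes)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as out:
            out.write("".join(f"{k}={v}\n" for k, v in entries.items()))
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, path)   # readers see the old or the new complete file, never a partial one
        return entries

def demo():
    """Write the sample, add the proxy keys, and return the re-read entries."""
    path = os.path.join(tempfile.mkdtemp(), "CS.cfg")
    with open(path, "w") as f:
        f.write(SAMPLE_CFG)
    update_cs_cfg(path, {"proxy.securePort": "443", "proxy.unsecurePort": "80"})
    with open(path) as f:
        return parse_cs_cfg(f.read())
```

The lock only protects writers that take it, so a running CA that rewrites CS.cfg on its own schedule still has to be stopped first, which is why option #1 is the realistic short-term measure.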

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
