#947 Startup should fail if self tests fail.
Closed: Duplicate None Opened 10 years ago by rcritten.

If there is an issue with the CA certificate database that causes the audit to fail, then the server should fail to start up. It currently starts but doesn't listen on its ports, so you can't use the fact that it started up as a success/failure indicator.


Hi, could you please provide info on what audit message it was when the CA failed to start? Thanks.

I was installing using an external CA. I passed the CSR generated during the first step to my CA, signed it and issued it the same serial number as the CA (0). This caused one of the certs to not install due to NSS complaining about same serial #/subject, trust wasn't satisfied, and audit failed the selftest. This was a good thing IMHO, it showed how I screwed up my external signing script, but it took a while to get there because the CA was running and I missed the audit failure in the debug log.

This is really a case where the self tests fail but the server remains up in some kind of zombie state. We should kill the server dead, dead, dead.

I'm going to change the ticket description slightly.

Per discussions, targeted 10.2 Backlog

[PKI TRAC Ticket #947 - Startup should fail if self tests fail.] marked as duplicate of [PKI TRAC Ticket #745 - Service should not start if selftest fails] (https://fedorahosted.org/pki/ticket/745) (per CS Meeting of 09/17/2014)

Metadata Update from @rcritten:
- Issue set to the milestone: 10.2.1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1513

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
