Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1408965
Description of problem:

IMHO, we need a better handling of ipa-ca-install. If for any reason it fails like in this case:

====================================
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed: PKI subsystem 'CA' for instance 'pki-tomcat' does NOT exist!
ipa : DEBUG stderr=pkispawn : ERROR ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp1OOvuJ' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
====================================

I don't have the possibility of doing an "ipa-ca-install --uninstall". Instead, the proposal is to delete the full replica to clean up:

=====================================
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
=====================================

At master side, we can see:

======================
ipa-csreplica-manage list
Directory Manager password:
ipareplica.gparente.local: CA not configured
ipaserver.gparente.local: master
=======================

If, at replica side, I want to re-install CA, I will find these issues:

========================
ipa : DEBUG The ipa-ca-install command failed, exception: DuplicateEntry: This entry already exists
========================

Because of:

[28/Dec/2016:09:46:38.078814164 -0500] conn=39 op=2 ADD dn="cn=o\3Dipaca,cn=mapping tree,cn=config"
[28/Dec/2016:09:46:38.079158862 -0500] conn=39 op=2 RESULT err=68 tag=105 nentries=0 etime=0

I can delete ipaca backend completely so as to have no traces and let installer go on, but if it fails for another reason, it's impossible to go on or repair other than deleting + uninstalling the full replica.

IMHO, either we do an ipa-ca-install that performs the exact same steps each time and knows how to skip already performed actions (ipa-dns-install like) or we provide an ipa-ca-install --uninstall command.

Version-Release number of selected component (if applicable):

rpm -q ipa-server
ipa-server-4.4.0-14.el7_3.x86_64
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: Future Releases
It's unclear what the ask here is. Is it:
Metadata Update from @rcritten: - Issue close_status updated to: None