> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Saturday, 7 February 2015 1:40 AM
> To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> On 02/06/2015 06:59 AM, Les Stott wrote:
> > Hi,
> >
> > I found a bug in the pki packages and CA replica installation.
> >
> > Environment:
> > Rhel 6.6
> > IPA Server 3.0.0-42
> > Pki components:
> > pki-symkey-9.0.3-38.el6_6.x86_64
> > pki-common-9.0.3-38.el6_6.noarch
> > pki-setup-9.0.3-38.el6_6.noarch
> > pki-selinux-9.0.3-38.el6_6.noarch
> > pki-java-tools-9.0.3-38.el6_6.noarch
> > pki-ca-9.0.3-38.el6_6.noarch
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > pki-native-tools-9.0.3-38.el6_6.x86_64
> > pki-util-9.0.3-38.el6_6.noarch
> > pki-silent-9.0.3-38.el6_6.noarch
> > Selinux:
> > Permissive
> >
> > When running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.
> >
> > Samples from the ipareplica-ca-install.log...
> >
> > =========
> > 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> > /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
> >
> > 2015-02-05T08:20:04Z DEBUG duration: 6 seconds
> > 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
> > #############################################
> > Attempting to connect to: sb1sys02.mydomain.com:9445
> > Exception in LoginPanel(): java.lang.NullPointerException
> > ERROR: ConfigureCA: LoginPanel() failure
> > ERROR: unable to create CA
> >
> > #######################################################################
> >
> > 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> >
> > ==========
> >
> > In short pki-cad fails to start and stops the installer.
> >
> > Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
> >
> > The solution is as follows:
> >
> > yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> > which takes components back to 9.0.3-32
> > then
> > yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> > then (after cleaning up half installed pki components)
> > ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >
> > Then, the CA replication completes successfully.
> >
> > Regards,
> >
> > Les
>
> I saw this one around, e.g. in:
>
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>
> Did you try reinstalling pki-selinux before ipa-server-install?
>
Yes, tried this. But it was not enough.

> Endi/Matthew, do we have a bug/fix for this?
>
> Thanks,
> Martin
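Added example, not part of the thread and not FreeIPA or PKI project code: a triage script for an ipareplica-ca-install.log that separates the runcon "invalid context" failure from the LoginPanel and connection-refused errors that follow it in the excerpt above. The sample log is constructed from that excerpt, and the function, pattern and verdict names are assumptions made for this illustration.

```python
import re

# Root cause seen in the thread: runcon rejects the context used to start pki-cad.
# The level may itself contain ':' (e.g. s0-s0:c0.c1023), so match it lazily.
RUNCON_RE = re.compile(
    r"runcon: invalid context:\s*"
    r"(?P<context>[^:\s]+:[^:\s]+:(?P<type>[^:\s]+):\S+?):\s"
)
# Follow-on errors: the installer talks to a CA instance that never started.
SYMPTOM_RES = {
    "login_panel_failure": re.compile(r"LoginPanel\(\)"),
    "ca_not_created": re.compile(r"unable to create CA"),
    "connection_refused": re.compile(r"ConnectException: Connection refused"),
}

def triage(log_text):
    """Split an install log into root-cause contexts and follow-on symptoms."""
    contexts, symptoms = [], []
    for line in log_text.splitlines():
        m = RUNCON_RE.search(line)
        if m:
            hit = {"context": m.group("context"), "type": m.group("type")}
            if hit not in contexts:
                contexts.append(hit)
        for name, rx in SYMPTOM_RES.items():
            if rx.search(line) and name not in symptoms:
                symptoms.append(name)
    if contexts:
        verdict = "selinux_context_rejected"   # hypothetical label
    elif symptoms:
        verdict = "symptoms_only"              # hypothetical label
    else:
        verdict = "no_known_signature"         # hypothetical label
    return {"verdict": verdict, "invalid_contexts": contexts, "symptoms": symptoms}

# Constructed sample, abridged from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: unable to create CA
2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "symptoms_only" result means the log shows the installer failing to reach the CA without a recorded runcon error, so the pki-cad start itself still needs to be checked.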