-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Saturday, 7 February 2015 9:39 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

-Original Message-
From: Endi Sukma Dewata [mailto:edew...@redhat.com]
Sent: Saturday, 7 February 2015 1:53 AM
To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 2/6/2015 8:39 AM, Martin Kosek wrote:
Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
The solution is as follows:
yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
(which takes components back to 9.0.3-32), then
yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half-installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
Then, the CA replication completes successfully.
Regards,
Les
I saw this one around, e.g. in:
http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
Did you try reinstalling pki-selinux before ipa-server-install?
Endi/Matthew, do we have a bug/fix for this?
Thanks,
Martin
Yes, we have a ticket for this:
https://fedorahosted.org/pki/ticket/1243
The default selinux-policy is version 3.7.19-231. It needs to be
updated to at least version 3.7.19-260.
--
Endi S. Dewata
I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to set up.
I'm still having issues. Different one this time.
As I have previously worked around the install of CA replicas in my Production environment as above, I went to set up CA replication in DR (both environments are completely separate).
Having made sure I did a yum update for all packages, including selinux-policy, and also having made sure all needed modules were loaded in httpd.conf, I proceeded to retry installation of CA replication. However, it failed with the following:
Note: sb2sys01.domain.com is the replica I am trying to install
(abbreviated below)
#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA
In /var/log/pki-ca/catalina.out I see...
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed and
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).
grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt
I don't see any errors in httpd error or access logs on the master or the intended replica.
The
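A small added diagnostic, not part of this thread or of the pki packages: it parses a Dogtag-style CS.cfg (key=value lines) and reports which DirAclAuthz LDAP properties are blank, which is exactly the state the "Property internaldb.ldapconn.port missing value" warning points at. The sample text and the list of required keys are constructed from the grep output quoted above; a real CS.cfg carries many more properties.

```python
"""Flag blank DirAclAuthz LDAP settings in a CS.cfg-style properties file."""
from typing import Dict, List

# Constructed sample mirroring the failed replica's grep output in the thread.
SAMPLE_CS_CFG = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
"""

# Keys that must carry a value for DirAclAuthz to reach the internal DB.
# Assumption: taken from the keys shown in the thread, not an exhaustive list.
REQUIRED_LDAP_KEYS = (
    "authz.instance.DirAclAuthz.ldap.basedn",
    "authz.instance.DirAclAuthz.ldap.ldapconn.host",
    "authz.instance.DirAclAuthz.ldap.ldapconn.port",
)


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; split on the first '=' only, since values
    such as 'cn=Directory Manager' contain '=' themselves."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_missing_values(props: Dict[str, str]) -> List[str]:
    """Return the required keys that are absent or blank, in checked order."""
    return [key for key in REQUIRED_LDAP_KEYS if not props.get(key)]


if __name__ == "__main__":
    # Run against a real file with: parse_cs_cfg(open("/etc/pki-ca/CS.cfg").read())
    for key in find_missing_values(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(f"missing value: {key}")
```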