Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED
Have resolved the issues below by completely removing FreeIPA and starting from scratch. Here is the procedure to completely remove FreeIPA so you can start again. ipa-server-install --uninstall certutil -d /etc/httpd/alias -D -n Server-Cert certutil -d /etc/httpd/alias -D -n MYDOMAIN.COM IPA CA certutil -d /etc/httpd/alias -D -n ipaCert certutil -d /etc/httpd/alias -D -n Signing-Cert yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs userdel pkisrv userdel pkiuser rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa* reboot Now you have a clean slate. Then install works as normal for IPA Server, Replica and CA Replica installations. Hope this saves someone else time in the future. Regards, Les -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Les Stott Sent: Wednesday, 18 February 2015 6:27 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution Has anyone got any ideas on the below errors I am now receiving? Thanks in advance, Les I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup. I'm still having issues. Different one this time. As I have previously worked around the install of CA replicas in my production Production environment as above, I went to setup CA replication in DR (both environments are completely separate). Make sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf I proceeded to retry installation of CA replication. However, it failed with the following: Note: sb2sys01.domain.com is the replica I am trying to install (abbreviated below) # Attempting to connect to: sb2sys01.domain.com:9445 Connected. Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7; op=nextxml=true__password=path=ca.p12 RESPONSE STATUS: HTTP/1.1 200 OK RESPONSE HEADER: Server: Apache-Coyote/1.1 RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8 RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT RESPONSE HEADER: Connection: close ?xml version=1.0 encoding=UTF-8? !-- BEGIN COPYRIGHT BLOCK END COPYRIGHT BLOCK -- response paneladmin/console/config/restorekeycertpanel.vm/panel res/ updateStatusfailure/updateStatus password/ errorStringThe pkcs12 file is not correct./errorString size19/size Error in RestoreKeyCertPanel(): updateStatus returns failure ERROR: ConfigureCA: RestoreKeyCertPanel() failure ERROR: unable to create CA In /var/log/pki-ca/catalina.out I see... CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed certificate|and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system). grep DirAclAuthz /etc/pki-ca/CS.cfg authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuth z authz.instance.DirAclAuthz.ldap=internaldb authz.instance.DirAclAuthz.pluginName=DirAclAuthz authz.instance.DirAclAuthz.ldap._000=## authz.instance.DirAclAuthz.ldap._001=## Internal Database authz.instance.DirAclAuthz.ldap._002=## authz.instance.DirAclAuthz.ldap.basedn= authz.instance.DirAclAuthz.ldap.maxConns=15 authz.instance.DirAclAuthz.ldap.minConns=3 authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname= authz.instance.DirAclAuthz.ldap.ldapconn.host= authz.instance.DirAclAuthz.ldap.ldapconn.port= authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt I don't see any errors in httpd error or access logs on the master or the intended replica. The ipa-pki-proxy.conf config has the profilesubmit section. # matches for ee port LocationMatch ^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenI
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
Has anyone got any ideas on the below errors I am now receiving? Thanks in advance, Les I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup. I'm still having issues. Different one this time. As I have previously worked around the install of CA replicas in my production Production environment as above, I went to setup CA replication in DR (both environments are completely separate). Make sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf I proceeded to retry installation of CA replication. However, it failed with the following: Note: sb2sys01.domain.com is the replica I am trying to install (abbreviated below) # Attempting to connect to: sb2sys01.domain.com:9445 Connected. Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7; op=nextxml=true__password=path=ca.p12 RESPONSE STATUS: HTTP/1.1 200 OK RESPONSE HEADER: Server: Apache-Coyote/1.1 RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8 RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT RESPONSE HEADER: Connection: close ?xml version=1.0 encoding=UTF-8? !-- BEGIN COPYRIGHT BLOCK END COPYRIGHT BLOCK -- response paneladmin/console/config/restorekeycertpanel.vm/panel res/ updateStatusfailure/updateStatus password/ errorStringThe pkcs12 file is not correct./errorString size19/size Error in RestoreKeyCertPanel(): updateStatus returns failure ERROR: ConfigureCA: RestoreKeyCertPanel() failure ERROR: unable to create CA In /var/log/pki-ca/catalina.out I see... CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system). grep DirAclAuthz /etc/pki-ca/CS.cfg authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz authz.instance.DirAclAuthz.ldap=internaldb authz.instance.DirAclAuthz.pluginName=DirAclAuthz authz.instance.DirAclAuthz.ldap._000=## authz.instance.DirAclAuthz.ldap._001=## Internal Database authz.instance.DirAclAuthz.ldap._002=## authz.instance.DirAclAuthz.ldap.basedn= authz.instance.DirAclAuthz.ldap.maxConns=15 authz.instance.DirAclAuthz.ldap.minConns=3 authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname= authz.instance.DirAclAuthz.ldap.ldapconn.host= authz.instance.DirAclAuthz.ldap.ldapconn.port= authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt I don't see any errors in httpd error or access logs on the master or the intended replica. The ipa-pki-proxy.conf config has the profilesubmit section. # matches for ee port LocationMatch ^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenI nfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberR ange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit I can confirm that pki-cad does start (but is unconfigured) and that it does listen on port 9445. # netstat -apn |grep 9445 tcp0 0 :::9445 :::* LISTEN 31264/java # service pki-cad status pki-ca (pid 31264) is running... [ OK ] 'pki-ca' must still be CONFIGURED! (see /var/log/pki-ca-install.log) I am not sure what to try next. Appreciate any help to get over this error. Thanks, Les -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
-Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Les Stott Sent: Saturday, 7 February 2015 9:39 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution -Original Message- From: Endi Sukma Dewata [mailto:edew...@redhat.com] Sent: Saturday, 7 February 2015 1:53 AM To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution On 2/6/2015 8:39 AM, Martin Kosek wrote: Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les I saw this one around, e.g. in: http://www.redhat.com/archives/freeipa-devel/2014- May/msg00507.html Did you try reinstalling pki-selinux before ipa-server-install? Endi/Matthew, do we have a bug/fix for this? Thanks, Martin Yes, we have a ticket for this: https://fedorahosted.org/pki/ticket/1243 The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260. -- Endi S. Dewata I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup. I'm still having issues. Different one this time. As I have previously worked around the install of CA replicas in my production Production environment as above, I went to setup CA replication in DR (both environments are completely separate). Make sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf I proceeded to retry installation of CA replication. However, it failed with the following: Note: sb2sys01.domain.com is the replica I am trying to install (abbreviated below) # Attempting to connect to: sb2sys01.domain.com:9445 Connected. Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7op=nextxml=true__password=path=ca.p12 RESPONSE STATUS: HTTP/1.1 200 OK RESPONSE HEADER: Server: Apache-Coyote/1.1 RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8 RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT RESPONSE HEADER: Connection: close ?xml version=1.0 encoding=UTF-8? !-- BEGIN COPYRIGHT BLOCK END COPYRIGHT BLOCK -- response paneladmin/console/config/restorekeycertpanel.vm/panel res/ updateStatusfailure/updateStatus password/ errorStringThe pkcs12 file is not correct./errorString size19/size Error in RestoreKeyCertPanel(): updateStatus returns failure ERROR: ConfigureCA: RestoreKeyCertPanel() failure ERROR: unable to create CA In /var/log/pki-ca/catalina.out I see... CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system). grep DirAclAuthz /etc/pki-ca/CS.cfg authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz authz.instance.DirAclAuthz.ldap=internaldb authz.instance.DirAclAuthz.pluginName=DirAclAuthz authz.instance.DirAclAuthz.ldap._000=## authz.instance.DirAclAuthz.ldap._001=## Internal Database authz.instance.DirAclAuthz.ldap._002=## authz.instance.DirAclAuthz.ldap.basedn= authz.instance.DirAclAuthz.ldap.maxConns=15 authz.instance.DirAclAuthz.ldap.minConns=3 authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname= authz.instance.DirAclAuthz.ldap.ldapconn.host= authz.instance.DirAclAuthz.ldap.ldapconn.port= authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt I don't see any errors in httpd error or access logs on the master or the intended replica. The
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Saturday, 7 February 2015 1:40 AM To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution On 02/06/2015 06:59 AM, Les Stott wrote: Hi, I found a bug in the pki packages and CA replica installation. Environment: Rhel 6.6 IPA Server 3.0.0-42 Pki components: pki-symkey-9.0.3-38.el6_6.x86_64 pki-common-9.0.3-38.el6_6.noarch pki-setup-9.0.3-38.el6_6.noarch pki-selinux-9.0.3-38.el6_6.noarch pki-java-tools-9.0.3-38.el6_6.noarch pki-ca-9.0.3-38.el6_6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-native-tools-9.0.3-38.el6_6.x86_64 pki-util-9.0.3-38.el6_6.noarch pki-silent-9.0.3-38.el6_6.noarch Selinux: Permissive when running a CA replica installation it fails because pki-cad cannot start due to selinux context issues. Samples from the ipareplica-ca-install.log... = 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca: /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument 2015-02-05T08:20:04Z DEBUG duration: 6 seconds 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance # Attempting to connect to: sb1sys02.mydomain.com:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ### ### # 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused java.net.ConnectException: Connection refused == In short pki-cad fails to start and stops the installer. Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les I saw this one around, e.g. in: http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html Did you try reinstalling pki-selinux before ipa-server-install? Yes, tried this. But it was not enough. Endi/Matthew, do we have a bug/fix for this? Thanks, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
-Original Message- From: Endi Sukma Dewata [mailto:edew...@redhat.com] Sent: Saturday, 7 February 2015 1:53 AM To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution On 2/6/2015 8:39 AM, Martin Kosek wrote: Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les I saw this one around, e.g. in: http://www.redhat.com/archives/freeipa-devel/2014- May/msg00507.html Did you try reinstalling pki-selinux before ipa-server-install? Endi/Matthew, do we have a bug/fix for this? Thanks, Martin Yes, we have a ticket for this: https://fedorahosted.org/pki/ticket/1243 The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260. -- Endi S. Dewata I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup. Thanks, Les -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 2/6/2015 8:39 AM, Martin Kosek wrote: Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les I saw this one around, e.g. in: http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html Did you try reinstalling pki-selinux before ipa-server-install? Endi/Matthew, do we have a bug/fix for this? Thanks, Martin Yes, we have a ticket for this: https://fedorahosted.org/pki/ticket/1243 The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260. -- Endi S. Dewata -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 02/06/2015 06:59 AM, Les Stott wrote: Hi, I found a bug in the pki packages and CA replica installation. Environment: Rhel 6.6 IPA Server 3.0.0-42 Pki components: pki-symkey-9.0.3-38.el6_6.x86_64 pki-common-9.0.3-38.el6_6.noarch pki-setup-9.0.3-38.el6_6.noarch pki-selinux-9.0.3-38.el6_6.noarch pki-java-tools-9.0.3-38.el6_6.noarch pki-ca-9.0.3-38.el6_6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-native-tools-9.0.3-38.el6_6.x86_64 pki-util-9.0.3-38.el6_6.noarch pki-silent-9.0.3-38.el6_6.noarch Selinux: Permissive when running a CA replica installation it fails because pki-cad cannot start due to selinux context issues. Samples from the ipareplica-ca-install.log... = 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca: /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument 2015-02-05T08:20:04Z DEBUG duration: 6 seconds 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance # Attempting to connect to: sb1sys02.mydomain.com:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ### 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused java.net.ConnectException: Connection refused == In short pki-cad fails to start and stops the installer. Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les I saw this one around, e.g. in: http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html Did you try reinstalling pki-selinux before ipa-server-install? Endi/Matthew, do we have a bug/fix for this? Thanks, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Hi, I found a bug in the pki packages and CA replica installation. Environment: Rhel 6.6 IPA Server 3.0.0-42 Pki components: pki-symkey-9.0.3-38.el6_6.x86_64 pki-common-9.0.3-38.el6_6.noarch pki-setup-9.0.3-38.el6_6.noarch pki-selinux-9.0.3-38.el6_6.noarch pki-java-tools-9.0.3-38.el6_6.noarch pki-ca-9.0.3-38.el6_6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-native-tools-9.0.3-38.el6_6.x86_64 pki-util-9.0.3-38.el6_6.noarch pki-silent-9.0.3-38.el6_6.noarch Selinux: Permissive when running a CA replica installation it fails because pki-cad cannot start due to selinux context issues. Samples from the ipareplica-ca-install.log... = 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca: /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument 2015-02-05T08:20:04Z DEBUG duration: 6 seconds 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance # Attempting to connect to: sb1sys02.mydomain.com:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ### 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused java.net.ConnectException: Connection refused == In short pki-cad fails to start and stops the installer. Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help. The solution is as follows: yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools which takes components back to 9.0.3-32 then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg Then, the CA replication completes successfully. Regards, Les -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project