Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED

2015-02-24 Thread Les Stott
Have resolved the issues below by completely removing FreeIPA and starting from 
scratch.

Here is the procedure to completely remove FreeIPA so you can start again. 

ipa-server-install --uninstall
certutil -d /etc/httpd/alias -D -n Server-Cert
# the CA nickname contains spaces, so it must be quoted
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools \
    pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client \
    ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base \
    389-ds-base-libs
userdel pkisrv
userdel pkiuser
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger \
    /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki \
    /etc/ipa /var/log/ipa*
reboot

Now you have a clean slate.

Then install works as normal for IPA Server, Replica and CA Replica 
installations.

Hope this saves someone else time in the future.

Regards,

Les

 -Original Message-
 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
 boun...@redhat.com] On Behalf Of Les Stott
 Sent: Wednesday, 18 February 2015 6:27 PM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
 workaround/solution
 
 Has anyone got any ideas on the below errors I am now receiving?
 
 Thanks in advance,
 
 Les
 
  
   I will test this out (update to 3.7.19-260) next week as I've got a
   few more CA replicas to set up.
  
 
  I'm still having issues. Different one this time.
  
  As I have previously worked around the install of CA replicas in my
  Production environment as above, I went to set up CA replication in DR
  (both environments are completely separate).
  
  Having made sure I did a yum update for all packages, including
  selinux-policy, and also that all needed modules were loaded in
  httpd.conf, I proceeded to retry the installation of CA replication.
  However, it failed with the following:
 
  Note: sb2sys01.domain.com is the replica I am trying to install
 
  (abbreviated below)
 
  #
  Attempting to connect to: sb2sys01.domain.com:9445
  Connected.
  Posting Query =
  https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
  RESPONSE STATUS:  HTTP/1.1 200 OK
  RESPONSE HEADER:  Server: Apache-Coyote/1.1
  RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
  RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
  RESPONSE HEADER:  Connection: close
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- BEGIN COPYRIGHT BLOCK
  
   END COPYRIGHT BLOCK -->
  <response>
    <panel>admin/console/config/restorekeycertpanel.vm</panel>
    <res/>
    <updateStatus>failure</updateStatus>
    <password/>
    <errorString>The pkcs12 file is not correct.</errorString>
    <size>19</size>
  Error in RestoreKeyCertPanel(): updateStatus returns failure
  ERROR: ConfigureCA: RestoreKeyCertPanel() failure
  ERROR: unable to create CA
 
  
 
  In /var/log/pki-ca/catalina.out I see...
 
  CMS Warning: FAILURE: Cannot build CA chain. Error
  java.security.cert.CertificateException: Certificate is not a PKCS #11
  certificate|FAILURE: authz instance DirAclAuthz initialization failed and
  skipped, error=Property internaldb.ldapconn.port missing value| Server
  is started.
 
  Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with
  a working system).
 
  grep DirAclAuthz /etc/pki-ca/CS.cfg
  authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
  authz.instance.DirAclAuthz.ldap=internaldb
  authz.instance.DirAclAuthz.pluginName=DirAclAuthz
  authz.instance.DirAclAuthz.ldap._000=##
  authz.instance.DirAclAuthz.ldap._001=## Internal Database
  authz.instance.DirAclAuthz.ldap._002=##
  authz.instance.DirAclAuthz.ldap.basedn=
  authz.instance.DirAclAuthz.ldap.maxConns=15
  authz.instance.DirAclAuthz.ldap.minConns=3
  authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
  authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
  authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
  authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
  authz.instance.DirAclAuthz.ldap.ldapconn.host=
  authz.instance.DirAclAuthz.ldap.ldapconn.port=
  authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
  authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
 
  The CA cert looks ok to me on the master. It does get copied to the
  replica in /usr/share/ipa/html/ca.crt
 
  I don't see any errors in httpd error or access logs on the master or
  the intended replica.
 
  The ipa-pki-proxy.conf config has the profilesubmit section.
 
  # matches for ee port
  <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenI
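Added example, not part of Les's procedure or of the FreeIPA project: a Python 3 residue check to run before reinstalling, which confirms that the four NSS nicknames, the packages, the users and the paths from the removal procedure above are really gone. The certutil and rpm output embedded in it is constructed sample data; the certutil parser keeps the nickname that contains spaces whole, which is also why the certutil -D call for that nickname needs quoting.

```python
"""Residue check to run before reinstalling, after the removal procedure above.
The parsers take command output as text so they can be tested offline;
run_audit() executes the real commands on the host (assumes Python 3 and root)."""
import os
import pwd
import subprocess

# Artefact lists copied from the removal procedure in the mail.
NSS_DB = "/etc/httpd/alias"
NICKNAMES = ["Server-Cert", "MYDOMAIN.COM IPA CA", "ipaCert", "Signing-Cert"]
PACKAGES = ["pki-selinux", "pki-ca", "pki-common", "pki-setup", "pki-silent",
            "pki-java-tools", "pki-symkey", "pki-util", "pki-native-tools",
            "ipa-server-selinux", "ipa-server", "ipa-client", "ipa-admintools",
            "ipa-python", "ipa-pki-ca-theme", "ipa-pki-common-theme",
            "389-ds-base", "389-ds-base-libs"]
USERS = ["pkisrv", "pkiuser"]
PATHS = ["/etc/pki-ca", "/var/lib/pki-ca", "/var/log/pki-ca", "/etc/certmonger",
         "/etc/sysconfig/pki-ca", "/etc/sysconfig/pki", "/var/run/pki-ca.pid",
         "/usr/share/pki", "/etc/ipa"]

# Constructed sample output of `certutil -L -d /etc/httpd/alias` and of `rpm -q`
# on a host where the teardown was only half done.
SAMPLE_CERTUTIL = """Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

Server-Cert                                       u,u,u
MYDOMAIN.COM IPA CA                               CT,C,C
"""
SAMPLE_RPM = """package pki-ca is not installed
pki-common-9.0.3-38.el6_6.noarch
package ipa-server is not installed
"""

def nicknames_in_listing(listing):
    """Nicknames from certutil -L output. A nickname may contain spaces
    ("MYDOMAIN.COM IPA CA"), so only the trailing trust-flag token is split off."""
    found = []
    for line in listing.splitlines():
        name, _, flags = line.rstrip().rpartition(" ")
        # trust flags are letters from pPcCTuw separated by commas; the
        # header's "Attributes" / "SSL,S/MIME,JAR/XPI" and blank lines fail this
        if flags and name and all(c in "pPcCTuw," for c in flags):
            found.append(name.strip())
    return found

def leftover_certs(listing, wanted=NICKNAMES):
    return [n for n in nicknames_in_listing(listing) if n in wanted]

def installed_from_rpm_query(rpm_output):
    """`rpm -q` prints the installed NVR or 'package X is not installed' per package."""
    return [line.strip() for line in rpm_output.splitlines()
            if line.strip() and not line.startswith("package ")]

def leftover_users(names=USERS):
    known = {entry.pw_name for entry in pwd.getpwall()}
    return [n for n in names if n in known]

def leftover_paths(paths=PATHS):
    return [p for p in paths if os.path.lexists(p)]

def run_audit():
    """Run certutil and rpm on the host and report everything still present."""
    certs = subprocess.run(["certutil", "-L", "-d", NSS_DB],
                           capture_output=True, text=True).stdout
    rpms = subprocess.run(["rpm", "-q"] + PACKAGES,
                          capture_output=True, text=True).stdout
    return {"certs": leftover_certs(certs), "packages": installed_from_rpm_query(rpms),
            "users": leftover_users(), "paths": leftover_paths()}

if __name__ == "__main__":
    print(run_audit())
```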
 
 

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-17 Thread Les Stott
Has anyone got any ideas on the below errors I am now receiving?

Thanks in advance,

Les

 
  I will test this out (update to 3.7.19-260) next week as I've got a
  few more CA replicas to set up.
 
 
 I'm still having issues. Different one this time.
 
 As I have previously worked around the install of CA replicas in my
 Production environment as above, I went to set up CA replication in DR
 (both environments are completely separate).
 
 Having made sure I did a yum update for all packages, including
 selinux-policy, and also that all needed modules were loaded in httpd.conf,
 I proceeded to retry the installation of CA replication. However, it failed
 with the following:
 
 Note: sb2sys01.domain.com is the replica I am trying to install
 
 (abbreviated below)
 
 #
 Attempting to connect to: sb2sys01.domain.com:9445
 Connected.
 Posting Query =
 https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
 RESPONSE STATUS:  HTTP/1.1 200 OK
 RESPONSE HEADER:  Server: Apache-Coyote/1.1
 RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
 RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
 RESPONSE HEADER:  Connection: close
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- BEGIN COPYRIGHT BLOCK
 
  END COPYRIGHT BLOCK -->
 <response>
   <panel>admin/console/config/restorekeycertpanel.vm</panel>
   <res/>
   <updateStatus>failure</updateStatus>
   <password/>
   <errorString>The pkcs12 file is not correct.</errorString>
   <size>19</size>
 Error in RestoreKeyCertPanel(): updateStatus returns failure
 ERROR: ConfigureCA: RestoreKeyCertPanel() failure
 ERROR: unable to create CA
 
 
 
 In /var/log/pki-ca/catalina.out I see...
 
 CMS Warning: FAILURE: Cannot build CA chain. Error
 java.security.cert.CertificateException: Certificate is not a PKCS #11
 certificate|FAILURE: authz instance DirAclAuthz initialization failed and
 skipped, error=Property internaldb.ldapconn.port missing value| Server is
 started.
 
 Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a
 working system).
 
 grep DirAclAuthz /etc/pki-ca/CS.cfg
 authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
 authz.instance.DirAclAuthz.ldap=internaldb
 authz.instance.DirAclAuthz.pluginName=DirAclAuthz
 authz.instance.DirAclAuthz.ldap._000=##
 authz.instance.DirAclAuthz.ldap._001=## Internal Database
 authz.instance.DirAclAuthz.ldap._002=##
 authz.instance.DirAclAuthz.ldap.basedn=
 authz.instance.DirAclAuthz.ldap.maxConns=15
 authz.instance.DirAclAuthz.ldap.minConns=3
 authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
 authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
 authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
 authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
 authz.instance.DirAclAuthz.ldap.ldapconn.host=
 authz.instance.DirAclAuthz.ldap.ldapconn.port=
 authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
 authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
 
 The CA cert looks ok to me on the master. It does get copied to the replica in
 /usr/share/ipa/html/ca.crt
 
 I don't see any errors in httpd error or access logs on the master or the
 intended replica.
 
 The ipa-pki-proxy.conf config has the profilesubmit section.
 
 # matches for ee port
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
 
 I can confirm that pki-cad does start (but is unconfigured) and that it does
 listen on port 9445.
 
 # netstat -apn |grep 9445
 tcp        0      0 :::9445                     :::*                        LISTEN      31264/java
 # service pki-cad status
 pki-ca (pid 31264) is running...   [  OK  ]
 'pki-ca' must still be CONFIGURED!
 (see /var/log/pki-ca-install.log)
 
 I am not sure what to try next.
 
 Appreciate any help to get over this error.
 
 Thanks,
 
 Les
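Added example (not code from the thread or from the FreeIPA/Dogtag projects): a Python 3 triage script that parses the wizard XML response quoted above and reports which CS.cfg properties were left empty, the two symptoms Les describes. The CS.cfg excerpt and the list of required keys are constructed assumptions based on the grep output in the mail; the response is the one quoted, with its closing tag restored.

```python
"""Triage a failed pki-silent CA configuration: pull the failing panel and
errorString from the wizard's XML response and list the CS.cfg properties
left empty (the cause of "Property internaldb.ldapconn.port missing value")."""
import xml.etree.ElementTree as ET

# Wizard response quoted in the thread; </response> restored for well-formedness.
WIZARD_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
 END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not correct.</errorString>
  <size>19</size>
</response>
"""

# Constructed CS.cfg excerpt mirroring the "grep DirAclAuthz" output in the thread.
CS_CFG = """## Internal Database
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
"""

# Assumption: our own list of properties a configured CA must have populated.
REQUIRED = ("authz.instance.DirAclAuthz.ldap.basedn",
            "authz.instance.DirAclAuthz.ldap.ldapauth.bindDN",
            "authz.instance.DirAclAuthz.ldap.ldapconn.host",
            "authz.instance.DirAclAuthz.ldap.ldapconn.port",
            "internaldb.ldapconn.host", "internaldb.ldapconn.port")


def parse_wizard_response(xml_text):
    """Return panel, updateStatus and errorString from a wizard <response>."""
    root = ET.fromstring(xml_text)
    def text(tag):
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""
    return {"panel": text("panel"), "status": text("updateStatus"),
            "error": text("errorString")}


def parse_cs_cfg(cfg_text):
    """CS.cfg is key=value per line; '#' starts a comment; values may contain '='."""
    props = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unpopulated(cfg_text, required=REQUIRED):
    """Required keys that are absent from CS.cfg or have an empty value."""
    props = parse_cs_cfg(cfg_text)
    return [k for k in required if not props.get(k)]


def triage(xml_text, cfg_text):
    """Which panel failed, why, and which properties the CA never had configured."""
    resp = parse_wizard_response(xml_text)
    failed = resp["panel"] if resp["status"] == "failure" else None
    return {"failed_panel": failed, "error": resp["error"],
            "unpopulated": unpopulated(cfg_text)}


if __name__ == "__main__":
    for key, value in triage(WIZARD_RESPONSE, CS_CFG).items():
        print(f"{key}: {value}")
```

On a real replica, feed it the wizard output from ipareplica-ca-install.log and the contents of /etc/pki-ca/CS.cfg.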

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-13 Thread Les Stott


 -Original Message-
 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
 boun...@redhat.com] On Behalf Of Les Stott
 Sent: Saturday, 7 February 2015 9:39 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
 workaround/solution
 
 
 
  -Original Message-
  From: Endi Sukma Dewata [mailto:edew...@redhat.com]
  Sent: Saturday, 7 February 2015 1:53 AM
  To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
  Subject: Re: [Freeipa-users] bug in pki during install of CA replica
  and workaround/solution
 
  On 2/6/2015 8:39 AM, Martin Kosek wrote:
   Reinstalling the pki-selinux rpm (found references in some other
   forum
  posts) via yum reinstall pki-selinux is not enough to help.
  
   The solution is as follows:
  
   yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   which takes components back to 9.0.3-32
   then
   yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   then (after cleaning up half installed pki components)
   ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
  
   Then, the CA replication completes successfully.
  
   Regards,
  
   Les
  
   I saw this one around, e.g. in:
  
   http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
  
   Did you try reinstalling pki-selinux before ipa-server-install?
  
   Endi/Matthew, do we have a bug/fix for this?
  
   Thanks,
   Martin
  
 
  Yes, we have a ticket for this:
  https://fedorahosted.org/pki/ticket/1243
  The default selinux-policy is version 3.7.19-231. It needs to be
  updated to at least version 3.7.19-260.
 
  --
  Endi S. Dewata
 
  I will test this out (update to 3.7.19-260) next week as I've got a few more
  CA replicas to set up.
 

I'm still having issues. Different one this time.

As I have previously worked around the install of CA replicas in my
Production environment as above, I went to set up CA replication in DR (both
environments are completely separate).

Having made sure I did a yum update for all packages, including selinux-policy,
and also that all needed modules were loaded in httpd.conf, I proceeded to
retry the installation of CA replication. However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install

(abbreviated below)

#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query =
https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
 
 END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not correct.</errorString>
  <size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA



In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not a PKCS #11 
certificate|FAILURE: authz instance DirAclAuthz initialization failed and 
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a 
working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false

The CA cert looks ok to me on the master. It does get copied to the replica in 
/usr/share/ipa/html/ca.crt

I don't see any errors in httpd error or access logs on the master or the 
intended replica.

The 

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott


 -Original Message-
 From: Martin Kosek [mailto:mko...@redhat.com]
 Sent: Saturday, 7 February 2015 1:40 AM
 To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata
 Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
 workaround/solution
 
 On 02/06/2015 06:59 AM, Les Stott wrote:
  Hi,
 
  I found a bug in the pki packages and CA replica installation.
 
  Environment:
   RHEL 6.6
  IPA Server 3.0.0-42
  Pki components:
  pki-symkey-9.0.3-38.el6_6.x86_64
  pki-common-9.0.3-38.el6_6.noarch
  pki-setup-9.0.3-38.el6_6.noarch
  pki-selinux-9.0.3-38.el6_6.noarch
  pki-java-tools-9.0.3-38.el6_6.noarch
  pki-ca-9.0.3-38.el6_6.noarch
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  pki-native-tools-9.0.3-38.el6_6.x86_64
  pki-util-9.0.3-38.el6_6.noarch
  pki-silent-9.0.3-38.el6_6.noarch
   SELinux:
  Permissive
 
   When running a CA replica installation, it fails because pki-cad cannot start
   due to SELinux context issues.
 
  Samples from the ipareplica-ca-install.log...
 
   =
   2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service
   pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca:
   /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0:
   Invalid argument
  
   2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
   2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
   #
   Attempting to connect to: sb1sys02.mydomain.com:9445
   Exception in LoginPanel(): java.lang.NullPointerException
   ERROR: ConfigureCA: LoginPanel() failure
   ERROR: unable to create CA
  
   ###
  
   2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send
   Request:java.net.ConnectException: Connection refused
   java.net.ConnectException: Connection refused
  
   ==
 
  In short pki-cad fails to start and stops the installer.
 
  Reinstalling the pki-selinux rpm (found references in some other forum
 posts) via yum reinstall pki-selinux is not enough to help.
 
  The solution is as follows:
 
   yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   which takes components back to 9.0.3-32
   then
   yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   then (after cleaning up half installed pki components)
   ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
 
  Then, the CA replication completes successfully.
 
  Regards,
 
  Les
 
 I saw this one around, e.g. in:
 
 http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
 
 Did you try reinstalling pki-selinux before ipa-server-install?
 

Yes, tried this. But it was not enough.


 Endi/Matthew, do we have a bug/fix for this?
 
 Thanks,
 Martin



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott


 -Original Message-
 From: Endi Sukma Dewata [mailto:edew...@redhat.com]
 Sent: Saturday, 7 February 2015 1:53 AM
 To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
 Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
 workaround/solution
 
 On 2/6/2015 8:39 AM, Martin Kosek wrote:
  Reinstalling the pki-selinux rpm (found references in some other forum
 posts) via yum reinstall pki-selinux is not enough to help.
 
  The solution is as follows:
 
   yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   which takes components back to 9.0.3-32
   then
   yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools
   then (after cleaning up half installed pki components)
   ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
 
  Then, the CA replication completes successfully.
 
  Regards,
 
  Les
 
  I saw this one around, e.g. in:
 
   http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
 
  Did you try reinstalling pki-selinux before ipa-server-install?
 
  Endi/Matthew, do we have a bug/fix for this?
 
  Thanks,
  Martin
 
 
 Yes, we have a ticket for this:
 https://fedorahosted.org/pki/ticket/1243
 The default selinux-policy is version 3.7.19-231. It needs to be updated to at
 least version 3.7.19-260.
 
 --
 Endi S. Dewata

I will test this out (update to 3.7.19-260) next week as I've got a few more CA
replicas to set up.

Thanks,

Les



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Endi Sukma Dewata

On 2/6/2015 8:39 AM, Martin Kosek wrote:

Reinstalling the pki-selinux rpm (found references in some other forum posts) 
via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools 
pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent 
pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,

Les


I saw this one around, e.g. in:

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin



Yes, we have a ticket for this:
https://fedorahosted.org/pki/ticket/1243
The default selinux-policy is version 3.7.19-231. It needs to be updated 
to at least version 3.7.19-260.


--
Endi S. Dewata



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Martin Kosek
On 02/06/2015 06:59 AM, Les Stott wrote:
 Hi,
 
 I found a bug in the pki packages and CA replica installation.
 
 Environment:
 RHEL 6.6
 IPA Server 3.0.0-42
 Pki components:
 pki-symkey-9.0.3-38.el6_6.x86_64
 pki-common-9.0.3-38.el6_6.noarch
 pki-setup-9.0.3-38.el6_6.noarch
 pki-selinux-9.0.3-38.el6_6.noarch
 pki-java-tools-9.0.3-38.el6_6.noarch
 pki-ca-9.0.3-38.el6_6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 pki-native-tools-9.0.3-38.el6_6.x86_64
 pki-util-9.0.3-38.el6_6.noarch
 pki-silent-9.0.3-38.el6_6.noarch
 SELinux:
 Permissive
 
 When running a CA replica installation, it fails because pki-cad cannot start
 due to SELinux context issues.
 
 Samples from the ipareplica-ca-install.log...
 
 =
 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service 
 pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca:
 /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: 
 Invalid argument
 
 2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
 2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
 #
 Attempting to connect to: sb1sys02.mydomain.com:9445
 Exception in LoginPanel(): java.lang.NullPointerException
 ERROR: ConfigureCA: LoginPanel() failure
 ERROR: unable to create CA
 
 ###
 
 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send 
 Request:java.net.ConnectException: Connection refused
 java.net.ConnectException: Connection refused
 
 ==
 
 In short pki-cad fails to start and stops the installer.
 
 Reinstalling the pki-selinux rpm (found references in some other forum posts) 
 via yum reinstall pki-selinux is not enough to help.
 
 The solution is as follows:
 
 yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent 
 pki-java-tools pki-symkey pki-util pki-native-tools
 which takes components back to 9.0.3-32
 then
 yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent 
 pki-java-tools pki-symkey pki-util pki-native-tools
 then (after cleaning up half installed pki components)
 ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
 
 Then, the CA replication completes successfully.
 
 Regards,
 
 Les

I saw this one around, e.g. in:

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin



[Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-05 Thread Les Stott
Hi,

I found a bug in the pki packages and CA replica installation.

Environment:
RHEL 6.6
IPA Server 3.0.0-42
Pki components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-ca-9.0.3-38.el6_6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-util-9.0.3-38.el6_6.noarch
pki-silent-9.0.3-38.el6_6.noarch
SELinux:
Permissive

When running a CA replica installation, it fails because pki-cad cannot start
due to SELinux context issues.

Samples from the ipareplica-ca-install.log...

=
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service 
pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: 
Invalid argument

2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
#
Attempting to connect to: sb1sys02.mydomain.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA

###

2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send 
Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused

==

In short pki-cad fails to start and stops the installer.

Reinstalling the pki-selinux rpm (found references in some other forum posts) 
via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools 
pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent 
pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,

Les
