Ok -- at this point, I need some logs to determine why the server is not starting. How about you zip up all the logs in /var/log/pki-ca as well as /var/pki-ca-install.log ?

Ade

On Thu, 2012-03-01 at 11:07 -0500, Dan Scott wrote:
> Hi,
>
> I tried with SELinux in permissive mode. It failed in the same way.
>
> Dan
>
> On Wed, Feb 29, 2012 at 16:28, Ade Lee <a...@redhat.com> wrote:
> > It's a little strange that it's showing up as an error -- it shouldn't if
> > they are already set and they are of the right context.
> >
> > That said, it's not really an error - and should not be a problem unless
> > it's preventing the installation from completing successfully.
> >
> > Try doing the installation with selinux in permissive mode and see if it
> > makes a difference.
> >
> > Ade
> >
> > On Wed, 2012-02-29 at 16:18 -0500, Dan Scott wrote:
> >> On Wed, Feb 29, 2012 at 16:03, Ade Lee <a...@redhat.com> wrote:
> >> > That's a pretty strange error. The ports there are supposed to be
> >> > reserved for pki_ca_port_t.
> >> >
> >> > Can you do the following for each of the ports?
> >> > semanage port -l |grep 9443
> >>
> >> [root@fileserver3 ~]# semanage port -l |grep 9443
> >> pki_ca_port_t tcp 9180, 9701, 9443-9447
> >>
> >> 944[456] don't match, but they're in the range, so they should be OK,
> >> right?
> >>
> >> Is it really an error? Or is it just indicating that the port has
> >> already been set.
> >>
> >> Thanks,
> >>
> >> Dan
> >>
> >> > It's probably best to completely remove the replica. You could try to use
> >> > dogtag specific commands to uninstall and install the ca - but then the
> >> > rest of the ipa install scripts would be confused.
> >> >
> >> > Ade
> >> >
> >> > On Wed, 2012-02-29 at 13:44 -0500, Dan Scott wrote:
> >> >> Anyone have any suggestions for how I can fix this?
> >> >>
> >> >> Dan
> >> >>
> >> >> On Mon, Feb 27, 2012 at 21:06, Dan Scott <danieljamessc...@gmail.com>
> >> >> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I'm having another problem with replica installation - just the CA
> >> >> > this time
> >> >> >
> >> >> > It looks like there's a problem with SELinux and the pki-ca service:
> >> >> >
> >> >> > After configuration, the server can be operated by the command:
> >> >> >
> >> >> > /bin/systemctl restart pki-cad@pki-ca.service
> >> >> >
> >> >> >
> >> >> > 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
> >> >> > context pki_ca_port_t for 9180. Port already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9701. Port
> >> >> > already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9443. Port
> >> >> > already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9444. Port
> >> >> > already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9446. Port
> >> >> > already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9445. Port
> >> >> > already defined otherwise.
> >> >> > [error] Failed setting selinux context pki_ca_port_t for 9447. Port
> >> >> > already defined otherwise.
> >> >> > [error] FAILED run_command("/bin/systemctl restart
> >> >> > pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system
> >> >> > logs and 'systemctl status' for details."
> >> >> >
> >> >> > 2012-02-27 20:33:45,729 DEBUG duration: 6 seconds
> >> >> > 2012-02-27 20:33:45,730 DEBUG [3/11]: configuring certificate
> >> >> > server instance
> >> >> > [clip]
> >> >> > 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
> >> >> > #######################################################################
> >> >> > CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
> >> >> > tokenpwd:XXXXXXXX
> >> >> > #############################################
> >> >> > Attempting to connect to: fileserver3.example.com:9445
> >> >> > Exception in LoginPanel(): java.lang.NullPointerException
> >> >> > ERROR: ConfigureCA: LoginPanel() failure
> >> >> > ERROR: unable to create CA
> >> >> >
> >> >> > #######################################################################
> >> >> >
> >> >> > 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
> >> >> > Request:java.net.ConnectException: Connection refused
> >> >> > java.net.ConnectException: Connection refused
> >> >> > at java.net.PlainSocketImpl.socketConnect(Native Method)
> >> >> > at
> >> >> > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> >> >> > at
> >> >> > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> >> >> > at
> >> >> > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> >> >> > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
> >> >> > at java.net.Socket.connect(Socket.java:546)
> >> >> > at java.net.Socket.connect(Socket.java:495)
> >> >> > at java.net.Socket.<init>(Socket.java:392)
> >> >> > at java.net.Socket.<init>(Socket.java:235)
> >> >> > at HTTPClient.sslConnect(HTTPClient.java:326)
> >> >> > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> >> >> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >> >> > at ConfigureCA.main(ConfigureCA.java:1672)
> >> >> > java.lang.NullPointerException
> >> >> > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> >> >> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >> >> > at ConfigureCA.main(ConfigureCA.java:1672)
> >> >> >
> >> >> > /var/log/messages contains the following:
> >> >> >
> >> >> > Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
> >> >> > Connection reset by peer
> >> >> > Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
> >> >> > context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
> >> >> > Feb 27 20:57:26 localhost systemd[1]: pki-cad@pki-ca.service: control
> >> >> > process exited, code=exited status=1
> >> >> > Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad@pki-ca.service
> >> >> > entered failed state.
> >> >> >
> >> >> > This is a fresh install of Fedora 16. There are no updates to apply.
> >> >> >
> >> >> > Any ideas?
> >> >> >
> >> >> > One more thing. Is there a way to remove and reinstall just the CA? Or
> >> >> > do I have to completely remove and re-install the entire IPA replica?
> >> >> > i.e. Is there something like ipa-ca-install --uninstall I couldn't see
> >> >> > the option anywhere.
> >> >> >
> >> >> > Thanks,
> >> >> >
> >> >> > Dan
> >> >>
> >> >> _______________________________________________
> >> >> Freeipa-users mailing list
> >> >> Freeipa-users@redhat.com
> >> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> >
> >> >
> >
> >

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
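
The range question in the quoted exchange (a `grep` for 9444 finds nothing, yet the port sits inside `9443-9447`) can be checked mechanically. The following is an added example, not part of the original thread or of the pki/IPA tooling: the function names `port_types` and `check_ports` and the type `example_port_t` are hypothetical, and the sample listing is constructed from the one `semanage port -l` line quoted in the thread.

```shell
#!/bin/sh
# Added example: resolve which SELinux port type(s) cover a port in
# `semanage port -l` style output, honouring ranges such as 9443-9447.

# Constructed sample; only the pki_ca_port_t row comes from the thread.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

pki_ca_port_t                  tcp      9180, 9701, 9443-9447
example_port_t                 tcp      9448, 9500-9510'

# port_types LISTING PROTO PORT -> prints every type whose list covers PORT
port_types() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            # Join fields 3..NF into one comma-separated list.
            list = ""
            for (i = 3; i <= NF; i++) list = list $i
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = items[i]
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# check_ports LISTING EXPECTED_TYPE PROTO PORT... -> non-zero on any mismatch
check_ports() {
    listing=$1 expected=$2 proto=$3; shift 3
    rc=0
    for p in "$@"; do
        types=$(port_types "$listing" "$proto" "$p" | tr '\n' ' ')
        case " $types" in
            *" $expected "*) ;;
            *) echo "port $p/$proto: expected $expected, found: ${types:-none}"
               rc=1 ;;
        esac
    done
    return $rc
}

# The seven ports from the installer error messages in the thread.
check_ports "$SAMPLE_LISTING" pki_ca_port_t tcp 9180 9701 9443 9444 9445 9446 9447 \
    && echo "all seven ports are covered by pki_ca_port_t"
```

On a live system the first argument would be `"$(semanage port -l)"` instead of the constructed sample.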