> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Saturday, 7 February 2015 9:39 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> > -----Original Message-----
> > From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> > Sent: Saturday, 7 February 2015 1:53 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
> > Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> >
> > On 2/6/2015 8:39 AM, Martin Kosek wrote:
> > >> Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
> > >>
> > >> The solution is as follows:
> > >>
> > >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> > >> which takes components back to 9.0.3-32
> > >> then yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> > >> then (after cleaning up half installed pki components) ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> > >>
> > >> Then, the CA replication completes successfully.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > I saw this one around, e.g. in:
> > >
> > > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> > >
> > > Did you try reinstalling pki-selinux before ipa-server-install?
> > >
> > > Endi/Matthew, do we have a bug/fix for this?
> > >
> > > Thanks,
> > > Martin
> > >
> >
> > Yes, we have a ticket for this:
> > https://fedorahosted.org/pki/ticket/1243
> > The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260.
> >
> > --
> > Endi S. Dewata
>
> I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup.
>
I'm still having issues. Different one this time.

As I have previously worked around the install of CA replicas in my Production environment as above, I went to setup CA replication in DR (both environments are completely separate).

Making sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf, I proceeded to retry installation of CA replication. However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install.... (abbreviated below)

#############################################
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA
############################################

In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false

The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt

I don't see any errors in httpd error or access logs on the master or the intended replica.

The ipa-pki-proxy.conf config has the profilesubmit section.

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

I can confirm that pki-cad does start (but is unconfigured) and that it does listen on port 9445.

# netstat -apn |grep 9445
tcp        0      0 :::9445          :::*             LISTEN      31264/java

# service pki-cad status
pki-ca (pid 31264) is running...                           [  OK  ]
'pki-ca' must still be CONFIGURED!    (see /var/log/pki-ca-install.log)

I am not sure what to try next. Appreciate any help to get over this error.

Thanks,

Les

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
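The catalina.out error above ("Property internaldb.ldapconn.port missing value") and the grep of CS.cfg point at the same thing: the DirAclAuthz instance's LDAP connection properties were never filled in. The following checker is an added example, not code from this thread or from the pki project. It assumes only what the post shows: that CS.cfg is a flat key=value file, that the instance's `ldap=internaldb` value names a second property prefix whose `ldapconn.*` keys the server also reads, and that `ldapconn.host`, `ldapconn.port` and `basedn` are the keys that must carry a value (that list, and the `internaldb.*` sample lines, are assumptions for illustration). Given a real CS.cfg path it reports every such key that is empty or absent, so a half-configured replica can be spotted before comparing files by hand.

```python
"""Report LDAP connection properties left empty in a pki-ca CS.cfg.

Added example (not from the mailing-list thread or the pki project).
Assumption: CS.cfg is a flat 'key=value' file, and the authz instance's
'ldap=<name>' value names another property block whose ldapconn.* keys the
server also reads (the catalina.out error names internaldb.ldapconn.port).
"""
import sys

# Constructed sample: the DirAclAuthz lines as posted in the thread, plus
# hypothetical internaldb.* lines (not shown in the thread) left empty.
SAMPLE_CS_CFG = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.basedn=
"""

# Keys (relative to a prefix) assumed to need a value before DirAclAuthz
# can initialise; inferred from the error and the grep, not from pki docs.
REQUIRED_SUFFIXES = ("ldapconn.host", "ldapconn.port", "basedn")


def parse_cs_cfg(text):
    """Parse CS.cfg text into a dict of key -> value.

    Values may themselves contain '=' (bindDN=cn=Directory Manager does),
    so split on the first '=' only. Blank and '#' comment lines are skipped.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def ldap_prefixes_for(props, instance="DirAclAuthz"):
    """Prefixes whose ldap keys matter for one authz instance.

    Always the instance's own 'ldap.' subtree; additionally, if the bare
    'ldap=' key names another block (internaldb), that block's prefix too.
    """
    base = "authz.instance.%s.ldap" % instance
    prefixes = [base + "."]
    target = props.get(base, "")
    if target and not target.startswith("#"):
        prefixes.append(target + ".")
    return prefixes


def find_empty_required(props, instance="DirAclAuthz"):
    """Sorted list of required LDAP keys that are empty or absent."""
    missing = []
    for prefix in ldap_prefixes_for(props, instance):
        for suffix in REQUIRED_SUFFIXES:
            key = prefix + suffix
            if props.get(key, "") == "":
                missing.append(key)
    return sorted(missing)


def check_file(path, instance="DirAclAuthz"):
    """Run the check against a CS.cfg on disk (e.g. /etc/pki-ca/CS.cfg)."""
    with open(path) as fh:
        return find_empty_required(parse_cs_cfg(fh.read()), instance)


if __name__ == "__main__":
    # Usage: python cscfg_check.py [/etc/pki-ca/CS.cfg]; no argument runs
    # the constructed sample above.
    if len(sys.argv) > 1:
        empties = check_file(sys.argv[1])
    else:
        empties = find_empty_required(parse_cs_cfg(SAMPLE_CS_CFG))
    for key in empties:
        print("empty or missing: %s" % key)
    print("%d required LDAP properties unset" % len(empties))
```

On the sample the checker lists six unset keys (three under the instance's own `ldap.` subtree and three under `internaldb.`); on a working replica it should print nothing, which makes it a quick way to compare a failed install against a known-good system without diffing whole files.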