Have resolved the issues below by completely removing FreeIPA and starting from scratch.

Here is the procedure to completely remove FreeIPA so you can start again.

    ipa-server-install --uninstall
    certutil -d /etc/httpd/alias -D -n "Server-Cert"
    certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
    certutil -d /etc/httpd/alias -D -n ipaCert
    certutil -d /etc/httpd/alias -D -n Signing-Cert
    yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs
    userdel pkisrv
    userdel pkiuser
    rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa*
    reboot

Now you have a clean slate. Then the install works as normal for IPA Server, Replica and CA Replica installations.

Hope this saves someone else time in the future.

Regards,

Les

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 18 February 2015 6:27 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
>
> Has anyone got any ideas on the below errors I am now receiving?
>
> Thanks in advance,
>
> Les
>
> > > I will test this out (update to 3.7.19-260) next week as I've got a
> > > few more CA replicas to setup.
> >
> > I'm still having issues. Different one this time.
> >
> > As I have previously worked around the install of CA replicas in my
> > production environment as above, I went to setup CA
> > replication in DR (both environments are completely separate).
> >
> > Making sure I did a yum update for all packages, including
> > selinux-policy, and also making sure all needed modules were loaded in
> > httpd.conf, I proceeded to retry installation of CA replication.
> > However, it failed with the following:
> >
> > Note: sb2sys01.domain.com is the replica I am trying to install....
> >
> > (abbreviated below)
> >
> > #############################################
> > Attempting to connect to: sb2sys01.domain.com:9445
> > Connected.
> > Posting Query =
> > https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> > RESPONSE STATUS: HTTP/1.1 200 OK
> > RESPONSE HEADER: Server: Apache-Coyote/1.1
> > RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
> > RESPONSE HEADER: Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- BEGIN COPYRIGHT BLOCK
> >
> > END COPYRIGHT BLOCK -->
> > <response>
> > <panel>admin/console/config/restorekeycertpanel.vm</panel>
> > <res/>
> > <updateStatus>failure</updateStatus>
> > <password/>
> > <errorString>The pkcs12 file is not correct.</errorString>
> > <size>19</size>
> > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > ERROR: unable to create CA
> >
> > ############################################
> >
> > In /var/log/pki-ca/catalina.out I see...
> >
> > CMS Warning: FAILURE: Cannot build CA chain. Error
> > java.security.cert.CertificateException: Certificate is not a PKCS #11
> > certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> > skipped, error=Property internaldb.ldapconn.port missing value|
> > Server is started.
> >
> > Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with
> > a working system).
> >
> > grep DirAclAuthz /etc/pki-ca/CS.cfg
> > authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> > authz.instance.DirAclAuthz.ldap=internaldb
> > authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> > authz.instance.DirAclAuthz.ldap._000=##
> > authz.instance.DirAclAuthz.ldap._001=## Internal Database
> > authz.instance.DirAclAuthz.ldap._002=##
> > authz.instance.DirAclAuthz.ldap.basedn=
> > authz.instance.DirAclAuthz.ldap.maxConns=15
> > authz.instance.DirAclAuthz.ldap.minConns=3
> > authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> > authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> > authz.instance.DirAclAuthz.ldap.ldapconn.host=
> > authz.instance.DirAclAuthz.ldap.ldapconn.port=
> > authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> > authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
> >
> > The CA cert looks ok to me on the master. It does get copied to the
> > replica in /usr/share/ipa/html/ca.crt
> >
> > I don't see any errors in httpd error or access logs on the master or
> > the intended replica.
> >
> > The ipa-pki-proxy.conf config has the profilesubmit section.
> >
> > # matches for ee port
> > <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
> >
> > I can confirm that pki-cad does start (but is unconfigured) and that
> > it does listen on port 9445.
> >
> > # netstat -apn |grep 9445
> > tcp        0      0 :::9445                     :::*                        LISTEN      31264/java
> > # service pki-cad status
> > pki-ca (pid 31264) is running...                           [  OK  ]
> > 'pki-ca' must still be CONFIGURED!
> > (see /var/log/pki-ca-install.log)
> >
> > I am not sure what to try next.
> >
> > Appreciate any help to get over this error.
> >
> > Thanks,
> >
> > Les
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
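An added check, not part of Les's message or of FreeIPA itself: a POSIX sh script that verifies the removal procedure above really left nothing behind (stale NSS certificates, service users, directories) before a reinstall is attempted. The paths, users and certificate nicknames are the ones the procedure lists; the NSS database at /etc/httpd/alias and the "MYDOMAIN.COM IPA CA" nickname are assumed as written there.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the FreeIPA/Dogtag
# removal procedure above left a clean slate. Paths, users and nicknames come
# from that procedure; /etc/httpd/alias and "MYDOMAIN.COM IPA CA" are assumed.
IPA_PATHS="/etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger \
/etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa"
IPA_USERS="pkisrv pkiuser"
IPA_NSS_DB="/etc/httpd/alias"
IPA_NICKS='Server-Cert
MYDOMAIN.COM IPA CA
ipaCert
Signing-Cert'
# Print each path in the space-separated list $1 that still exists.
leftover_paths() {
  for p in $1; do
    [ -e "$p" ] && echo "$p"
  done
  return 0
}
# Print each user in the space-separated list $1 that still has a passwd entry.
leftover_users() {
  for u in $1; do
    getent passwd "$u" >/dev/null 2>&1 && echo "$u"
  done
  return 0
}
# Read 'certutil -L' output on stdin; print the nicknames from the
# newline-separated list $1 (nicknames may contain spaces) still present.
leftover_nss_certs() {
  # certutil -L lines look like "<nickname>   <trust flags>"; drop the flags.
  present=$(sed -E 's/ {2,}[A-Za-z,]*$//')
  printf '%s\n' "$1" | while IFS= read -r nick; do
    [ -n "$nick" ] || continue
    printf '%s\n' "$present" | grep -qxF -- "$nick" && echo "$nick"
  done
  return 0
}
# Report every leftover; return 1 if anything remains, 0 if the host is clean.
ipa_clean_check() {
  left=$(leftover_paths "$IPA_PATHS"; leftover_users "$IPA_USERS")
  if [ -d "$IPA_NSS_DB" ] && command -v certutil >/dev/null 2>&1; then
    left="$left
$(certutil -d "$IPA_NSS_DB" -L | leftover_nss_certs "$IPA_NICKS")"
  fi
  left=$(printf '%s\n' "$left" | sed '/^$/d')
  [ -z "$left" ] && { echo "clean"; return 0; }
  printf 'leftovers:\n%s\n' "$left"; return 1
}
```

Source the file and run `ipa_clean_check` as root after the reboot; a non-zero exit lists what still has to be removed before ipa-server-install or ipa-ca-install is run again.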