Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED
Have resolved the issues below by completely removing FreeIPA and starting from scratch. Here is the procedure to completely remove FreeIPA so you can start again.

ipa-server-install --uninstall
certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs
userdel pkisrv
userdel pkiuser
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa*
reboot

Now you have a clean slate. Then install works as normal for IPA Server, Replica and CA Replica installations.

Hope this saves someone else time in the future.

Regards,

Les

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 18 February 2015 6:27 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> Has anyone got any ideas on the below errors I am now receiving?
>
> Thanks in advance,
>
> Les
>
> > > I will test this out (update to 3.7.19-260) next week as I've got a
> > > few more CA replicas to set up.
> >
> > I'm still having issues. Different one this time.
> >
> > As I have previously worked around the install of CA replicas in my
> > production environment as above, I went to set up CA replication in DR
> > (both environments are completely separate).
> >
> > Making sure I did a yum update for all packages, including selinux-policy,
> > and also making sure all needed modules were loaded in httpd.conf, I
> > proceeded to retry installation of CA replication. However, it failed
> > with the following:
> >
> > Note: sb2sys01.domain.com is the replica I am trying to install
> >
> > (abbreviated below)
> >
> > #
> > Attempting to connect to: sb2sys01.domain.com:9445
> > Connected.
> > Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
> > RESPONSE STATUS: HTTP/1.1 200 OK
> > RESPONSE HEADER: Server: Apache-Coyote/1.1
> > RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
> > RESPONSE HEADER: Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > admin/console/config/restorekeycertpanel.vm
> > failure
> > The pkcs12 file is not correct.
> > 19
> > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > ERROR: unable to create CA
> >
> > In /var/log/pki-ca/catalina.out I see...
> >
> > CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started.
> >
> > Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).
> >
> > grep DirAclAuthz /etc/pki-ca/CS.cfg
> > authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> > authz.instance.DirAclAuthz.ldap=internaldb
> > authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> > authz.instance.DirAclAuthz.ldap._000=##
> > authz.instance.DirAclAuthz.ldap._001=## Internal Database
> > authz.instance.DirAclAuthz.ldap._002=##
> > authz.instance.DirAclAuthz.ldap.basedn=
> > authz.instance.DirAclAuthz.ldap.maxConns=15
> > authz.instance.DirAclAuthz.ldap.minConns=3
> > authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> > authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> > authz.instance.DirAclAuthz.ldap.ldapconn.host=
> > authz.instance.DirAclAuthz.ldap.
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
Has anyone got any ideas on the below errors I am now receiving?

Thanks in advance,

Les

> > I will test this out (update to 3.7.19-260) next week as I've got a
> > few more CA replicas to set up.
>
> I'm still having issues. Different one this time.
>
> As I have previously worked around the install of CA replicas in my
> production environment as above, I went to set up CA replication in DR
> (both environments are completely separate).
>
> Making sure I did a yum update for all packages, including selinux-policy,
> and also making sure all needed modules were loaded in httpd.conf, I
> proceeded to retry installation of CA replication. However, it failed
> with the following:
>
> Note: sb2sys01.domain.com is the replica I am trying to install
>
> (abbreviated below)
>
> #
> Attempting to connect to: sb2sys01.domain.com:9445
> Connected.
> Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
> RESPONSE HEADER: Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> admin/console/config/restorekeycertpanel.vm
> failure
> The pkcs12 file is not correct.
> 19
> Error in RestoreKeyCertPanel(): updateStatus returns failure
> ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> ERROR: unable to create CA
>
> In /var/log/pki-ca/catalina.out I see...
>
> CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started.
>
> Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).
>
> grep DirAclAuthz /etc/pki-ca/CS.cfg
> authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> authz.instance.DirAclAuthz.ldap=internaldb
> authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> authz.instance.DirAclAuthz.ldap._000=##
> authz.instance.DirAclAuthz.ldap._001=## Internal Database
> authz.instance.DirAclAuthz.ldap._002=##
> authz.instance.DirAclAuthz.ldap.basedn=
> authz.instance.DirAclAuthz.ldap.maxConns=15
> authz.instance.DirAclAuthz.ldap.minConns=3
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> authz.instance.DirAclAuthz.ldap.ldapconn.host=
> authz.instance.DirAclAuthz.ldap.ldapconn.port=
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
>
> The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt
>
> I don't see any errors in httpd error or access logs on the master or the intended replica.
>
> The ipa-pki-proxy.conf config has the profilesubmit section.
>
> # matches for ee port
> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> I can confirm that pki-cad does start (but is unconfigured) and that it does listen on port 9445.
>
> # netstat -apn |grep 9445
> tcp        0      0 :::9445      :::*      LISTEN      31264/java
> # service pki-cad status
> pki-ca (pid 31264) is running... [ OK ]
> 'pki-ca' must still be CONFIGURED!
> (see /var/log/pki-ca-install.log)
>
> I am not sure what to try next.
>
> Appreciate any help to get over this error.
>
> Thanks,
>
> Les

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Saturday, 7 February 2015 9:39 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> > -Original Message-
> > From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> > Sent: Saturday, 7 February 2015 1:53 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
> > Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> >
> > On 2/6/2015 8:39 AM, Martin Kosek wrote:
> > >> Reinstalling the pki-selinux rpm (found references in some other forum
> > >> posts) via yum reinstall pki-selinux is not enough to help.
> > >>
> > >> The solution is as follows:
> > >>
> > >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> > >> pki-java-tools pki-symkey pki-util pki-native-tools
> > >> which takes components back to 9.0.3-32
> > >> then
> > >> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent
> > >> pki-java-tools pki-symkey pki-util pki-native-tools
> > >> then (after cleaning up half installed pki components)
> > >> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> > >>
> > >> Then, the CA replication completes successfully.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > I saw this one around, e.g. in:
> > >
> > > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> > >
> > > Did you try reinstalling pki-selinux before ipa-server-install?
> > >
> > > Endi/Matthew, do we have a bug/fix for this?
> > >
> > > Thanks,
> > > Martin
> >
> > Yes, we have a ticket for this:
> > https://fedorahosted.org/pki/ticket/1243
> > The default selinux-policy is version 3.7.19-231. It needs to be
> > updated to at least version 3.7.19-260.
> >
> > --
> > Endi S. Dewata
>
> I will test this out (update to 3.7.19-260) next week as I've got a few more
> CA replicas to set up.

I'm still having issues. Different one this time.

As I have previously worked around the install of CA replicas in my production environment as above, I went to set up CA replication in DR (both environments are completely separate).

Making sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf, I proceeded to retry installation of CA replication. However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install

(abbreviated below)

#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
admin/console/config/restorekeycertpanel.vm
failure
The pkcs12 file is not correct.
19
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA

In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> -Original Message-
> From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> Sent: Saturday, 7 February 2015 1:53 AM
> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> On 2/6/2015 8:39 AM, Martin Kosek wrote:
> >> Reinstalling the pki-selinux rpm (found references in some other forum
> >> posts) via yum reinstall pki-selinux is not enough to help.
> >>
> >> The solution is as follows:
> >>
> >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> >> pki-java-tools pki-symkey pki-util pki-native-tools
> >> which takes components back to 9.0.3-32
> >> then
> >> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent
> >> pki-java-tools pki-symkey pki-util pki-native-tools
> >> then (after cleaning up half installed pki components)
> >> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >>
> >> Then, the CA replication completes successfully.
> >>
> >> Regards,
> >>
> >> Les
> >
> > I saw this one around, e.g. in:
> >
> > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> >
> > Did you try reinstalling pki-selinux before ipa-server-install?
> >
> > Endi/Matthew, do we have a bug/fix for this?
> >
> > Thanks,
> > Martin
>
> Yes, we have a ticket for this:
> https://fedorahosted.org/pki/ticket/1243
> The default selinux-policy is version 3.7.19-231. It needs to be updated to at
> least version 3.7.19-260.
>
> --
> Endi S. Dewata

I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to set up.

Thanks,

Les
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Saturday, 7 February 2015 1:40 AM
> To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
>
> On 02/06/2015 06:59 AM, Les Stott wrote:
> > Hi,
> >
> > I found a bug in the pki packages and CA replica installation.
> >
> > Environment:
> > Rhel 6.6
> > IPA Server 3.0.0-42
> > Pki components:
> > pki-symkey-9.0.3-38.el6_6.x86_64
> > pki-common-9.0.3-38.el6_6.noarch
> > pki-setup-9.0.3-38.el6_6.noarch
> > pki-selinux-9.0.3-38.el6_6.noarch
> > pki-java-tools-9.0.3-38.el6_6.noarch
> > pki-ca-9.0.3-38.el6_6.noarch
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > pki-native-tools-9.0.3-38.el6_6.x86_64
> > pki-util-9.0.3-38.el6_6.noarch
> > pki-silent-9.0.3-38.el6_6.noarch
> > Selinux:
> > Permissive
> >
> > When running a CA replica installation it fails because pki-cad cannot start
> > due to selinux context issues.
> >
> > Samples from the ipareplica-ca-install.log...
> >
> > =
> > 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> > /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
> >
> > 2015-02-05T08:20:04Z DEBUG duration: 6 seconds
> > 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
> > #
> > Attempting to connect to: sb1sys02.mydomain.com:9445
> > Exception in LoginPanel(): java.lang.NullPointerException
> > ERROR: ConfigureCA: LoginPanel() failure
> > ERROR: unable to create CA
> >
> > ###
> >
> > 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> >
> > ==
> >
> > In short pki-cad fails to start and stops the installer.
> >
> > Reinstalling the pki-selinux rpm (found references in some other forum
> > posts) via yum reinstall pki-selinux is not enough to help.
> >
> > The solution is as follows:
> >
> > yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> > pki-java-tools pki-symkey pki-util pki-native-tools
> > which takes components back to 9.0.3-32
> > then
> > yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent
> > pki-java-tools pki-symkey pki-util pki-native-tools
> > then (after cleaning up half installed pki components)
> > ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >
> > Then, the CA replication completes successfully.
> >
> > Regards,
> >
> > Les
>
> I saw this one around, e.g. in:
>
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>
> Did you try reinstalling pki-selinux before ipa-server-install?

Yes, tried this. But it was not enough.

> Endi/Matthew, do we have a bug/fix for this?
>
> Thanks,
> Martin
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 2/6/2015 8:39 AM, Martin Kosek wrote:
>> Reinstalling the pki-selinux rpm (found references in some other forum
>> posts) via yum reinstall pki-selinux is not enough to help.
>>
>> The solution is as follows:
>>
>> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
>> pki-java-tools pki-symkey pki-util pki-native-tools
>> which takes components back to 9.0.3-32
>> then
>> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent
>> pki-java-tools pki-symkey pki-util pki-native-tools
>> then (after cleaning up half installed pki components)
>> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
>>
>> Then, the CA replication completes successfully.
>>
>> Regards,
>>
>> Les
>
> I saw this one around, e.g. in:
>
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>
> Did you try reinstalling pki-selinux before ipa-server-install?
>
> Endi/Matthew, do we have a bug/fix for this?
>
> Thanks,
> Martin

Yes, we have a ticket for this:
https://fedorahosted.org/pki/ticket/1243
The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260.

-- 
Endi S. Dewata
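The two checks below are an added example for this thread and are not code from the FreeIPA or Dogtag projects or from any of the posters. They cover the two failure modes the thread reports: the selinux-policy minimum (3.7.19-260) that Endi cites above for pki ticket 1243, and the half-configured /etc/pki-ca/CS.cfg with empty `ldapconn.host=` / `ldapconn.port=` values that Les later sees behind the "Property internaldb.ldapconn.port missing value" warning in catalina.out. The version parser, the `preflight` wrapper and the sample CS.cfg fragment are assumptions written for the example; the sample is modelled on the grep output in the thread, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): pre-flight checks to run
# on a RHEL 6 host before ipa-ca-install, for the two failures discussed above.
#   1. selinux-policy older than 3.7.19-260 (minimum cited by Endi for pki
#      ticket 1243) prevents pki-cad from starting under the pki_ca contexts.
#   2. A pki-ca instance that started but never got configured leaves empty
#      values in /etc/pki-ca/CS.cfg (e.g. internaldb.ldapconn.port=), which
#      surfaces as "Property ... missing value" in catalina.out.

MIN_SELINUX_POLICY="3.7.19-260"   # value from Endi's reply; adjust if the ticket moves it

# vercmp A B: compare X.Y.Z-R style versions field by field, numerically.
# Prints lt, eq or gt. A trailing distro tag such as ".el6" is ignored.
vercmp() {
    va="$(printf '%s' "$1" | sed 's/[^0-9.-].*$//; s/[.-]/ /g') "
    vb="$(printf '%s' "$2" | sed 's/[^0-9.-].*$//; s/[.-]/ /g') "
    i=1
    while :; do
        fa=$(printf '%s' "$va" | cut -d' ' -f"$i")
        fb=$(printf '%s' "$vb" | cut -d' ' -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then echo eq; return 0; fi
        fa=${fa:-0}; fb=${fb:-0}          # missing field counts as 0 (3.7.19 < 3.7.19-260)
        if [ "$fa" -lt "$fb" ]; then echo lt; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
}

# selinux_policy_ok VERSION: succeeds if VERSION is at least MIN_SELINUX_POLICY.
selinux_policy_ok() {
    [ "$(vercmp "$1" "$MIN_SELINUX_POLICY")" != lt ]
}

# empty_props FILE: print every key in a CS.cfg-style file whose value is empty.
# An unconfigured instance shows its LDAP connection keys here.
empty_props() {
    sed -n 's/^\([A-Za-z0-9_.]*\)=[[:space:]]*$/\1/p' "$1"
}

# write_sample_cfg FILE: constructed sample modelled on the grep output in the
# thread (assumption for the demo, not a file from a real replica).
write_sample_cfg() {
    cat > "$1" <<'EOF'
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
EOF
}

# preflight [CS.cfg]: run both checks against the live host. Returns 1 on any
# finding so it can gate a deployment script. Harmless where rpm is absent.
preflight() {
    cfg=${1:-/etc/pki-ca/CS.cfg}
    rc=0
    if command -v rpm >/dev/null 2>&1 && rpm -q selinux-policy >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy)
        if ! selinux_policy_ok "$ver"; then
            echo "selinux-policy $ver is older than $MIN_SELINUX_POLICY; update it before ipa-ca-install"
            rc=1
        fi
    fi
    if [ -r "$cfg" ]; then
        missing=$(empty_props "$cfg")
        if [ -n "$missing" ]; then
            echo "unconfigured (empty) properties in $cfg:"
            echo "$missing"
            rc=1
        fi
    fi
    return $rc
}

# Offline demo on the constructed sample; run preflight on the real host instead.
sample=$(mktemp)
write_sample_cfg "$sample"
echo "empty properties in sample CS.cfg:"
empty_props "$sample"
rm -f "$sample"
```

On a host where `rpm -q selinux-policy` reports 3.7.19-231, `preflight` prints the version finding and exits non-zero; after the update to 3.7.19-260 (or later) only the CS.cfg check remains, and an instance that has been fully configured by ipa-ca-install lists no empty `ldapconn` keys.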
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 02/06/2015 06:59 AM, Les Stott wrote:
> Hi,
>
> I found a bug in the pki packages and CA replica installation.
>
> Environment:
> Rhel 6.6
> IPA Server 3.0.0-42
> Pki components:
> pki-symkey-9.0.3-38.el6_6.x86_64
> pki-common-9.0.3-38.el6_6.noarch
> pki-setup-9.0.3-38.el6_6.noarch
> pki-selinux-9.0.3-38.el6_6.noarch
> pki-java-tools-9.0.3-38.el6_6.noarch
> pki-ca-9.0.3-38.el6_6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-native-tools-9.0.3-38.el6_6.x86_64
> pki-util-9.0.3-38.el6_6.noarch
> pki-silent-9.0.3-38.el6_6.noarch
> Selinux:
> Permissive
>
> When running a CA replica installation it fails because pki-cad cannot start
> due to selinux context issues.
>
> Samples from the ipareplica-ca-install.log...
>
> =
> 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
>
> 2015-02-05T08:20:04Z DEBUG duration: 6 seconds
> 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
> #
> Attempting to connect to: sb1sys02.mydomain.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
>
> ###
>
> 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
>
> ==
>
> In short pki-cad fails to start and stops the installer.
>
> Reinstalling the pki-selinux rpm (found references in some other forum posts)
> via yum reinstall pki-selinux is not enough to help.
>
> The solution is as follows:
>
> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> pki-java-tools pki-symkey pki-util pki-native-tools
> which takes components back to 9.0.3-32
> then
> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent
> pki-java-tools pki-symkey pki-util pki-native-tools
> then (after cleaning up half installed pki components)
> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
>
> Then, the CA replication completes successfully.
>
> Regards,
>
> Les

I saw this one around, e.g. in:

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin
[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Hi,

I found a bug in the pki packages and CA replica installation.

Environment:
Rhel 6.6
IPA Server 3.0.0-42
Pki components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-ca-9.0.3-38.el6_6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-util-9.0.3-38.el6_6.noarch
pki-silent-9.0.3-38.el6_6.noarch
Selinux:
Permissive

When running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.

Samples from the ipareplica-ca-install.log...

=
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"

2015-02-05T08:20:04Z DEBUG duration: 6 seconds
2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
#
Attempting to connect to: sb1sys02.mydomain.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA

###

2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused

==

In short pki-cad fails to start and stops the installer.

Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,

Les