Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED

2015-02-24 Thread Les Stott
Have resolved the issues below by completely removing FreeIPA and starting from 
scratch.

Here is the procedure to completely remove FreeIPA so you can start again. 

ipa-server-install --uninstall
certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools \
  pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client \
  ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base \
  389-ds-base-libs
userdel pkisrv
userdel pkiuser
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger \
  /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki \
  /etc/ipa /var/log/ipa*
reboot

Now you have a clean slate.

Then install works as normal for IPA Server, Replica and CA Replica 
installations.

Hope this saves someone else time in the future.

Regards,

Les

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 18 February 2015 6:27 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
> 
> Has anyone got any ideas on the below errors I am now receiving?
> 
> Thanks in advance,
> 
> Les
> 
> > >
> > > I will test this out (update to 3.7.19-260) next week as I've got a
> > > few more CA replicas to setup.
> > >
> >
> > I'm still having issues. Different one this time.
> >
> > As I have previously worked around the install of CA replicas in my
> > Production environment as above, I went to set up CA replication in DR
> > (both environments are completely separate).
> >
> > Having made sure I did a yum update for all packages, including
> > selinux-policy, and that all needed modules were loaded in httpd.conf,
> > I proceeded to retry the installation of CA replication. However, it
> > failed with the following:
> >
> > Note: sb2sys01.domain.com is the replica I am trying to install
> >
> > (abbreviated below)
> >
> > #
> > Attempting to connect to: sb2sys01.domain.com:9445
> > Connected.
> > Posting Query =
> > https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
> > RESPONSE STATUS:  HTTP/1.1 200 OK
> > RESPONSE HEADER:  Server: Apache-Coyote/1.1
> > RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
> > RESPONSE HEADER:  Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > 
> > 
> >   admin/console/config/restorekeycertpanel.vm
> >   
> >   failure
> >   
> >   The pkcs12 file is not correct.
> >   19
> > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > ERROR: unable to create CA
> >
> > 
> >
> > In /var/log/pki-ca/catalina.out I see...
> >
> > CMS Warning: FAILURE: Cannot build CA chain. Error
> > java.security.cert.CertificateException: Certificate is not a PKCS #11
> > certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> > skipped, error=Property internaldb.ldapconn.port missing value|
> > Server is started.
> >
> > Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with
> > a working system).
> >
> > grep DirAclAuthz /etc/pki-ca/CS.cfg
> > authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> > authz.instance.DirAclAuthz.ldap=internaldb
> > authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> > authz.instance.DirAclAuthz.ldap._000=##
> > authz.instance.DirAclAuthz.ldap._001=## Internal Database
> > authz.instance.DirAclAuthz.ldap._002=##
> > authz.instance.DirAclAuthz.ldap.basedn=
> > authz.instance.DirAclAuthz.ldap.maxConns=15
> > authz.instance.DirAclAuthz.ldap.minConns=3
> > authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> > authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> > authz.instance.DirAclAuthz.ldap.ldapconn.host=
> > authz.instance.DirAclAuthz.ldap.

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-17 Thread Les Stott
Has anyone got any ideas on the below errors I am now receiving?

Thanks in advance,

Les

> >
> > I will test this out (update to 3.7.19-260) next week as I've got a
> > few more CA replicas to setup.
> >
> 
> I'm still having issues. Different one this time.
> 
> As I have previously worked around the install of CA replicas in my
> Production environment as above, I went to set up CA replication in DR
> (both environments are completely separate).
> 
> Having made sure I did a yum update for all packages, including
> selinux-policy, and that all needed modules were loaded in httpd.conf,
> I proceeded to retry the installation of CA replication. However, it
> failed with the following:
> 
> Note: sb2sys01.domain.com is the replica I am trying to install
> 
> (abbreviated below)
> 
> #
> Attempting to connect to: sb2sys01.domain.com:9445
> Connected.
> Posting Query =
> https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
> RESPONSE HEADER:  Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> 
> 
>   admin/console/config/restorekeycertpanel.vm
>   
>   failure
>   
>   The pkcs12 file is not correct.
>   19
> Error in RestoreKeyCertPanel(): updateStatus returns failure
> ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> ERROR: unable to create CA
> 
> 
> 
> In /var/log/pki-ca/catalina.out I see...
> 
> CMS Warning: FAILURE: Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> skipped, error=Property internaldb.ldapconn.port missing value| Server is
> started.
> 
> Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a
> working system).
> 
> grep DirAclAuthz /etc/pki-ca/CS.cfg
> authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> authz.instance.DirAclAuthz.ldap=internaldb
> authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> authz.instance.DirAclAuthz.ldap._000=##
> authz.instance.DirAclAuthz.ldap._001=## Internal Database
> authz.instance.DirAclAuthz.ldap._002=##
> authz.instance.DirAclAuthz.ldap.basedn=
> authz.instance.DirAclAuthz.ldap.maxConns=15
> authz.instance.DirAclAuthz.ldap.minConns=3
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> authz.instance.DirAclAuthz.ldap.ldapconn.host=
> authz.instance.DirAclAuthz.ldap.ldapconn.port=
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
> 
> The CA cert looks ok to me on the master. It does get copied to the replica in
> /usr/share/ipa/html/ca.crt
> 
> I don't see any errors in httpd error or access logs on the master or the
> intended replica.
> 
> The ipa-pki-proxy.conf config has the profilesubmit section.
> 
> # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
> 
> I can confirm that pki-cad does start (but is unconfigured) and that it does
> listen on port 9445.
> 
> # netstat -apn |grep 9445
> tcp        0      0 :::9445                     :::*                        LISTEN      31264/java
> # service pki-cad status
> pki-ca (pid 31264) is running...   [  OK  ]
> 'pki-ca' must still be CONFIGURED!
> (see /var/log/pki-ca-install.log)
> 
> I am not sure what to try next.
> 
> Appreciate any help to get over this error.
> 
> Thanks,
> 
> Les

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-13 Thread Les Stott


> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Saturday, 7 February 2015 9:39 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
> 
> 
> 
> > -Original Message-
> > From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> > Sent: Saturday, 7 February 2015 1:53 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
> > Subject: Re: [Freeipa-users] bug in pki during install of CA replica
> > and workaround/solution
> >
> > On 2/6/2015 8:39 AM, Martin Kosek wrote:
> > >> Reinstalling the pki-selinux rpm (found references in some other
> > >> forum
> > posts) via yum reinstall pki-selinux is not enough to help.
> > >>
> > >> The solution is as follows:
> > >>
> > >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> > >> pki-java-tools pki-symkey pki-util pki-native-tools which takes
> > >> components back to 9.0.3-32 then yum -y update  pki-selinux pki-ca
> > >> pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util
> > >> pki-native-tools then (after cleaning up half installed pki
> > >> components) ipa-ca-install
> > >> /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> > >>
> > >> Then, the CA replication completes successfully.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > I saw this one around, e.g. in:
> > >
> > > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> > >
> > > Did you try reinstalling pki-selinux before ipa-server-install?
> > >
> > > Endi/Matthew, do we have a bug/fix for this?
> > >
> > > Thanks,
> > > Martin
> > >
> >
> > Yes, we have a ticket for this:
> > https://fedorahosted.org/pki/ticket/1243
> > The default selinux-policy is version 3.7.19-231. It needs to be
> > updated to at least version 3.7.19-260.
> >
> > --
> > Endi S. Dewata
> 
> I will test this out (update to 3.7.19-260) next week as I've got a few more 
> CA
> replicas to setup.
> 

I'm still having issues. Different one this time.

As I have previously worked around the install of CA replicas in my Production 
environment as above, I went to set up CA replication in DR (both environments 
are completely separate).

Having made sure I did a yum update for all packages, including selinux-policy, 
and that all needed modules were loaded in httpd.conf, I proceeded to retry the 
installation of CA replication. However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install

(abbreviated below)

#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = 
https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER:  Connection: close



  admin/console/config/restorekeycertpanel.vm
  
  failure
  
  The pkcs12 file is not correct.
  19
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA



In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not a PKCS #11 
certificate|FAILURE: authz instance DirAclAuthz initialization failed and 
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a 
working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott


> -Original Message-
> From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> Sent: Saturday, 7 February 2015 1:53 AM
> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
> 
> On 2/6/2015 8:39 AM, Martin Kosek wrote:
> >> Reinstalling the pki-selinux rpm (found references in some other forum
> posts) via yum reinstall pki-selinux is not enough to help.
> >>
> >> The solution is as follows:
> >>
> >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> >> pki-java-tools pki-symkey pki-util pki-native-tools which takes
> >> components back to 9.0.3-32 then yum -y update  pki-selinux pki-ca
> >> pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util
> >> pki-native-tools then (after cleaning up half installed pki
> >> components) ipa-ca-install
> >> /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >>
> >> Then, the CA replication completes successfully.
> >>
> >> Regards,
> >>
> >> Les
> >
> > I saw this one around, e.g. in:
> >
> > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> >
> > Did you try reinstalling pki-selinux before ipa-server-install?
> >
> > Endi/Matthew, do we have a bug/fix for this?
> >
> > Thanks,
> > Martin
> >
> 
> Yes, we have a ticket for this:
> https://fedorahosted.org/pki/ticket/1243
> The default selinux-policy is version 3.7.19-231. It needs to be updated to at
> least version 3.7.19-260.
> 
> --
> Endi S. Dewata

I will test this out (update to 3.7.19-260) next week as I've got a few more CA 
replicas to setup.

Thanks,

Les



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott


> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Saturday, 7 February 2015 1:40 AM
> To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
> 
> On 02/06/2015 06:59 AM, Les Stott wrote:
> > Hi,
> >
> > I found a bug in the pki packages and CA replica installation.
> >
> > Environment:
> > Rhel 6.6
> > IPA Server 3.0.0-42
> > Pki components:
> > pki-symkey-9.0.3-38.el6_6.x86_64
> > pki-common-9.0.3-38.el6_6.noarch
> > pki-setup-9.0.3-38.el6_6.noarch
> > pki-selinux-9.0.3-38.el6_6.noarch
> > pki-java-tools-9.0.3-38.el6_6.noarch
> > pki-ca-9.0.3-38.el6_6.noarch
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > pki-native-tools-9.0.3-38.el6_6.x86_64
> > pki-util-9.0.3-38.el6_6.noarch
> > pki-silent-9.0.3-38.el6_6.noarch
> > Selinux:
> > Permissive
> >
> > When running a CA replica installation, it fails because pki-cad cannot start
> due to SELinux context issues.
> >
> > Samples from the ipareplica-ca-install.log...
> >
> > =
> > 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK
> ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> > /usr/bin/runcon: invalid context:
> unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
> >
> > 2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
> > 2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server
> instance
> > #
> > Attempting to connect to: sb1sys02.mydomain.com:9445
> > Exception in LoginPanel(): java.lang.NullPointerException
> > ERROR: ConfigureCA: LoginPanel() failure
> > ERROR: unable to create CA
> >
> >
> ###
> ###
> > #
> >
> > 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send
> > Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> >
> > ==
> >
> > In short pki-cad fails to start and stops the installer.
> >
> > Reinstalling the pki-selinux rpm (found references in some other forum
> posts) via yum reinstall pki-selinux is not enough to help.
> >
> > The solution is as follows:
> >
> > yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> > pki-java-tools pki-symkey pki-util pki-native-tools which takes
> > components back to 9.0.3-32 then yum -y update  pki-selinux pki-ca
> > pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util
> > pki-native-tools then (after cleaning up half installed pki
> > components) ipa-ca-install
> > /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >
> > Then, the CA replication completes successfully.
> >
> > Regards,
> >
> > Les
> 
> I saw this one around, e.g. in:
> 
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> 
> Did you try reinstalling pki-selinux before ipa-server-install?
> 

Yes, tried this. But it was not enough.


> Endi/Matthew, do we have a bug/fix for this?
> 
> Thanks,
> Martin



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Endi Sukma Dewata

On 2/6/2015 8:39 AM, Martin Kosek wrote:

> > Reinstalling the pki-selinux rpm (found references in some other forum posts)
> > via yum reinstall pki-selinux is not enough to help.
> >
> > The solution is as follows:
> >
> > yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools
> > pki-symkey pki-util pki-native-tools
> > which takes components back to 9.0.3-32
> > then
> > yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent
> > pki-java-tools pki-symkey pki-util pki-native-tools
> > then (after cleaning up half installed pki components)
> > ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >
> > Then, the CA replication completes successfully.
> >
> > Regards,
> >
> > Les
>
> I saw this one around, e.g. in:
>
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>
> Did you try reinstalling pki-selinux before ipa-server-install?
>
> Endi/Matthew, do we have a bug/fix for this?
>
> Thanks,
> Martin



Yes, we have a ticket for this:
https://fedorahosted.org/pki/ticket/1243
The default selinux-policy is version 3.7.19-231. It needs to be updated 
to at least version 3.7.19-260.


--
Endi S. Dewata



Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Martin Kosek
On 02/06/2015 06:59 AM, Les Stott wrote:
> Hi,
> 
> I found a bug in the pki packages and CA replica installation.
> 
> Environment:
> Rhel 6.6
> IPA Server 3.0.0-42
> Pki components:
> pki-symkey-9.0.3-38.el6_6.x86_64
> pki-common-9.0.3-38.el6_6.noarch
> pki-setup-9.0.3-38.el6_6.noarch
> pki-selinux-9.0.3-38.el6_6.noarch
> pki-java-tools-9.0.3-38.el6_6.noarch
> pki-ca-9.0.3-38.el6_6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-native-tools-9.0.3-38.el6_6.x86_64
> pki-util-9.0.3-38.el6_6.noarch
> pki-silent-9.0.3-38.el6_6.noarch
> Selinux:
> Permissive
> 
> When running a CA replica installation, it fails because pki-cad cannot start 
> due to SELinux context issues.
> 
> Samples from the ipareplica-ca-install.log...
> 
> =
> 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service 
> pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: 
> Invalid argument"
> 
> 2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
> 2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
> #
> Attempting to connect to: sb1sys02.mydomain.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
> 
> ###
> 
> 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send 
> Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
> 
> ==
> 
> In short pki-cad fails to start and stops the installer.
> 
> Reinstalling the pki-selinux rpm (found references in some other forum posts) 
> via yum reinstall pki-selinux is not enough to help.
> 
> The solution is as follows:
> 
> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent 
> pki-java-tools pki-symkey pki-util pki-native-tools
> which takes components back to 9.0.3-32
> then
> yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent 
> pki-java-tools pki-symkey pki-util pki-native-tools
> then (after cleaning up half installed pki components)
> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> 
> Then, the CA replication completes successfully.
> 
> Regards,
> 
> Les

I saw this one around, e.g. in:

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin



[Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-05 Thread Les Stott
Hi,

I found a bug in the pki packages and CA replica installation.

Environment:
Rhel 6.6
IPA Server 3.0.0-42
Pki components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-ca-9.0.3-38.el6_6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-util-9.0.3-38.el6_6.noarch
pki-silent-9.0.3-38.el6_6.noarch
Selinux:
Permissive

When running a CA replica installation, it fails because pki-cad cannot start 
due to SELinux context issues.

Samples from the ipareplica-ca-install.log...

=
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service 
pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: 
Invalid argument"

2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
#
Attempting to connect to: sb1sys02.mydomain.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA

###

2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send 
Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused

==

In short pki-cad fails to start and stops the installer.

Reinstalling the pki-selinux rpm (found references in some other forum posts) 
via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools \
  pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent \
  pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,

Les
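As an added example (not code from this thread or from the FreeIPA project), a pre-flight script that gates ipa-ca-install on the two conditions the thread settles on: the selinux-policy release Endi named, and CS.cfg properties that the 2015-02-13 message found blank on the unconfigured replica. The minimum release, the required-key list and both sample CS.cfg fragments are assumptions modelled on the thread.

```shell
#!/bin/bash
# Added pre-flight check, not from the thread: gate ipa-ca-install on
# (1) selinux-policy >= 3.7.19-260, the minimum Endi named for the
# pki_ca_script_t context failure, and (2) CS.cfg keys the 2015-02-13 message
# found blank ("Property internaldb.ldapconn.port missing value").
MIN_SELINUX_POLICY="3.7.19-260"
# vercmp_ge A B: exit 0 when version-release A >= B, comparing dot/dash
# separated fields numerically; non-numeric fields such as "el6" are skipped.
vercmp_ge() {
    a=$(printf '%s' "$1" | tr -- '-' '.')
    b=$(printf '%s' "$2" | tr -- '-' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # ran out of fields: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] 2>/dev/null && return 0
        [ "$x" -lt "$y" ] 2>/dev/null && return 1
        i=$((i + 1))
    done
}

selinux_policy_ok() {    # $1: installed selinux-policy "VERSION-RELEASE"
    vercmp_ge "$1" "$MIN_SELINUX_POLICY"
}

# Keys assumed to need a value on a configured pki-ca (the thread's grep shows
# them populated on a working system and empty on the failed replica).
REQUIRED_KEYS="internaldb.ldapconn.port
authz.instance.DirAclAuthz.ldap.basedn
authz.instance.DirAclAuthz.ldap.ldapconn.host
authz.instance.DirAclAuthz.ldap.ldapconn.port"
missing_cs_values() {    # $1: CS.cfg path; prints each absent or empty key
    for key in $REQUIRED_KEYS; do
        # exact key match; keep everything after the first '=' as the value
        val=$(awk -F= -v k="$key" '$1==k {print substr($0, length(k)+2); exit}' "$1")
        [ -n "$val" ] || printf '%s\n' "$key"
    done
}
count_missing_cs_values() { missing_cs_values "$1" | wc -l | tr -d ' '; }
preflight() {            # $1: selinux-policy VERSION-RELEASE; $2: CS.cfg path
    rc=0
    if selinux_policy_ok "$1"; then
        echo "selinux-policy $1 >= $MIN_SELINUX_POLICY: ok"
    else
        echo "selinux-policy $1 < $MIN_SELINUX_POLICY: update it before ipa-ca-install"
        rc=1
    fi
    missing=$(missing_cs_values "$2")
    if [ -n "$missing" ]; then
        echo "unconfigured CS.cfg properties in $2:"; echo "$missing"
        rc=1
    fi
    return $rc
}
# Constructed CS.cfg fragments: one unconfigured (modelled on the thread's
# grep output) and one with placeholder values as a configured CA would have.
SAMPLE_CS_CFG=$(mktemp)
cat >"$SAMPLE_CS_CFG" <<'EOF'
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
internaldb.ldapconn.port=
EOF
SAMPLE_CS_CFG_OK=$(mktemp)
cat >"$SAMPLE_CS_CFG_OK" <<'EOF'
authz.instance.DirAclAuthz.ldap.basedn=o=ipaca
authz.instance.DirAclAuthz.ldap.ldapconn.host=sb2sys01.domain.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=7389
internaldb.ldapconn.port=7389
EOF
preflight "3.7.19-231" "$SAMPLE_CS_CFG" || echo "preflight failed (expected for the sample)"
```

On a real RHEL 6 host, call `preflight "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)" /etc/pki-ca/CS.cfg` before running ipa-ca-install.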
