[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Les Stott
Less at imagine-sw.com
Fri Feb 6 05:59:22 UTC 2015
Hi,
I found a bug in the pki packages and CA replica installation.
Environment:
Rhel 6.6
IPA Server 3.0.0-42
Pki components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-ca-9.0.3-38.el6_6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-util-9.0.3-38.el6_6.noarch
pki-silent-9.0.3-38.el6_6.noarch
Selinux:
Permissive
when running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.
Samples from the ipareplica-ca-install.log...
=========
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:04Z DEBUG duration: 6 seconds
2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
#############################################
Attempting to connect to: sb1sys02.mydomain.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######################################################################
2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
==========
In short pki-cad fails to start and stops the installer.
Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
The solution is as follows:
yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
Then, the CA replication completes successfully.
Regards,
Les
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150206/fffc1ab5/attachment.htm>
More information about the Freeipa-users
mailing list