[Freeipa-users] bug in pki during install of CA replica and workaround/solution

Les Stott Less at imagine-sw.com
Fri Feb 6 05:59:22 UTC 2015


Hi,

I found a bug in the pki packages and CA replica installation.

Environment:
RHEL 6.6
IPA Server 3.0.0-42
PKI components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-ca-9.0.3-38.el6_6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-util-9.0.3-38.el6_6.noarch
pki-silent-9.0.3-38.el6_6.noarch
SELinux:
Permissive

When running a CA replica installation, it fails because pki-cad cannot start due to SELinux context issues.

Samples from the ipareplica-ca-install.log...

=========
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"

2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
#############################################
Attempting to connect to: sb1sys02.mydomain.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA

#######################################################################

2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused

==========

In short, pki-cad fails to start and stops the installer.

Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
which takes components back to 9.0.3-32
then
yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
then (after cleaning up half-installed pki components)
ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,

Les
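
As an added example (not part of the original post or of FreeIPA's own tooling), the following script scans an install log for the runcon "invalid context" signature quoted in the excerpt above and reports the rejected SELinux type. The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: triage an ipareplica-ca-install.log
# for the runcon "invalid context" failure quoted in the message.

# Print each distinct SELinux context that runcon rejected, one per line.
rejected_contexts() {
    sed -n 's/.*runcon: invalid context: \([^ ]*\): .*/\1/p' "$1" | sort -u
}

# Print the type field (user:role:type:level) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Count the later error lines the post quotes (connection refused, LoginPanel).
followon_errors() {
    grep -c -e 'Connection refused' -e 'LoginPanel() failure' "$1"
}

# Summarise a log; exit status 0 means the runcon signature was found.
triage_log() {
    ctxs=$(rejected_contexts "$1")
    [ -n "$ctxs" ] || { echo "no runcon context rejection in $1"; return 1; }
    for c in $ctxs; do
        echo "runcon rejected context $c (type $(context_type "$c"))"
    done
    echo "follow-on error lines: $(followon_errors "$1")"
}

# Constructed sample input, abridged from the log excerpt in the post.
write_sample_log() {
    cat > "$1" <<'EOF'
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
ERROR: ConfigureCA: LoginPanel() failure
2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
EOF
}

# Runs on the constructed sample unless a log path is given as first argument.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp) && write_sample_log "$log"
fi
triage_log "$log"
```

Pass the path of a real ipareplica-ca-install.log as the first argument to run it against that file instead of the sample.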
