[Freeipa-users] bug in pki during install of CA replica and workaround/solution

Martin Kosek mkosek at redhat.com
Fri Feb 6 14:39:54 UTC 2015


On 02/06/2015 06:59 AM, Les Stott wrote:
> Hi,
> 
> I found a bug in the pki packages and CA replica installation.
> 
> Environment:
> RHEL 6.6
> IPA Server 3.0.0-42
> PKI components:
> pki-symkey-9.0.3-38.el6_6.x86_64
> pki-common-9.0.3-38.el6_6.noarch
> pki-setup-9.0.3-38.el6_6.noarch
> pki-selinux-9.0.3-38.el6_6.noarch
> pki-java-tools-9.0.3-38.el6_6.noarch
> pki-ca-9.0.3-38.el6_6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-native-tools-9.0.3-38.el6_6.x86_64
> pki-util-9.0.3-38.el6_6.noarch
> pki-silent-9.0.3-38.el6_6.noarch
> SELinux:
> Permissive
> 
> When running a CA replica installation, it fails because pki-cad cannot start due to SELinux context issues.
> 
> Samples from the ipareplica-ca-install.log...
> 
> =========
> 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK  ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
> 
> 2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
> 2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
> #############################################
> Attempting to connect to: sb1sys02.mydomain.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
> 
> #######################################################################
> 
> 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
> 
> ==========
> 
> In short, pki-cad fails to start and stops the installer.
> 
> Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
> 
> The solution is as follows:
> 
> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> which takes components back to 9.0.3-32
> then
> yum -y update  pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> then (after cleaning up half-installed pki components)
> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> 
> Then, the CA replication completes successfully.
> 
> Regards,
> 
> Les

I saw this one around, e.g. in:

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin
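
A diagnostic for the failure reported in this thread, as an added example that is not part of either message and not FreeIPA or Dogtag code: it extracts every context that runcon rejected from an install log and checks whether the context's type is defined in the loaded SELinux policy. It assumes seinfo (from setools-console) is available for the policy check; the sample log lines are constructed from the excerpt quoted above.

```shell
#!/bin/sh
# Added example, not from the thread.

# Print each distinct context that runcon rejected. Message format as in the
# log quoted above: "runcon: invalid context: <context>: Invalid argument".
rejected_contexts() {
    sed -n 's/.*runcon: invalid context: \(.*\): Invalid argument.*/\1/p' "$@" |
        sort -u
}

# Print the type field of user:role:type[:range]. The range may itself
# contain colons (s0:c0.c1023), so take field 3 rather than the last field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Report whether each rejected type exists in the loaded policy.
# Assumption: seinfo (setools-console) is installed; otherwise "unknown".
report() {
    rejected_contexts "$@" | while IFS= read -r ctx; do
        ctype=$(context_type "$ctx")
        if ! command -v seinfo >/dev/null 2>&1; then
            state=unknown
        elif seinfo -t 2>/dev/null | grep -qw -- "$ctype"; then
            state=present
        else
            state=missing
        fi
        printf '%s type=%s policy=%s\n' "$ctx" "$ctype" "$state"
    done
}

# Constructed sample input modelled on the log lines quoted above.
sample_log() {
    cat <<'EOF'
2015-02-05T08:20:04Z DEBUG stderr=exit status=1 output="Stopping pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:05Z DEBUG output="Starting pki-ca:
/usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:06Z DEBUG   duration: 6 seconds
EOF
}

# Pass the path to ipareplica-ca-install.log as the argument; with no
# argument the constructed sample is used.
if [ "$#" -gt 0 ]; then
    report "$@"
else
    sample_log | report
fi
```

A result of policy=missing before the installer runs means pki-cad will hit the same runcon error; policy=present after the package steps above indicates the type is now loaded.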



