[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Martin Kosek
mkosek at redhat.com
Fri Feb 6 14:39:54 UTC 2015
On 02/06/2015 06:59 AM, Les Stott wrote:
> Hi,
>
> I found a bug in the pki packages and CA replica installation.
>
> Environment:
> Rhel 6.6
> IPA Server 3.0.0-42
> Pki components:
> pki-symkey-9.0.3-38.el6_6.x86_64
> pki-common-9.0.3-38.el6_6.noarch
> pki-setup-9.0.3-38.el6_6.noarch
> pki-selinux-9.0.3-38.el6_6.noarch
> pki-java-tools-9.0.3-38.el6_6.noarch
> pki-ca-9.0.3-38.el6_6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-native-tools-9.0.3-38.el6_6.x86_64
> pki-util-9.0.3-38.el6_6.noarch
> pki-silent-9.0.3-38.el6_6.noarch
> Selinux:
> Permissive
>
> when running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.
>
> Samples from the ipareplica-ca-install.log...
>
> =========
> 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
>
> 2015-02-05T08:20:04Z DEBUG duration: 6 seconds
> 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
> #############################################
> Attempting to connect to: sb1sys02.mydomain.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
>
> ==========
>
> In short pki-cad fails to start and stops the installer.
>
> Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
>
> The solution is as follows:
>
> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> which takes components back to 9.0.3-32
> then
> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> then (after cleaning up half installed pki components)
> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
>
> Then, the CA replication completes successfully.
>
> Regards,
>
> Les
I saw this one around, e.g. in:
http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
Did you try reinstalling pki-selinux before ipa-server-install?
Endi/Matthew, do we have a bug/fix for this?
Thanks,
Martin
More information about the Freeipa-users
mailing list