[Freeipa-users] bug in pki during install of CA replica and workaround/solution

Les Stott Less at imagine-sw.com
Fri Feb 6 22:34:43 UTC 2015



> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Saturday, 7 February 2015 1:40 AM
> To: Les Stott; freeipa-users at redhat.com; Matthew Harmsen; Endi Dewata
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
> 
> On 02/06/2015 06:59 AM, Les Stott wrote:
> > Hi,
> >
> > I found a bug in the pki packages and CA replica installation.
> >
> > Environment:
> > Rhel 6.6
> > IPA Server 3.0.0-42
> > Pki components:
> > pki-symkey-9.0.3-38.el6_6.x86_64
> > pki-common-9.0.3-38.el6_6.noarch
> > pki-setup-9.0.3-38.el6_6.noarch
> > pki-selinux-9.0.3-38.el6_6.noarch
> > pki-java-tools-9.0.3-38.el6_6.noarch
> > pki-ca-9.0.3-38.el6_6.noarch
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > pki-native-tools-9.0.3-38.el6_6.x86_64
> > pki-util-9.0.3-38.el6_6.noarch
> > pki-silent-9.0.3-38.el6_6.noarch
> > Selinux:
> > Permissive
> >
> > When running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.
> >
> > Samples from the ipareplica-ca-install.log...
> >
> > =========
> > 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[  OK
> ]/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca:
> > /usr/bin/runcon: invalid context:
> unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
> >
> > 2015-02-05T08:20:04Z DEBUG   duration: 6 seconds
> > 2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server
> instance
> > #############################################
> > Attempting to connect to: sb1sys02.mydomain.com:9445 Exception in
> > LoginPanel(): java.lang.NullPointerException
> > ERROR: ConfigureCA: LoginPanel() failure
> > ERROR: unable to create CA
> >
> >
> ###################################################################
> ###
> > #
> >
> > 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send
> > Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> >
> > ==========
> >
> > In short pki-cad fails to start and stops the installer.
> >
> > Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.
> >
> > The solution is as follows:
> >
> > yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> >
> > which takes components back to 9.0.3-32, then
> >
> > yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
> >
> > then (after cleaning up half installed pki components)
> >
> > ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> >
> > Then, the CA replication completes successfully.
> >
> > Regards,
> >
> > Les
> 
> I saw this one around, e.g. in:
> 
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> 
> Did you try reinstalling pki-selinux before ipa-server-install?
> 

Yes, tried this. But it was not enough.


> Endi/Matthew, do we have a bug/fix for this?
> 
> Thanks,
> Martin
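
Added example, not part of the original message or of FreeIPA/PKI code: a small triage script that pulls the context rejected by runcon out of an install log and lists the errors logged after it, so the SELinux failure is not lost among the Java exceptions. The sample log is constructed from the excerpt quoted above; the function names and the marker list are assumptions made for this example.

```python
import re

# Constructed sample modelled on the ipareplica-ca-install.log excerpt quoted
# in the message (wrapped lines rejoined, garbled command text left out).
SAMPLE_LOG = """\
2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED, exit status=1 output="Stopping pki-ca: /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument"
2015-02-05T08:20:04Z DEBUG   [3/16]: configuring certificate server instance
Attempting to connect to: sb1sys02.mydomain.com:9445 Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
"""

# Matches the runcon message shown in the excerpt:
# "runcon: invalid context: <context>: Invalid argument".
INVALID_CTX = re.compile(r"runcon: invalid context:\s*(\S+?):\s*Invalid argument")
# Later errors from the same excerpt (hypothetical marker list for this example).
FOLLOW_ON = ("LoginPanel() failure", "unable to create CA", "Connection refused")


def triage(log_text):
    """Return (rejected_contexts, follow_on_errors) found in an install log."""
    contexts, follow_on = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in INVALID_CTX.finditer(line):
            # user:role:type[:level]; the level may itself contain ':' (MCS).
            fields = (match.group(1).split(":", 3) + [""] * 4)[:4]
            contexts.append(dict(zip(("user", "role", "type", "level"), fields),
                                 line=lineno))
        if any(marker in line for marker in FOLLOW_ON):
            follow_on.append((lineno, line.strip()))
    return contexts, follow_on


def summarize(log_text):
    """One-line verdict naming the SELinux type(s) runcon could not use."""
    contexts, follow_on = triage(log_text)
    if not contexts:
        return "no runcon context rejection found"
    types = sorted({c["type"] for c in contexts})
    return "runcon rejected type(s) %s; %d later error line(s)" % (
        ", ".join(types), len(follow_on))


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```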
