[Freeipa-users] CA replica installation failure

Dan Scott danieljamesscott at gmail.com
Thu Mar 1 16:07:20 UTC 2012


Hi,

I tried with SELinux in permissive mode. It failed in the same way.

Dan

On Wed, Feb 29, 2012 at 16:28, Ade Lee <alee at redhat.com> wrote:
> It's a little strange that it's showing up as an error -- it shouldn't if
> they are already set and they are of the right context.
>
> That said, it's not really an error - and should not be a problem unless
> it's preventing the installation from completing successfully.
>
> Try doing the installation with selinux in permissive mode and see if it
> makes a difference.
>
> Ade
>
> On Wed, 2012-02-29 at 16:18 -0500, Dan Scott wrote:
>> On Wed, Feb 29, 2012 at 16:03, Ade Lee <alee at redhat.com> wrote:
>> > That's a pretty strange error.  The ports there are supposed to be
>> > reserved for pki_ca_port_t.
>> >
>> > Can you do the following for each of the ports?
>> > semanage port -l |grep 9443
>>
>> [root@fileserver3 ~]# semanage port -l |grep 9443
>> pki_ca_port_t                  tcp      9180, 9701, 9443-9447
>>
>> 944[456] don't match, but they're in the range, so they should be OK, right?
>>
>> Is it really an error? Or is it just indicating that the port has
>> already been set.
>>
>> Thanks,
>>
>> Dan
>>
>> > It's probably best to completely remove the replica. You could try to use
>> > dogtag specific commands to uninstall and install the ca - but then the
>> > rest of the ipa install scripts would be confused.
>> >
>> > Ade
>> >
>> > On Wed, 2012-02-29 at 13:44 -0500, Dan Scott wrote:
>> >> Anyone have any suggestions for how I can fix this?
>> >>
>> >> Dan
>> >>
>> >> On Mon, Feb 27, 2012 at 21:06, Dan Scott <danieljamesscott at gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > I'm having another problem with replica installation - just the CA this time
>> >> >
>> >> > It looks like there's a problem with SELinux and the pki-ca service:
>> >> >
>> >> > After configuration, the server can be operated by the command:
>> >> >
>> >> >    /bin/systemctl restart pki-cad@pki-ca.service
>> >> >
>> >> >
>> >> > 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
>> >> > context pki_ca_port_t for 9180.  Port already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9701.  Port
>> >> > already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9443.  Port
>> >> > already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9444.  Port
>> >> > already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9446.  Port
>> >> > already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9445.  Port
>> >> > already defined otherwise.
>> >> > [error] Failed setting selinux context pki_ca_port_t for 9447.  Port
>> >> > already defined otherwise.
>> >> > [error] FAILED run_command("/bin/systemctl restart
>> >> > pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system
>> >> > logs and 'systemctl status' for details."
>> >> >
>> >> > 2012-02-27 20:33:45,729 DEBUG   duration: 6 seconds
>> >> > 2012-02-27 20:33:45,730 DEBUG   [3/11]: configuring certificate server instance
>> >> > [clip]
>> >> > 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
>> >> > #######################################################################
>> >> > CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
>> >> > tokenpwd:XXXXXXXX
>> >> > #############################################
>> >> > Attempting to connect to: fileserver3.example.com:9445
>> >> > Exception in LoginPanel(): java.lang.NullPointerException
>> >> > ERROR: ConfigureCA: LoginPanel() failure
>> >> > ERROR: unable to create CA
>> >> >
>> >> > #######################################################################
>> >> >
>> >> > 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
>> >> > Request:java.net.ConnectException: Connection refused
>> >> > java.net.ConnectException: Connection refused
>> >> >        at java.net.PlainSocketImpl.socketConnect(Native Method)
>> >> >        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>> >> >        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>> >> >        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>> >> >        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>> >> >        at java.net.Socket.connect(Socket.java:546)
>> >> >        at java.net.Socket.connect(Socket.java:495)
>> >> >        at java.net.Socket.<init>(Socket.java:392)
>> >> >        at java.net.Socket.<init>(Socket.java:235)
>> >> >        at HTTPClient.sslConnect(HTTPClient.java:326)
>> >> >        at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>> >> >        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> >> >        at ConfigureCA.main(ConfigureCA.java:1672)
>> >> > java.lang.NullPointerException
>> >> >        at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>> >> >        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> >> >        at ConfigureCA.main(ConfigureCA.java:1672)
>> >> >
>> >> > /var/log/messages contains the following:
>> >> >
>> >> > Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
>> >> > Connection reset by peer
>> >> > Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
>> >> > context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
>> >> > Feb 27 20:57:26 localhost systemd[1]: pki-cad@pki-ca.service: control
>> >> > process exited, code=exited status=1
>> >> > Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad@pki-ca.service
>> >> > entered failed state.
>> >> >
>> >> > This is a fresh install of Fedora 16. There are no updates to apply.
>> >> >
>> >> > Any ideas?
>> >> >
>> >> > One more thing. Is there a way to remove and reinstall just the CA? Or
>> >> > do I have to completely remove and re-install the entire IPA replica?
>> >> > i.e. Is there something like ipa-ca-install --uninstall? I couldn't see
>> >> > the option anywhere.
>> >> >
>> >> > Thanks,
>> >> >
>> >> > Dan
>> >>
>> >
>> >
>
>
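
Added example, not part of the original thread: a shell check for the question raised above about whether ports inside a listed range (9444-9446 in `9443-9447`) carry the expected SELinux port type. The function names and the sample listing are assumptions made for illustration; only the pki_ca_port_t line comes from the thread.

```shell
#!/bin/sh
# Constructed sample in the format of `semanage port -l`. The pki_ca_port_t
# line is the one quoted in the thread; the http_port_t line is made up.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 8443
pki_ca_port_t                  tcp      9180, 9701, 9443-9447'

# types_for_port LISTING PROTO PORT   (hypothetical helper)
# Prints every type whose single ports or ranges cover PORT, one per line.
types_for_port() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)            # drop the list separator
                n = split(entry, r, "-")        # "9443-9447" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# unlabelled_ports LISTING PROTO TYPE PORT...   (hypothetical helper)
# Prints the ports NOT covered by TYPE; returns 1 if there are any.
unlabelled_ports() {
    listing=$1 proto=$2 want=$3
    shift 3
    missing=''
    for p in "$@"; do
        types_for_port "$listing" "$proto" "$p" | grep -qx "$want" ||
            missing="$missing${missing:+ }$p"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
```

On a live host, pass `"$(semanage port -l)"` as the listing together with the seven ports from the installer log; an empty result means every port is already covered by pki_ca_port_t.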



