#829 Adding an RA Security Domain from Wizard: HTTPS Admin URL not found
Closed: Fixed None Opened 10 years ago by unixgal.

I am totally new to PKI but was tasked with getting Dogtag working with SCEP for Cisco routers. This issue was seen on a Fedora 20 "Minimal" installation (yum upgrade done on 2014-01-16) with only 389-ds and Dogtag 10 with their dependencies installed via yum. The CA was installed using pkispawn.

pkicreate was used for the RA but I then ran into issues from the Wizard with the error !Security Domain HTTPS Admin URL not found!

```bash
pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ra          \
          -subsystem_type=ra                 \
          -secure_port=12889                 \
          -non_clientauth_secure_port=12890  \
          -unsecure_port=12888               \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ra         \
          -redirect logs=/var/log/pki-ra     \
          -verbose
```

The RA wizard would always give the error even when putting in the correct URL for the CA. I found a resolved ticket that referenced the same general behavior [ticket:797], but didn't find any solution from it.

Working with some people on IRC, we were eventually able to find PR_Connect errors in the /var/log/pki-ra/error_log that pointed to an issue with SELinux:

```
[Thu Jan 16 17:04:07.347614 2014] [authz_core:debug] [pid 2970:tid 2948545344] mod_authz_core.c(802): [client 192.168.40.172:58609] AH01626: authorization result of <RequireAny>: granted, referer: https://CAhost:12890/ra/admin/console/config/wizard
GET /ca/admin/ca/getStatus HTTP/1.0
port: 8443
addr='CAhost'
family='2'
IP='172.21.1.210'
exit after PR_Connect with error -5966:
GET /ca/admin/ca/getStatus HTTP/1.0
port: 9445
addr='CAhost'
family='2'
IP='172.21.1.210'
exit after PR_Connect with error -5961:
```

The workaround was to just do setenforce 0 and restart the CA and RA services before running the wizard again.
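
Added example (not part of the original report and not Dogtag code): a Python triage helper that parses `error_log` excerpts like the one quoted in the report and maps each `PR_Connect` code to its NSPR name. In NSPR, -5966 is `PR_NO_ACCESS_RIGHTS_ERROR`, a permission-type failure rather than a network one, which is consistent with the SELinux finding; the function name and the set of codes treated as permission failures are assumptions of this example.

```python
import re

# NSPR error codes (names from NSPR's prerr.h); only the ones this triage needs.
NSPR_ERRORS = {
    -5981: "PR_CONNECT_REFUSED_ERROR",
    -5979: "PR_CONNECT_TIMEOUT_ERROR",
    -5966: "PR_NO_ACCESS_RIGHTS_ERROR",
    -5961: "PR_CONNECT_RESET_ERROR",
}
# Assumption of this example: codes read as a local permission denial.
PERMISSION_CODES = {-5966}

# Sample input copied from the error_log excerpt quoted in the report.
SAMPLE_LOG = """\
GET /ca/admin/ca/getStatus HTTP/1.0
port: 8443
addr='CAhost'
family='2'
IP='172.21.1.210'
exit after PR_Connect with error -5966:
GET /ca/admin/ca/getStatus HTTP/1.0
port: 9445
addr='CAhost'
family='2'
IP='172.21.1.210'
exit after PR_Connect with error -5961:
"""

FIELD = re.compile(r"^(port|addr|IP)\s*[:=]\s*'?([^'\s]+)'?\s*$")
FAIL = re.compile(r"PR_Connect with error (-?\d+)")

def parse_connect_failures(text):
    """Return one dict per failed PR_Connect attempt found in the log text."""
    failures, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:  # remember port/addr/ip until the attempt's result line
            current[m.group(1).lower()] = m.group(2)
            continue
        m = FAIL.search(line)
        if m:  # result line closes the current attempt
            code = int(m.group(1))
            failures.append({**current, "code": code,
                             "name": NSPR_ERRORS.get(code, "UNKNOWN"),
                             "permission_denied": code in PERMISSION_CODES})
            current = {}
    return failures

if __name__ == "__main__":
    for failure in parse_connect_failures(SAMPLE_LOG):
        print(failure)
```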


Metadata Update from @unixgal:
- Issue set to the milestone: N/A

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1396

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
