On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> > On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > I have a host that refuses to be modified or deleted. I get the
> > > > same error from the webui and the cli. I am using F15, FreeIPA
> > > > 2.1.1 + all updates from the updates repository. I cannot find
> > > > any error in any log. I have tried to reboot my ipa servers. All
> > > > services seem to be running and have no issues.
> > > >
> > > > The error message I receive is:
> > > > * Certificate operation cannot be completed: Unable to
> > > > communicate with CMS (Not Found)
> > > >
> > > > I have looked in the Dogtag Certificate Manager, and I can see
> > > > the certificate. It's still valid, and holds the same serial
> > > > number as what is displayed using ipa host-show <hostname>.
> > > >
> > > > Any suggestions?
> > > >
> > > Can you please send the sanitized apache logs?
> > >
> > These are the apache log lines that correspond to # ipa host-disable
> > <hostname>, and # ipa cert-show <serialno>. I have no config files in
> > my /etc/httpd/conf.d/ directory that contain any reference to
> > the /ca directory. Also /var/www/html/ca does not exist.
> >
> > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
> > file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
> > not exist on any of my 3 IPA servers.
> >
> > Should that file contain an alias and proxy rules for /ca/ ?
> >
> > error_log:
> > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: [email protected]:
> > ping(): SUCCESS
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
> > 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
> > not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: [email protected]:
> > host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: [email protected]:
> > ping(): SUCCESS
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
> > 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
> > not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: [email protected]:
> > cert_show(u'268369923'): CertificateOperationError
> >
> > access_log:
> > 192.168.210.20 - [email protected] [27/Sep/2011:21:44:00 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
> > "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - [email protected] [27/Sep/2011:21:44:01 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 360
> > 192.168.210.20 - [email protected] [27/Sep/2011:21:44:07 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
> > "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - [email protected] [27/Sep/2011:21:44:08 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 360
> >
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
> numbers seemed incorrect. They were pointing at
> ajp://localhost:9447/, which is a port that's not responding to
> anything. "netstat -nat" agrees... nothing there.
>
> "/etc/init.d/pki-cad status" seems to indicate that the correct port is
> 9443?
> I changed the port number to 9443 in the ipa-pki-proxy.conf file,
> restarted httpd, and attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
> yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
> Am I heading in the incorrect direction here? Or does the pki-cad
> service have some cert issues?
In order for the proxy conf to work you need to have a version of dogtag
that properly supports it.

What version of dogtag are you running? (pki-* packages)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
