On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: 
> > On 09/27/2011 12:34 AM, Dmitri Pal wrote: 
> > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: 
> > > > Hi,
> > > > 
> > > > 
> > > > I have a host that refuses to be modified or deleted. I get the
> > > > same error from the webui and the cli. I am using F15, FreeIPA
> > > > 2.1.1 + all updates from the updates repository. I cannot find
> > > > any error in any log. I have tried to reboot my ipa servers. All
> > > > services seem to be running and have no issues.
> > > > 
> > > > 
> > > > The error message I receive is:
> > > >       * Certificate operation cannot be completed: Unable to
> > > >         communicate with CMS (Not Found)
> > > > 
> > > > I have looked in the Dogtag Certificate Manager, and I can see
> > > > the certificate. It's still valid, and holds the same serial
> > > > number as what is displayed using ipa host-show <hostname>. 
> > > > 
> > > > Any suggestions?
> > > > 
> > > > 
> > > > 
> > > 
> > > Can you please send the sanitized apache logs?
> > > 
> > 
> > 
> > These are the apache log lines that correspond to # ipa host-disable
> > <hostname, and # ipa cert-show <serialno>. I have no config files in
> > my /etc/httpd/conf.d/ directory that contains any reference to
> > the /ca directory. Also /var/www/html/ca does not exist.
> > 
> > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
> > file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
> > not exist on any of my 3 IPA servers.
> > 
> > Should that file contain an alias and proxy rules for /ca/ ?
> > 
> > 
> > error_log:
> > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com:
> > ping(): SUCCESS
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
> > 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
> > not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com:
> > host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com:
> > ping(): SUCCESS
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
> > 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
> > not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com:
> > cert_show(u'268369923'): CertificateOperationError
> > 
> > access_log:
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
> > "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 360
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
> > "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200]
> > "POST /ipa/xml HTTP/1.1" 200 360
> > 
> > 
> > 
> 
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
> numbers seemed incorrect. They we're pointing at
> ajp://localhost:9447/, which is a port that's not reponding to
> anything. "netstat -nat" agrees...nothing there.
> 
> "/etc/init.d/pki-cad status" seem to indicate that the correct port is
> 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
> and restarted httpd. And attempted to disable the host:
> 
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
> 
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
> yields:
> 
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
> 
> 
> Am I heading in the incorrect direction here? Or does the pki-cad
> service have some cert issues?

In order for the proxy conf to work you need to have a verion of dogtag
that properly supports it.

What version of dogtag are you running ?

(pki-* packages)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to