On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
On 09/27/2011 12:34 AM, Dmitri Pal wrote:
On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:

Hi,

I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.

The error message I receive is:

  * Certificate operation cannot be completed: Unable to
    communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>.

Any suggestions?



Can you please send the sanitized apache logs?



These are the apache log lines that correspond to # ipa host-disable <hostname>, and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360




I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. "netstat -nat" agrees...nothing there.

"/etc/init.d/pki-cad status" seems to indicate that the correct port is 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?

9447 was likely the right value.

I think the problem is with the Proxy configuration. We are working on a script to upgrade a non-proxied PKI (Dogtag) to a proxied version, but the ports set in the config file need to match the ports that the pki-ca web app is using.

I'm assuming from what you said above that you can talk to Dogtag directly on port 9443, but that the proxy is not set correctly for the HTTPD to AJP communication.

Have your server.xml and web.xml files in the PKI configuration been modified to listen to AJP? It should be something like:


<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />

in the server.xml file. The AJP port has to match what the file in /etc/httpd/conf.d/proxy.conf says. 9443 is, I think, the HTTPS port in your case, not the AJP port. AJP should be 9447.








_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
We (Ade Lee) are working on a script to upgrade an existing Dogtag instance to use

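As an added example, not code from this thread or from FreeIPA/Dogtag, here is a small offline Python check that reproduces the diagnosis above: it extracts the AJP port the /ca proxy rules target, the port of the AJP connector that Dogtag's server.xml declares, reports any proxy port with no AJP connector behind it (the 9443 vs 9447 confusion), and lists /ca requests that httpd answered 404 itself because no proxy rule was loaded. The config fragments and log lines are constructed samples shaped like the ones quoted in the thread, not the real files.

```python
import re

# Constructed sample in the shape of FreeIPA's ipa-pki-proxy.conf (not the real file):
# the proxy rule points at 9443, the port the thread's author changed it to.
PROXY_CONF = """
<LocationMatch "^/ca/agent/ca/displayBySerial">
    ProxyPassMatch ajp://localhost:9443
    ProxyPassReverse ajp://localhost:9443
</LocationMatch>
"""
# Constructed sample of the Connector lines from Dogtag's Tomcat server.xml:
# 9443 is the HTTPS connector, 9447 the AJP connector.
SERVER_XML = """
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector port="9447" protocol="AJP/1.3" redirectPort="9443" />
"""
# Constructed access_log lines in the format shown in the thread.
ACCESS_LOG = """\
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
"""

def proxy_ajp_ports(conf):
    """AJP ports that the ProxyPass* directives of an httpd config target."""
    return sorted({int(p) for p in re.findall(r'ajp://[^:\s/]+:(\d+)', conf)})

def tomcat_ajp_ports(server_xml):
    """Ports of Connector elements whose protocol is AJP (what mod_proxy_ajp must hit)."""
    ports = []
    for tag in re.findall(r'<Connector\b[^>]*>', server_xml):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
        if attrs.get('protocol', '').startswith('AJP/'):
            ports.append(int(attrs['port']))
    return sorted(ports)

def mismatched_ports(conf, server_xml):
    """Proxy target ports with no AJP connector behind them (the 9443/9447 confusion)."""
    return [p for p in proxy_ajp_ports(conf) if p not in tomcat_ajp_ports(server_xml)]

def ca_requests_not_proxied(access_log):
    """/ca/ requests that httpd answered 404 itself: the proxy rule was never loaded."""
    pat = re.compile(r'"(?:GET|POST) (/ca/\S*) HTTP/[\d.]+" (\d{3}) ')
    return [(path, int(st)) for path, st in pat.findall(access_log) if st == '404']
```

Run against the live files (/etc/httpd/conf.d/ipa-pki-proxy.conf, the pki-ca server.xml and the httpd access_log), an empty mismatch list and an empty 404 list are what a correctly proxied /ca looks like.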