On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
On 09/27/2011 12:34 AM, Dmitri Pal wrote:
On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:


Hi,

I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.

The error message I receive is:

  * Certificate operation cannot be completed: Unable to
    communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>.

Any suggestions?



Can you please send the sanitized apache logs?



These are the apache log lines that correspond to # ipa host-disable <hostname, and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contains any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial' [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial' [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360




I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They we're pointing at ajp://localhost:9447/, which is a port that's not reponding to anything. "netstat -nat" agrees...nothing there.

"/etc/init.d/pki-cad status" seem to indicate that the correct port is 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?

9447 was likely the right value.

I think the problem is with the Proxy configuration. We are working on a script to upgrade a non-proxied PKI (Dogtag) to a proxied version, but the ports set in the config file need to match the ports that the pki-ca web app is using.

I'm assuming from what you said above that you can talk to Dogtag directly of port 9443, but that the proxy is not set correctly for the HTTPD to AJP communication.

Have your server.xml and web.xml files in the PKI configuration been modified to listen to AJP? It should be something like:


<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />

In the server.xml file. THE AJP port has to match what the file in /etc/httpd/conf.d/proxy.conf file says. 9443 is, I think the HTTPS port in your case, not the AJP port. AJP should be 9447.








_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
We (Ade Lee) is working in a script to upgrade an existing Dogtag instance to use
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to