On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:
On 09/28/2011 11:35 PM, Adam Young wrote:
On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
On 09/28/2011 03:33 AM, Adam Young wrote:
After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified:



On 09/27/2011 07:55 PM, Adam Young wrote:


This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion.

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca. The first is


It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:




+ <init-param> + <param-name>proxy_port</param-name> + <param-value>443</param-value> + </init-param>





The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d

Sorry for the late reply.

I have performed the modifications you've suggested to /var/lib/pki-ca/conf/server.xml, and /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.

In the file /var/lib/pki-ca/conf/CS.cfg, the settings we're already http.port=8080 and https.port=8443.

I could not find the file /etc/pki-ca/proxy.conf. I did find /usr/share/pki/ca/conf/proxy.conf, I copied this into /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.

Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

What do you suggest doing next? :)


oot@vm-077 conf.d]# diff nss.conf.orig nss.conf
< NSSRenegotiation off
> NSSRenegotiation on
< NSSRequireSafeNegotiation off
> NSSRequireSafeNegotiation on

As I said, we are scripting this. I should have had you hold out for the script.


I see Ade Lee has posted the script now. I'll have a go at the script tomorrow.


Freeipa-users mailing list
Well, that script assumes the machine is in a certain state. I am not sure if you machine now qualifies. You shold only need the nss.conf change, as that seems to match the error you are seeing.

Before you make any changes, try pointing  a browser at


And you should get a valid response:  XML with a tag <ChainBase64>

This shows that Dogtag is being proxied correctly. The error you are seeing is due to the need to "renegotiate" the SSL handshake for the authed sections of the PKI-CA.

Freeipa-users mailing list

Reply via email to