The FreeIPA 3.0.0 server is running on CentOS 6.5. The CA subsystem certificates have all been renewed and will not expire until 2016. In the

I think the problems come from "modifications" a colleague did to /etc/httpd/ipa-pki-proxy.conf, /etc/httpd/nss.conf and /var/lib/pki-ca/conf/server.xml (without documentation, but they have different timestamps) when he wanted to enforce/enable higher-level encryption. I was able to reproduce some of his changes like StrictCypher and sslOptions he did, but I am not sure about the configuration of the ports of the connectors in /var/lib/pki-ca/conf/server.xml:

    <Connector name="Agent" port="9443...
    <!-- Port Separation: Admin Secure Port Connector -->
    <Connector name="Admin" port="9445" ...
    <!-- Port Separation: EE Secure Port Connector -->
    <Connector name="EE" port="9444" ...
    <!-- Port Separation: EE Secure Client Auth Port Connector -->
    <Connector name="EEClientAuth" port="9446" ...
    <!-- Define an AJP 1.3 Connector on port 9447 -->
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

and the /etc/httpd/conf.d/ipa-pki-proxy.conf:

    # VERSION 2 - DO NOT REMOVE THIS LINE
    ProxyRequests Off

    # matches for ee port
    <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        # ProxyPassMatch ajp://localhost:9443
        # ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # matches for admin port and installer
    <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        # ProxyPassMatch ajp://localhost:9443
        # ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # matches for agent port and eeca port
    <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient require
        # ProxyPassMatch ajp://localhost:9443
        # ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # Only enable this on servers that are not generating a CRL
    #RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

Is there somewhere an example configuration? When I deployed the system it was a rather default installation.

> Christof Schulze wrote:
>> Hello all,
>>
>> I am running a FreeIPA server on CentOS for 2 years now with mostly
>> Ubuntu 12.04 and some Fedora 20 clients.
>>
>> For one week (or more) it has not been possible any more to install new
>> clients (neither Ubuntu nor Fedora). The host gets created on the
>> IPA server but it cannot create/exchange a host certificate.
>>
>> The only thing that happened (except regular updates) was a complete
>> certificate renewal with no obvious problems some weeks ago.
>>
>> Web interface and certmonger show the same error.
>>
>> ipa-getcert list on the new hosts:
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: FAILURE (Invalid
>> Request)).
>> stuck: yes
>
> Given the timeline I'd guess that your CA subsystem certificates have
> expired.
>
> On the IPA master run: getcert list (not ipa-getcert)
>
> This will show the current status of things.
>
> What version of IPA is this?
>
> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
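The two files quoted in the mail above have to agree with each other: every active ProxyPassMatch/ProxyPassReverse in ipa-pki-proxy.conf must point at a port on which server.xml actually defines an AJP/1.3 connector (the HTTPS connectors on 9443-9446 speak TLS, not AJP, so proxying to them over ajp:// fails), and the agent/eeca paths are the ones that demand a client certificate. The following script is an added example, not code from the thread or from the FreeIPA project; it cross-checks the two files using constructed copies of the fragments from the mail. The protocol="HTTP/1.1" attribute on the four secure connectors and the expectation that every ^/ca/agent/ and ^/ca/eeca/ path carries NSSVerifyClient require are assumptions made for the check.

```python
import re

# Constructed sample input: the Connector lines quoted in the mail, reduced to
# the attributes this check reads. The protocol attribute on the four secure
# connectors is an assumption; the mail only shows their name and port.
SERVER_XML = """
<Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector name="Admin" port="9445" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector name="EE" port="9444" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector name="EEClientAuth" port="9446" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
"""

# Constructed sample input: the three LocationMatch blocks quoted from
# /etc/httpd/conf.d/ipa-pki-proxy.conf (path lists shortened), including the
# commented-out lines, which the check must ignore.
PROXY_CONF = """
ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ocsp|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    # ProxyPassMatch ajp://localhost:9443
    # ProxyPassReverse ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getStatus|^/ca/rest/installer/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
"""

CONNECTOR_RE = re.compile(r"<Connector\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
LOCATION_RE = re.compile(r'<LocationMatch\s+"([^"]*)">(.*?)</LocationMatch>', re.S)
# Only lines that start with the directive count; "# ProxyPassMatch ..." is a comment.
AJP_RE = re.compile(r"^[ \t]*(ProxyPassMatch|ProxyPassReverse)[ \t]+ajp://([^:\s]+):(\d+)", re.M)
VERIFY_RE = re.compile(r"^[ \t]*NSSVerifyClient[ \t]+(\S+)", re.M)
# Assumption: these path prefixes are the agent-side operations that need a client cert.
CLIENT_CERT_PREFIXES = ("^/ca/agent/", "^/ca/eeca/")


def parse_connectors(server_xml):
    """Map port -> protocol for every <Connector>. A regex is used on purpose so
    that a partially quoted server.xml (as in the mail) still parses."""
    ports = {}
    for m in CONNECTOR_RE.finditer(server_xml):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if "port" in attrs:
            # Tomcat's default when protocol= is absent is HTTP/1.1.
            ports[int(attrs["port"])] = attrs.get("protocol", "HTTP/1.1")
    return ports


def check_proxy_conf(server_xml, proxy_conf):
    """Return a list of findings; an empty list means the two files are consistent."""
    ports = parse_connectors(server_xml)
    findings = []
    for loc in LOCATION_RE.finditer(proxy_conf):
        paths, body = loc.group(1), loc.group(2)
        label = paths.split("|")[0]
        targets = {}
        for directive, host, port in AJP_RE.findall(body):
            port = int(port)
            targets[directive] = (host, port)
            proto = ports.get(port)
            if proto is None:
                findings.append(f"{label}: {directive} targets port {port}, but no Connector listens there")
            elif proto != "AJP/1.3":
                findings.append(f"{label}: {directive} uses ajp:// to port {port}, which is a {proto} connector")
        if len(set(targets.values())) > 1:
            findings.append(f"{label}: ProxyPassMatch and ProxyPassReverse point at different backends")
        needs_cert = any(p.startswith(CLIENT_CERT_PREFIXES) for p in paths.split("|"))
        verify = VERIFY_RE.search(body)
        if needs_cert and (verify is None or verify.group(1) != "require"):
            findings.append(f"{label}: agent/eeca paths should use 'NSSVerifyClient require'")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_conf(SERVER_XML, PROXY_CONF) or ["no inconsistencies found"]:
        print(finding)
```

Run against the fragments from the mail the check reports nothing, which is consistent with the commented-out 9443 lines having been replaced by the AJP port 9447. Re-pointing a ProxyPassMatch at 9443 or relaxing the agent block to NSSVerifyClient none produces a finding, so the script can be run on the live files (read them in place of the constructed strings) before and after any hand edit.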