Sure. Dogtag is not running in FIPS mode -- it's all dist configs minus 
disabling SSLv3. 

IPA UI and pki-proxy has dist configs, but mod_nss and the default 443 vhost 
does not. The confs for httpd.conf and nss.conf are listed after s_client 
output.

Running s_client on port 9447 just hangs, but I am honestly not sure how an AJP 
connector redirect should behave in a direct connection like that. 

Here's s_client output for 443 and 9444:


##
## apache https ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:443
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.2 Handshake [length 0057], ServerHello
    02 00 00 53 <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.2 Handshake [length 0735], Certificate
    0b 00 07 31 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 68 9e 48 fc
SSL_connect:SSLv3 read server key exchange A
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
    10 00 00 42 <snip> 59 56 88 4a
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 20 07 08 db
SSL_connect:SSLv3 write finished A
---
    70 30 0d 06 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 8d 64 cf b1
SSL_connect:SSLv3 flush data
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 23 1c 06 4b
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCC<snip>gbqsFldU
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2349 bytes and written 399 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 1E191B2FEAC07386328DC9725D9B8589FBCAD4B080CF18A3476C296A76837235
    Session-ID-ctx:
    Master-Key: 
3BF979C72DC402F635E405ADC79A36BEAE2ACC7E4560A4E7CF45B60002DECC65DC46182C81BE4A16381F456573F5E7D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440585959
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##



##
## tomcat post-proxy ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:9444
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 0051], ServerHello
    02 00 00 4d <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 070c], Certificate
    0b 00 07 08 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
    10 00 01 02 <snip> c0 36 01 46
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> bd da 9f be
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> e0 1a ed 80
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDbDCC<snip>vJ5zjQ==
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1941 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 1F5249D065AE60C8527ED34EDF40BA8B2DF929A1A84FDA3EC3DA5F23A5DE9BBD
    Session-ID-ctx: 
    Master-Key: 
1ABB212506B7D5D156E782265D1ADC35D22102CCD0DFB6AFD4AF3B1B65473EFF535A9D4F7BE0F6AC88F5439ADDAE5F94
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440586026
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##


##
## mod_nss conf for reference
##
[root@apollo ~]# grep -Pv '#\s' /etc/httpd/conf.d/nss.conf

LoadModule nss_module modules/libmodnss.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
NSSPassPhraseHelper /usr/sbin/nss_pcache

NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400

NSSRandomSeed startup builtin

NSSRenegotiation off
#NSSRenegotiation on

NSSRequireSafeNegotiation off
#NSSRequireSafeNegotiation on

<VirtualHost _default_:443>
    
    ErrorLog /etc/httpd/logs/error_log
    TransferLog /etc/httpd/logs/access_log
    LogLevel debug

    NSSEngine on
    
    #NSSFIPS on

    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
    
    #NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha
    NSSCipherSuite +ecdhe_rsa_aes_256_sha,+rsa_aes_256_sha
    
    NSSNickname Server-Cert
    
    NSSCertificateDatabase /etc/httpd/alias
    
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>
    
    Include conf.d/ipa-rewrite.conf
    
</VirtualHost>
##

##
## httpd.conf for reference
##
Listen 80
ServerTokens Prod
ServerSignature Off

ServerRoot "/etc/httpd"
PidFile run/httpd.pid

Timeout 60

KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<IfModule prefork.c>
    StartServers         8
    MinSpareServers      5
    MaxSpareServers      10
    ServerLimit          256
    MaxClients           256
    MaxRequestsPerChild  4000
</IfModule>

<IfModule worker.c>
    StartServers         5
    MaxClients           256
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadsPerChild      25
    MaxRequestsPerChild  0
</IfModule>

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Include conf.d/*.conf

User apache
Group apache

ServerAdmin r...@server.internalfqdn.lab
UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options None
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    <LimitExcept GET POST OPTIONS>
         Deny from all
    </LimitExcept>
    Options -Indexes -MultiViews SymLinksifOwnerMatch IncludesNoExec
    AllowOverride None    
    Order allow,deny
    Allow from all
</Directory>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

TypesConfig /etc/mime.types
DefaultType text/plain

EnableMMAP off
EnableSendfile off

LogLevel debug

ErrorLog logs/error_log

LogFormat "%h %a %u %l %t %A %H %m %U \"%r\" %s %>s \"%{Referer}i\" 
\"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

CustomLog logs/access_log combined

TraceEnable Off

LimitRequestBody 2147483647
LimitRequestFields 200
LimitRequestFieldSize 8190
LimitRequestLine 8190

DefaultLanguage en
AddLanguage en .en
LanguagePriority en
ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

AddHandler type-map var

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        <LimitExcept GET POST OPTIONS>
           Deny from all
        </LimitExcept>
        AllowOverride None
        Options -Indexes IncludesNoExec -MultiViews
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
</IfModule>

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

BrowserMatch "^gnome-vfs/1.0" redirect-carefully
##


--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: Fraser Tweedale [ftwee...@redhat.com]
Sent: Monday, August 24, 2015 10:20 AM
To: Arnold, Paul C CTR USARMY PEO STRI (US)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI 
(US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying
> to figure this one out. I'm hoping I am missing something simple, as my next
> course of action is to completely re-install IPA.
>
>
> This is the primary error I am receiving:
>
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
>
Dogtag raises this exception when it expected but did not receive a
client certificate.  The `ipaCert' certificate from /etc/httpd/alias
is the certificate used by FreeIPA to talk to Dogtag.

If `ipaCert' is not expired, there must be some other reason the
client is not sending the cert.  Is Dogtag in FIPS mode?  Can you
export the certificate and try and connect to the server using,
e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to