I changed NSSVerifyClient to optional (was undefined) and I can process new certs for the time-being.
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.
________________________________________
From: [email protected] [[email protected]] on behalf of Arnold, Paul C CTR USARMY PEO STRI (US) [[email protected]]
Sent: Wednesday, August 26, 2015 07:26 AM
To: Fraser Tweedale
Cc: [email protected]
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

Sure. Dogtag is not running in FIPS mode -- it's all dist configs minus disabling SSLv3. IPA UI and pki-proxy have dist configs, but mod_nss and the default 443 vhost do not. The confs for httpd.conf and nss.conf are listed after the s_client output.

Running s_client on port 9447 just hangs, but I am honestly not sure how an AJP connector redirect should behave in a direct connection like that.

Here's s_client output for 443 and 9444:

##
## apache https ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:443
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.2 Handshake [length 0057], ServerHello
    02 00 00 53 <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.2 Handshake [length 0735], Certificate
    0b 00 07 31 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 68 9e 48 fc
SSL_connect:SSLv3 read server key exchange A
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
    10 00 00 42 <snip> 59 56 88 4a
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 20 07 08 db
SSL_connect:SSLv3 write finished A
---
    70 30 0d 06 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 8d 64 cf b1
SSL_connect:SSLv3 flush data
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 23 1c 06 4b
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCC<snip>gbqsFldU
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2349 bytes and written 399 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 1E191B2FEAC07386328DC9725D9B8589FBCAD4B080CF18A3476C296A76837235
    Session-ID-ctx:
    Master-Key: 3BF979C72DC402F635E405ADC79A36BEAE2ACC7E4560A4E7CF45B60002DECC65DC46182C81BE4A16381F456573F5E7D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440585959
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##

##
## tomcat post-proxy ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:9444
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 0051], ServerHello
    02 00 00 4d <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 070c], Certificate
    0b 00 07 08 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
    10 00 01 02 <snip> c0 36 01 46
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> bd da 9f be
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> e0 1a ed 80
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDbDCC<snip>vJ5zjQ==
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1941 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 1F5249D065AE60C8527ED34EDF40BA8B2DF929A1A84FDA3EC3DA5F23A5DE9BBD
    Session-ID-ctx:
    Master-Key: 1ABB212506B7D5D156E782265D1ADC35D22102CCD0DFB6AFD4AF3B1B65473EFF535A9D4F7BE0F6AC88F5439ADDAE5F94
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440586026
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##

##
## mod_nss conf for reference
##
[root@apollo ~]# grep -Pv '#\s' /etc/httpd/conf.d/nss.conf
LoadModule nss_module modules/libmodnss.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
NSSRenegotiation off
#NSSRenegotiation on
NSSRequireSafeNegotiation off
#NSSRequireSafeNegotiation on
<VirtualHost _default_:443>
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel debug
NSSEngine on
#NSSFIPS on
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
#NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha
NSSCipherSuite +ecdhe_rsa_aes_256_sha,+rsa_aes_256_sha
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
Include conf.d/ipa-rewrite.conf
</VirtualHost>
##

##
## httpd.conf for reference
##
Listen 80
ServerTokens Prod
ServerSignature Off
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 10
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>
<IfModule worker.c>
StartServers 5
MaxClients 256
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
Include conf.d/*.conf
User apache
Group apache
ServerAdmin [email protected]
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
Options None
AllowOverride None
</Directory>
<Directory "/var/www/html">
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
Options -Indexes -MultiViews SymLinksifOwnerMatch IncludesNoExec
AllowOverride None
Order allow,deny
Allow from all
</Directory>
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
TypesConfig /etc/mime.types
DefaultType text/plain
EnableMMAP off
EnableSendfile off
LogLevel debug
ErrorLog logs/error_log
LogFormat "%h %a %u %l %t %A %H %m %U \"%r\" %s %>s \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
TraceEnable Off
LimitRequestBody 2147483647
LimitRequestFields 200
LimitRequestFieldSize 8190
LimitRequestLine 8190
DefaultLanguage en
AddLanguage en .en
LanguagePriority en
ForceLanguagePriority Prefer Fallback
AddDefaultCharset UTF-8
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
AddHandler type-map var
Alias /error/ "/var/www/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
<Directory "/var/www/error">
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
AllowOverride None
Options -Indexes IncludesNoExec -MultiViews
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
</Directory>
</IfModule>
</IfModule>
<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
##

--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.
________________________________________
From: Fraser Tweedale [[email protected]]
Sent: Monday, August 24, 2015 10:20 AM
To: Arnold, Paul C CTR USARMY PEO STRI (US)
Cc: [email protected]
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying
> to figure this one out. I'm hoping I am missing something simple, as my next
> course of action is to completely re-install IPA.
>
>
> This is the primary error I am receiving:
>
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
>
Dogtag raises this exception when it expected but did not receive a client certificate. The `ipaCert' certificate from /etc/httpd/alias is the certificate used by FreeIPA to talk to Dogtag. If `ipaCert' is not expired, there must be some other reason the client is not sending the cert.

Is Dogtag in FIPS mode?

Can you export the certificate and try and connect to the server using, e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
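As an added example (not code from this thread, FreeIPA or Dogtag), a small Python audit of an `openssl s_client -state -msg` transcript like the ones posted above: it reports whether the server ever sent a CertificateRequest (without one the client has no opportunity to present ipaCert, however valid it is, which is the mod_nss NSSVerifyClient gap discussed in the thread), plus the negotiated protocol and cipher. The embedded transcript is a constructed excerpt of the port 9444 output with the hex dumps dropped.

```python
import re

# Constructed excerpt of the port 9444 transcript from the thread above
# (hex dumps snipped; only the lines the audit needs are kept).
SAMPLE_9444 = """\
>>> TLS 1.2 Handshake [length 00f4], ClientHello
<<< TLS 1.0 Handshake [length 0051], ServerHello
<<< TLS 1.0 Handshake [length 070c], Certificate
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 0 (ok)
"""

def audit_s_client(transcript):
    """Summarise an s_client -state -msg transcript from the client-certificate
    point of view: did the server ask for one, and what did it negotiate?"""
    msgs = re.findall(r"^(<<<|>>>) \S+ \S+ Handshake \[length [0-9a-f]+\], (\w+)",
                      transcript, re.M)
    server_msgs = [name for direction, name in msgs if direction == "<<<"]
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", transcript, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", transcript, re.M)
    verify = re.search(r"Verify return code: (\d+)", transcript)
    result = {
        # Only a server-sent CertificateRequest lets the client offer a cert;
        # "No client certificate CA names sent" is the visible symptom of its absence.
        "client_cert_requested": "CertificateRequest" in server_msgs,
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "verify_ok": bool(verify) and verify.group(1) == "0",
    }
    findings = []
    if not result["client_cert_requested"]:
        findings.append("server never sent CertificateRequest")
    if result["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol %s negotiated" % result["protocol"])
    if result["cipher"] and "RC4" in result["cipher"]:
        findings.append("RC4 cipher negotiated")
    result["findings"] = findings
    return result

if __name__ == "__main__":
    print(audit_s_client(SAMPLE_9444))
```

Run it against a transcript captured with `-cert`/`-key` pointing at the exported ipaCert to confirm whether the server side actually asks for the certificate before looking at the certificate itself.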
