Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Sigbjorn Lie

On 09/28/2011 03:33 AM, Adam Young wrote:
After talking with the PKI developer that is fixing this, I found out 
that one other file needs to be modified:



/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443





On 09/27/2011 07:55 PM, Adam Young wrote:


Siggi,

This is my comment in the ticket: 
https://fedorahosted.org/freeipa/ticket/1889


We are working on a tool in the PKI project that will perform these 
steps in an automated fashion.



There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by 
IPA in /var/lib/pki-ca. The first is


/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line 
<Engine name="Catalina" defaultHost="localhost">


Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>

+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>

    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>

  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
the directory /etc/httpd/conf.d






Sorry for the late reply.

I have performed the modifications you've suggested to 
/var/lib/pki-ca/conf/server.xml, and  
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.


In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
http.port=8080 and https.port=8443.


I could not find the file /etc/pki-ca/proxy.conf. I did find 
/usr/share/pki/ca/conf/proxy.conf, I copied this into /etc/httpd/conf.d 
and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.


Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.


What do you suggest doing next? :)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Adam Young

On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:

On 09/28/2011 03:33 AM, Adam Young wrote:
After talking with the PKI developer that is fixing this, I found out 
that one other file needs to be modified:



/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443





On 09/27/2011 07:55 PM, Adam Young wrote:


Siggi,

This is my comment in the ticket: 
https://fedorahosted.org/freeipa/ticket/1889


We are working on a tool in the PKI project that will perform these 
steps in an automated fashion.



There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by 
IPA in /var/lib/pki-ca. The first is


/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line 
<Engine name="Catalina" defaultHost="localhost">


Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>

+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>

    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>

  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
the directory /etc/httpd/conf.d






Sorry for the late reply.

I have performed the modifications you've suggested to 
/var/lib/pki-ca/conf/server.xml, and  
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.


In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
http.port=8080 and https.port=8443.


I could not find the file /etc/pki-ca/proxy.conf. I did find 
/usr/share/pki/ca/conf/proxy.conf, I copied this into 
/etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with 
localhost:9447.


Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.


What do you suggest doing next? :)


/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on


As I said, we are scripting this.  I should have had you hold out for 
the script.









Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Sigbjorn Lie

On 09/28/2011 11:35 PM, Adam Young wrote:

On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:

On 09/28/2011 03:33 AM, Adam Young wrote:
After talking with the PKI developer that is fixing this, I found 
out that one other file needs to be modified:



/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443





On 09/27/2011 07:55 PM, Adam Young wrote:


Siggi,

This is my comment in the ticket: 
https://fedorahosted.org/freeipa/ticket/1889


We are working on a tool in the PKI project that will perform these 
steps in an automated fashion.



There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by 
IPA in /var/lib/pki-ca. The first is


/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line 
<Engine name="Catalina" defaultHost="localhost">


Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>

+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>

    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>

  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
the directory /etc/httpd/conf.d






Sorry for the late reply.

I have performed the modifications you've suggested to 
/var/lib/pki-ca/conf/server.xml, and  
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.


In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
http.port=8080 and https.port=8443.


I could not find the file /etc/pki-ca/proxy.conf. I did find 
/usr/share/pki/ca/conf/proxy.conf, I copied this into 
/etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with 
localhost:9447.


Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.


What do you suggest doing next? :)


/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on


As I said, we are scripting this.  I should have had you hold out for 
the script.


:)

I see Ade Lee has posted the script now. I'll have a go at the script 
tomorrow.


Rgds,
Siggi



Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Adam Young

On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:

On 09/28/2011 11:35 PM, Adam Young wrote:

On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:

On 09/28/2011 03:33 AM, Adam Young wrote:
After talking with the PKI developer that is fixing this, I found 
out that one other file needs to be modified:



/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443





On 09/27/2011 07:55 PM, Adam Young wrote:


Siggi,

This is my comment in the ticket: 
https://fedorahosted.org/freeipa/ticket/1889


We are working on a tool in the PKI project that will perform 
these steps in an automated fashion.



There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed 
by IPA in /var/lib/pki-ca. The first is


/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line 
<Engine name="Catalina" defaultHost="localhost">


Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>

+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>

    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>

  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf 
in the directory /etc/httpd/conf.d






Sorry for the late reply.

I have performed the modifications you've suggested to 
/var/lib/pki-ca/conf/server.xml, and  
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.


In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
http.port=8080 and https.port=8443.


I could not find the file /etc/pki-ca/proxy.conf. I did find 
/usr/share/pki/ca/conf/proxy.conf, I copied this into 
/etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] 
with localhost:9447.


Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) 
An I/O error occurred during security authorization.


What do you suggest doing next? :)


/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on


As I said, we are scripting this.  I should have had you hold out for 
the script.


:)

I see Ade Lee has posted the script now. I'll have a go at the script 
tomorrow.


Rgds,
Siggi




Well, that script assumes the machine is in a certain state. I am not 
sure if your machine now qualifies. You should only need the nss.conf 
change, as that seems to match the error you are seeing.


Before you make any changes, try pointing a browser at

https://hostname/ca/ee/ca/getCertChain

And you should get a valid response: XML with a tag ChainBase64

This shows that Dogtag is being proxied correctly. The error you are 
seeing is due to the need to renegotiate the SSL handshake for the 
authed sections of the PKI-CA.





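The two checks Adam describes above, written out as an added Python example that is not part of this thread and not FreeIPA or Dogtag code: a helper that fetches /ca/ee/ca/getCertChain through the IPA httpd and pulls the chain out of the ChainBase64 element, and a parser for the NSSRenegotiation / NSSRequireSafeNegotiation directives that the nss.conf diff in the thread flips from off to on. Assumptions: the XML envelope around ChainBase64 and the DER sanity check are the example's own (the post only names the tag), the CA file path /etc/ipa/ca.crt is assumed, and the sample response and nss.conf texts are constructed so that everything except fetch_cert_chain() runs offline. Keeping NSSRequireSafeNegotiation on together with NSSRenegotiation on restricts the server to the RFC 5746 form of renegotiation, which is the state the diff ends up in.

```python
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def fetch_cert_chain(hostname, cafile="/etc/ipa/ca.crt"):
    """GET /ca/ee/ca/getCertChain through the IPA httpd on port 443.

    Needs a live server; cafile is assumed to hold the IPA CA certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = "https://%s/ca/ee/ca/getCertChain" % hostname
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def chain_from_response(body):
    """Return the DER bytes carried in <ChainBase64>, or None.

    None covers everything a mis-proxied CA produces: an httpd 404 page
    (HTML, not Dogtag's XML), an empty body, XML without the tag, or a
    tag whose content is not base64 / not DER.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(".//ChainBase64")
    text = "".join((node.text or "").split()) if node is not None else ""
    if not text:
        return None
    try:
        der = base64.b64decode(text, validate=True)
    except ValueError:
        return None
    # Any DER-encoded PKCS#7 chain starts with a SEQUENCE tag (0x30).
    return der if der[:1] == b"\x30" else None


_RENEG = re.compile(r"^\s*(NSSRenegotiation|NSSRequireSafeNegotiation)\s+(\S+)")


def renegotiation_settings(nss_conf):
    """Read the two directives from nss.conf text.

    A directive that is absent is reported as 'off' here; the nss.conf in
    the thread sets both explicitly, so nothing is assumed about defaults.
    """
    settings = {"NSSRenegotiation": "off", "NSSRequireSafeNegotiation": "off"}
    for line in nss_conf.splitlines():
        m = _RENEG.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings


def renegotiation_ok(nss_conf):
    """True when renegotiation is enabled and limited to RFC 5746 safe renegotiation."""
    s = renegotiation_settings(nss_conf)
    return s["NSSRenegotiation"] == "on" and s["NSSRequireSafeNegotiation"] == "on"


# Constructed sample data. SAMPLE_DER is the smallest valid DER SEQUENCE and
# stands in for a real PKCS#7 chain; the XML envelope is an assumption.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_RESPONSE_OK = (
    "<XMLResponse><Status>0</Status><ChainBase64>%s</ChainBase64></XMLResponse>"
    % base64.b64encode(SAMPLE_DER).decode("ascii")
)
# What httpd returns for /ca/ when nothing proxies it: its own 404 page.
SAMPLE_RESPONSE_NOT_PROXIED = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1><p>/ca/ee/ca/getCertChain was not found.</p></body></html>"
)
# The two states of nss.conf from the diff posted in this thread (orig vs. modified).
NSS_CONF_BEFORE = "NSSRenegotiation off\nNSSRequireSafeNegotiation off\n"
NSS_CONF_AFTER = "NSSRenegotiation on\nNSSRequireSafeNegotiation on\n"

if __name__ == "__main__":
    print("proxied CA, chain:", chain_from_response(SAMPLE_RESPONSE_OK).hex())
    print("unproxied CA, chain:", chain_from_response(SAMPLE_RESPONSE_NOT_PROXIED))
    print("nss.conf before:", renegotiation_ok(NSS_CONF_BEFORE), renegotiation_settings(NSS_CONF_BEFORE))
    print("nss.conf after:", renegotiation_ok(NSS_CONF_AFTER))
```

Against a real server, `chain_from_response(fetch_cert_chain("ipasrv01.ix.test.com"))` returning bytes is the "Dogtag is being proxied correctly" signal from the post; None means the request never reached Dogtag or came back in a shape the CA does not produce.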

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie

On 09/27/2011 12:34 AM, Dmitri Pal wrote:

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:


Hi,

I have a host that refuses to be modified or deleted. I get the same 
error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all 
updates from the updates repository. I cannot find any error in any 
log. I have tried to reboot my ipa servers. All services seem to be 
running and have no issues.


The error message I receive is:

* Certificate operation cannot be completed: Unable to
  communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the 
certificate. It's still valid, and holds the same serial number as 
what is displayed using ipa host-show <hostname>.


Any suggestions?




Can you please send the sanitized apache logs?




These are the apache log lines that correspond to # ipa host-disable 
<hostname>, and # ipa cert-show <serialno>. I have no config files in my 
/etc/httpd/conf.d/ directory that contains any reference to the /ca 
directory. Also /var/www/html/ca does not exist.


I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file 
/etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist 
on any of my 3 IPA servers.


Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): 
SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not 
exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: 
host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): 
SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not 
exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: 
cert_show(u'268369923'): CertificateOperationError


access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] POST 
/ipa/xml HTTP/1.1 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] POST 
/ipa/xml HTTP/1.1 200 360



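The log excerpt above already contains the diagnosis once the lines are correlated: the IPA framework calls sslget on /ca/agent/ca/displayBySerial, httpd answers 404 and logs "File does not exist: /var/www/html/ca", so the request was served from DocumentRoot instead of being proxied to Dogtag, and the IPA command fails with CertificateOperationError. The following is an added Python example that does that correlation; it is not code from the thread or from FreeIPA. The log lines are the ones quoted above, re-quoted with the quote characters of the combined log format that the mail rendering dropped; the function names and the wording of the findings are the example's own.

```python
import re
from urllib.parse import urlsplit

# Log lines from the post above (error_log and access_log), used as input.
ERROR_LOG = """\
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
"""
ACCESS_LOG = """\
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
"""

_ERR = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
_SSLGET = re.compile(r"ipa: INFO: sslget '(?P<url>[^']+)'")
_MISSING = re.compile(r"File does not exist: (?P<path>\S+)")
_IPACALL = re.compile(r"ipa: INFO: \S+: (?P<op>\w+)\(.*\): (?P<result>\w+)$")
_ACCESS = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_error_log(text):
    """Classify error_log lines: the IPA framework logs its own INFO lines
    through httpd's error log, so CA calls and httpd file errors interleave."""
    events = []
    for line in text.splitlines():
        m = _ERR.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        s, f, c = _SSLGET.search(msg), _MISSING.search(msg), _IPACALL.match(msg)
        if s:
            events.append({"ts": ts, "kind": "sslget", "path": urlsplit(s.group("url")).path})
        elif f:
            events.append({"ts": ts, "kind": "file_missing", "path": f.group("path")})
        elif c:
            kind = "ipa_ok" if c.group("result") == "SUCCESS" else "ipa_error"
            events.append({"ts": ts, "kind": kind, "op": c.group("op"), "exc": c.group("result")})
    return events


def parse_access_log(text):
    """Combined-log-format lines as dicts with an integer status."""
    requests = []
    for line in text.splitlines():
        m = _ACCESS.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            requests.append(d)
    return requests


def diagnose(error_log, access_log):
    """Explain each failed IPA cert operation by the CA request made just before it."""
    events = parse_error_log(error_log)
    requests = parse_access_log(access_log)
    status_by_path = {r["path"]: r["status"] for r in requests if r["path"].startswith("/ca/")}
    served_from_docroot = any(e["kind"] == "file_missing" and e["path"].startswith("/var/www/html/ca")
                              for e in events)
    findings, last_ca_path = [], None
    for e in events:
        if e["kind"] == "sslget":
            last_ca_path = e["path"]
            status = status_by_path.get(e["path"])
            if status == 404 and served_from_docroot:
                findings.append("%s -> 404 from DocumentRoot: httpd has no ProxyPass for /ca/, "
                                "the request never reached Dogtag" % e["path"])
            elif status is not None and status >= 400:
                findings.append("%s -> %d from the backend" % (e["path"], status))
        elif e["kind"] == "ipa_error":
            findings.append("%s raised %s after %s" % (e["op"], e["exc"], last_ca_path))
    return findings


if __name__ == "__main__":
    for finding in diagnose(ERROR_LOG, ACCESS_LOG):
        print(finding)
```

The distinguishing signal is the pair (404 for a /ca/ path, "File does not exist: /var/www/html/ca"): a 404 that Dogtag itself returned would not come with an httpd DocumentRoot miss, which is why the second branch reports it separately.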

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie

On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:

On 09/27/2011 12:34 AM, Dmitri Pal wrote:

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:


Hi,

I have a host that refuses to be modified or deleted. I get the same 
error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + 
all updates from the updates repository. I cannot find any error in 
any log. I have tried to reboot my ipa servers. All services seem to 
be running and have no issues.


The error message I receive is:

* Certificate operation cannot be completed: Unable to
  communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the 
certificate. It's still valid, and holds the same serial number as 
what is displayed using ipa host-show <hostname>.


Any suggestions?




Can you please send the sanitized apache logs?




These are the apache log lines that correspond to # ipa host-disable 
<hostname>, and # ipa cert-show <serialno>. I have no config files in 
my /etc/httpd/conf.d/ directory that contains any reference to the /ca 
directory. Also /var/www/html/ca does not exist.


I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file 
/etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist 
on any of my 3 IPA servers.


Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: 
ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does 
not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: 
host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: 
ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does 
not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: 
cert_show(u'268369923'): CertificateOperationError


access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] POST 
/ipa/xml HTTP/1.1 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] POST 
/ipa/xml HTTP/1.1 200 360






I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied 
this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers 
seemed incorrect. They were pointing at ajp://localhost:9447/, which is 
a port that's not responding to anything. netstat -nat agrees...nothing 
there.


/etc/init.d/pki-cad status seem to indicate that the correct port is 
9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, and 
restarted httpd. And attempted to disable the host:


# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.


Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca 
yields:


Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad 
service have some cert issues?






Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Simo Sorce
On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
 On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: 
  On 09/27/2011 12:34 AM, Dmitri Pal wrote: 
   On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: 
Hi,


I have a host that refuses to be modified or deleted. I get the
same error from the webui and the cli. I am using F15, FreeIPA
2.1.1 + all updates from the updates repository. I cannot find
any error in any log. I have tried to reboot my ipa servers. All
services seem to be running and have no issues.


The error message I receive is:
  * Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

I have looked in the Dogtag Certificate Manager, and I can see
the certificate. It's still valid, and holds the same serial
number as what is displayed using ipa host-show <hostname>. 

Any suggestions?



   
   Can you please send the sanitized apache logs?
   
  
  
  These are the apache log lines that correspond to # ipa host-disable
  <hostname>, and # ipa cert-show <serialno>. I have no config files in
  my /etc/httpd/conf.d/ directory that contains any reference to
  the /ca directory. Also /var/www/html/ca does not exist.
  
  I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
  file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
  not exist on any of my 3 IPA servers.
  
  Should that file contain an alias and proxy rules for /ca/ ?
  
  
  error_log:
  [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com:
  ping(): SUCCESS
  [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
  'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
  [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
  not exist: /var/www/html/ca
  [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com:
  host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
  [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com:
  ping(): SUCCESS
  [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
  'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
  [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
  not exist: /var/www/html/ca
  [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com:
  cert_show(u'268369923'): CertificateOperationError
  
  access_log:
  192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200]
  POST /ipa/xml HTTP/1.1 200 259
  192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
  POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
  192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200]
  POST /ipa/xml HTTP/1.1 200 360
  192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200]
  POST /ipa/xml HTTP/1.1 200 259
  192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
  POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
  192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200]
  POST /ipa/xml HTTP/1.1 200 360
  
  
  
 
 I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
 copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
 numbers seemed incorrect. They were pointing at
 ajp://localhost:9447/, which is a port that's not responding to
 anything. netstat -nat agrees...nothing there.
 
 /etc/init.d/pki-cad status seem to indicate that the correct port is
 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
 and restarted httpd. And attempted to disable the host:
 
 # ipa host-disable bck01.ix.test.com
 ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
 I/O error occurred during security authorization.
 
 Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
 yields:
 
 Secure Connection Failed
 An error occurred during a connection to ipasrv01.ix.test.com:9443.
 SSL peer cannot verify your certificate.
 (Error code: ssl_error_bad_cert_alert)
 
 
 Am I heading in the incorrect direction here? Or does the pki-cad
 service have some cert issues?

In order for the proxy conf to work you need to have a version of dogtag
that properly supports it.

What version of dogtag are you running ?

(pki-* packages)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie

On 09/27/2011 10:46 PM, Simo Sorce wrote:

On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:

On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:

On 09/27/2011 12:34 AM, Dmitri Pal wrote:

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:

Hi,


I have a host that refuses to be modified or deleted. I get the
same error from the webui and the cli. I am using F15, FreeIPA
2.1.1 + all updates from the updates repository. I cannot find
any error in any log. I have tried to reboot my ipa servers. All
services seem to be running and have no issues.


The error message I receive is:
   * Certificate operation cannot be completed: Unable to
 communicate with CMS (Not Found)

I have looked in the Dogtag Certificate Manager, and I can see
the certificate. It's still valid, and holds the same serial
number as what is displayed using ipa host-show <hostname>.

Any suggestions?




Can you please send the sanitized apache logs?



These are the apache log lines that correspond to # ipa host-disable
<hostname>, and # ipa cert-show <serialno>. I have no config files in
my /etc/httpd/conf.d/ directory that contains any reference to
the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com:
ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com:
host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com:
ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com:
cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200]
POST /ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200]
POST /ipa/xml HTTP/1.1 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200]
POST /ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200]
POST /ipa/xml HTTP/1.1 200 360




I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
numbers seemed incorrect. They were pointing at
ajp://localhost:9447/, which is a port that's not responding to
anything. netstat -nat agrees...nothing there.

/etc/init.d/pki-cad status seem to indicate that the correct port is
9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
and restarted httpd. And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad
service have some cert issues?

In order for the proxy conf to work you need to have a version of dogtag
that properly supports it.

What version of dogtag are you running ?

(pki-* packages)

Simo.


pki-setup-9.0.12-1.fc15.noarch
pki-util-9.0.12-1.fc15.noarch
pki-silent-9.0.12-1.fc15.noarch
pki-symkey-9.0.12-1.fc15.x86_64
pki-selinux-9.0.12-1.fc15.noarch
pki-java-tools-9.0.12-1.fc15.noarch
pki-ca-9.0.12-1.fc15.noarch
pki-native-tools-9.0.12-1.fc15.x86_64
pki-common-9.0.12-1.fc15.noarch




Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young

On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:

On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:

On 09/27/2011 12:34 AM, Dmitri Pal wrote:

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:


Hi,

I have a host that refuses to be modified or deleted. I get the 
same error from the webui and the cli. I am using F15, FreeIPA 
2.1.1 + all updates from the updates repository. I cannot find any 
error in any log. I have tried to reboot my ipa servers. All 
services seem to be running and have no issues.


The error message I receive is:

  * Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the 
certificate. It's still valid, and holds the same serial number as 
what is displayed using ipa host-show <hostname>.


Any suggestions?




Can you please send the sanitized apache logs?




These are the apache log lines that correspond to # ipa host-disable 
<hostname>, and # ipa cert-show <serialno>. I have no config files in 
my /etc/httpd/conf.d/ directory that contains any reference to the 
/ca directory. Also /var/www/html/ca does not exist.


I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file 
/etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not 
exist on any of my 3 IPA servers.


Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: 
ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does 
not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: 
host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: 
ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 
'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does 
not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: 
cert_show(u'268369923'): CertificateOperationError


access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] POST 
/ipa/xml HTTP/1.1 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] POST 
/ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] POST 
/ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] POST 
/ipa/xml HTTP/1.1 200 360






I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I 
copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port 
numbers seemed incorrect. They were pointing at 
ajp://localhost:9447/, which is a port that's not responding to 
anything. netstat -nat agrees...nothing there.


/etc/init.d/pki-cad status seem to indicate that the correct port is 
9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, 
and restarted httpd. And attempted to disable the host:


# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.


Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca 
yields:


Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad 
service have some cert issues?


9447 was likely the right value.

I think the problem is with the Proxy configuration.  We are working on 
a script to upgrade  a non-proxied PKI (Dogtag) to a proxied version,  
but the ports set in the config file need to match the ports that the 
pki-ca web app is using.


I'm assuming from what you said above that you can talk to Dogtag 
directly on port 9443, but that the proxy is not set correctly for the 
HTTPD to AJP communication.


Have your server.xml and web.xml files in the PKI  configuration been 
modified to listen to AJP?  It should be something like:



<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" 
redirectPort="[PKI_AJP_REDIRECT_PORT]" />


In the server.xml file. The AJP port has to match what the file in 
/etc/httpd/conf.d/proxy.conf says. 9443 is, I think, the HTTPS 
port in your case, not the AJP port. AJP should be 9447.










We (Ade Lee) are working on a script to upgrade an existing Dogtag 
instance to use
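The agreement Adam describes above, and again in his three-file write-up further down in the thread, is that the AJP Connector port in server.xml, the ajp:// target in the httpd proxy conf, and an actual listener on that port must all line up. The script below checks exactly that; it is an added example, not FreeIPA or Dogtag code, and the server.xml and proxy conf contents are constructed to mirror the thread (an AJP Connector on 9447, a proxy conf edited to 9443); the ProxyPassMatch form of the proxy conf is an assumption.

```python
"""Check that httpd's ajp:// target matches Tomcat's AJP Connector port.

Added example, not FreeIPA or Dogtag code. The sample file contents are
constructed: the AJP Connector is on 9447, as in the thread, while the
proxy conf has been edited to 9443, the HTTPS port, which is the mismatch
Adam points out.
"""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed: minimal /var/lib/pki-ca/conf/server.xml fragment
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed: httpd proxy conf after the ajp:// target was changed to 9443
# (ProxyPassMatch lines are an assumed form of the file)
PROXY_CONF = """ProxyRequests Off
ProxyPassMatch ^/ca/ee/(.*)$ ajp://localhost:9443/ca/ee/$1
ProxyPassMatch ^/ca/agent/(.*)$ ajp://localhost:9443/ca/agent/$1
"""

def ajp_ports(server_xml):
    """Ports of every Connector with an AJP protocol, i.e. what Tomcat accepts AJP on."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")) for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")}

def proxied_ports(proxy_conf):
    """Ports that httpd forwards to via ajp://host:port in the proxy conf."""
    return {int(p) for p in re.findall(r"ajp://[^/\s:]+:(\d+)", proxy_conf)}

def mismatched_ports(server_xml, proxy_conf):
    """Proxy targets no AJP Connector serves; each one is a broken httpd->Tomcat hop."""
    return sorted(proxied_ports(proxy_conf) - ajp_ports(server_xml))

def port_listening(port, host="localhost", timeout=1.0):
    """The netstat check from the thread, done as a TCP connect probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print("AJP connectors:", sorted(ajp_ports(SERVER_XML)), "proxy targets:", sorted(proxied_ports(PROXY_CONF)))
    for port in mismatched_ports(SERVER_XML, PROXY_CONF):
        print(f"proxy conf points at {port}, which no AJP Connector serves; expected {sorted(ajp_ports(SERVER_XML))}")
    for port in ajp_ports(SERVER_XML):
        print(f"port {port} listening: {port_listening(port)}")
```

Even when the two files agree, a False from the listener probe means the Connector edit has not taken effect in the running pki-cad, which is the situation the netstat output above describes.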

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young

Siggi,

This is my comment in the ticket: 
https://fedorahosted.org/freeipa/ticket/1889


We are working on a tool in the PKI project that will perform these 
steps in an automated fashion.



There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA 
in /var/lib/pki-ca. The first is


/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line 
<Engine name="Catalina" defaultHost="localhost">


Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

   <init-param>
     <param-name>proxy_port</param-name>
     <param-value>443</param-value>
   </init-param>

+  <init-param>
+    <param-name>proxy_port</param-name>
+    <param-value>443</param-value>
+  </init-param>

   <init-param>
     <param-name>active</param-name>
     <param-value>true</param-value>
   </init-param>

 </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the 
directory /etc/httpd/conf.d





Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young
After talking with the PKI developer that is fixing this, I found out 
that one other file needs to be modified:



/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443


Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-26 Thread Sigbjorn Lie

Ticket opened:

https://bugzilla.redhat.com/show_bug.cgi?id=741458




Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-26 Thread Dmitri Pal

Can you please send the sanitized apache logs?



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-25 Thread Sigbjorn Lie

On 09/25/2011 11:49 PM, Sigbjorn Lie wrote:


Hi,

I have a host that refuses to be modified or deleted. I get the same 
error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all 
updates from the updates repository. I cannot find any error in any 
log. I have tried to reboot my ipa servers. All services seem to be 
running and have no issues.


The error message I receive is:

* Certificate operation cannot be completed: Unable to communicate
  with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the 
certificate. It's still valid, and holds the same serial number as 
what is displayed using ipa host-show hostname.


Any suggestions?



There was more than one host. I notice that the hosts with an issue are 
the Fedora 15 joined hosts. These were joined using the 
ipa-client-install command. Accessing any of these hosts in the gui 
yields the same error message.


However, I do not receive any error when looking at the host entry for my 
ipa servers, which are also Fedora 15.


The Red Hat 5 or Red Hat 6 joined hosts do not seem to have a 
certificate in the dogtag, and the error is not displayed when accessing 
these in the webui.



Rgds,
Siggi
