Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

2017-04-26 Thread Andrew Krause
I had to let this sit for a few days, but now that I try again I can remove and 
re-add the host (using CLI).  The web UI still presents an error though: IPA 
Error 4302: CertificateFormatError   Certificate format error: 
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old 
unsupported format.  

This is an error I ran into when working with renewing certs while referring to 
the wrong path for the certificate database (path changed with versions and I 
was unaware).  Why this is happening in the web UI though still eludes me.  The 
test host I removed via CLI and then added with the ipa-client-install command 
still does not show “Enrolled” status when I do a search for it in the UI, and 
the error above is displayed when this host shows up in results, or when I 
click on the link to the host page.  Is it possible that Apache is 
misconfigured?  I’m including my dirsrv and Apache log excerpts from 
when I try to load the host page.  I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake 
failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] 
host/clienthost.domain2@domain.com: 
cert_request(u'...',
 principal=u'host/clienthost.domain2@domain.com', add=True, 
version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol:  Unknown 
protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher 
aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher 
aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher 
rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher 
rsa_aes_256_gcm_sha_384
Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH 
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 
nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 
nentries=1 etime=0
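As an added example that is not part of the thread, here is a small Python triage script for mod_nss error_log lines like the Apache excerpt above. Two facts it relies on: in NSS, -8179 is SEC_ERROR_UNKNOWN_ISSUER (httpd could not chain the remote server's certificate to an issuer it trusts), and mod_nss prints "Unknown cipher"/"Unknown protocol" while parsing NSSCipherSuite/NSSProtocol in nss.conf when a name is not known to the NSS build it is linked against, which is a configuration mismatch independent of the trust failure. In this excerpt the trust failure sits right next to a cert_request that ended in NetworkError, which is worth correlating. The sample lines are the excerpt re-joined one record per line; the function names and the NSS_ERRORS table (a subset transcribed from secerr.h) are mine.

```python
import re
from collections import Counter

# Subset of NSS error codes, transcribed from NSS secerr.h
# (SEC_ERROR_BASE = -8192; each code is BASE + a small offset).
NSS_ERRORS = {
    -8192: "SEC_ERROR_IO",
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8177: "SEC_ERROR_BAD_PASSWORD",
    -8174: "SEC_ERROR_BAD_DATABASE",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
}

# Apache error_log record: [timestamp] [level] [pid N] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
# mod_nss reports NSS failures as a signed decimal code
NSS_CODE_RE = re.compile(r"(?:SSL Library Error|Bad remote server certificate): (-\d+)")
# mod_nss rejecting names from NSSCipherSuite / NSSProtocol in nss.conf
CIPHER_RE = re.compile(r"^Unknown cipher (\S+)")
PROTO_RE = re.compile(r"^NSSProtocol:\s+Unknown protocol '([^']+)'")
# IPA framework line: "ipa: LEVEL: [server] principal: command(args): ExceptionName"
IPA_FAIL_RE = re.compile(r"^ipa: \w+: \[\w+\] (?P<who>\S+): (?P<cmd>\w+)\(.*\): (?P<exc>\w+)$")


def triage(lines):
    """Bucket error_log lines into NSS library error codes, cipher/protocol names
    mod_nss did not recognise (a config problem, not a TLS failure) and IPA API
    calls that ended in an exception."""
    found = {"nss_errors": Counter(), "unknown_ciphers": [],
             "unknown_protocols": [], "ipa_failures": []}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        m_code = NSS_CODE_RE.search(msg)
        if m_code:
            found["nss_errors"][int(m_code.group(1))] += 1
            continue
        m_c = CIPHER_RE.match(msg)
        if m_c:
            found["unknown_ciphers"].append(m_c.group(1))
            continue
        m_p = PROTO_RE.match(msg)
        if m_p:
            found["unknown_protocols"].append(m_p.group(1))
            continue
        m_i = IPA_FAIL_RE.match(msg)
        if m_i:
            found["ipa_failures"].append((m_i["who"], m_i["cmd"], m_i["exc"]))
    return found


def report(found):
    """Human-readable summary, one finding per line."""
    out = []
    for code, n in sorted(found["nss_errors"].items()):
        out.append("NSS error %d (%s) seen %d time(s)"
                   % (code, NSS_ERRORS.get(code, "code not in table"), n))
    if found["unknown_protocols"] or found["unknown_ciphers"]:
        out.append("mod_nss rejected %d protocol and %d cipher name(s) from nss.conf; "
                   "check NSSProtocol/NSSCipherSuite against the installed mod_nss and nss"
                   % (len(found["unknown_protocols"]), len(found["unknown_ciphers"])))
    for who, cmd, exc in found["ipa_failures"]:
        out.append("IPA call %s by %s failed with %s" % (cmd, who, exc))
    return out


# Constructed sample: the wrapped lines of the excerpt above, re-joined one per line.
SAMPLE_LOG = """\
[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] host/clienthost.domain2@domain.com: cert_request(u'...', principal=u'host/clienthost.domain2@domain.com', add=True, version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol:  Unknown protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher aes_128_sha_256
[Wed Apr 26 14:37:15.235651 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_128_gcm_sha_256
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Feed it `/var/log/httpd/error_log` instead of the sample to get counts per NSS code for a real window; a code missing from the table is reported by number so nothing is silently dropped.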

Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

2017-04-20 Thread Rob Crittenden
Andrew Krause wrote:
> Sorry for the self bump but no one has any insight on this?
> 
> 
>> On Apr 17, 2017, at 11:31 AM, Andrew Krause 
>>  wrote:
>>
>> Many hosts in our web UI show a null status for “enrolled”.  When you do a 
>> search that includes any of these host objects the web UI posts errors, and 
>> if you click on one of the problem hosts the same error stops anything from 
>> loading on the host page.  
>>
>> I’ve been trying to solve this problem on my own for quite some time and 
>> have not been successful.  It’s impossible to remove the host through the 
>> web UI and using CLI commands seems to remove the entry from IPA (host is not 
>> found with ipa host-find), but it is still visible in the UI.  One thing 
>> that may be common with all of these hosts is that they were enrolled with 
>> our IPA system back while we were running version 3.0 and likely have had 
>> issues for quite some time.  Multiple updates have happened since then, and 
>> all of our hosts added within the last year are working fine.  I suspect 
>> there’s an issue with a path somewhere for a certificate database, but I’m 
>> unable to pinpoint what is going wrong.  

It should not be possible to have different views in the UI and the CLI
since they make the same backend calls. What you'd want to do, hopefully
on a semi-quiet system, is to do a host-find on the CLI and then list
all hosts in the UI and compare the logs in /var/log/httpd/error_log and
look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
a buffered log so be patient).

They should be doing more or less the exact same set of queries.

Very doubtful that this has anything to do with certs. Anything on the
client would be completely separate from what is on the server.

One thing you may be seeing though is that in 3.0 clients a host
certificate was obtained for it. This was dropped with 4.0, but it
wouldn't affect any visibility on the server.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
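Rob's procedure above (host-find on the CLI, the same listing in the UI, then compare what each sent to 389-ds) can be done mechanically rather than by eye. The following is an added example and not code from the thread or from the FreeIPA project: it pairs SRCH and RESULT records in /var/log/dirsrv/slapd-REALM/access by their conn/op numbers, profiles each capture by base, scope and filter, and diffs two captures so that queries only one side issued, or that returned different result codes, stand out. The two sample captures reuse the o=ipaca records from the dirsrv excerpt earlier on the page, re-joined one per line; the cn=computers records on the UI side are constructed to show a UI-only query and a search whose RESULT has not been flushed yet (the access log is buffered, as Rob notes), and their filter is illustrative, not what IPA actually sends.

```python
import re
from collections import Counter

# 389-ds access log records, one operation per (conn, op) pair:
#   [ts] conn=N op=M SRCH base="..." scope=S filter="..." attrs="..."
#   [ts] conn=N op=M RESULT err=E tag=T nentries=K etime=...
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>[012]) filter="(?P<filter>[^"]*)"'
    r'(?: attrs="(?P<attrs>[^"]*)")?')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)')

# RFC 4511 resultCode names for the values that usually explain a UI/CLI mismatch
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}
SCOPE = {"0": "base", "1": "one", "2": "sub"}


def pair_searches(lines):
    """Join each SRCH with its RESULT by (conn, op). Returns (completed, pending);
    pending holds searches whose RESULT has not reached the log yet."""
    pending, done = {}, []
    for line in lines:
        m = SRCH_RE.match(line.strip())
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line.strip())
        if m:
            srch = pending.pop((m["conn"], m["op"]), None)
            if srch is not None:
                srch["err"] = int(m["err"])
                srch["nentries"] = int(m["nentries"])
                done.append(srch)
    return done, pending


def profile(lines):
    """Aggregate one capture by (base, scope, filter) -> count and result-code mix."""
    prof = {}
    done, _ = pair_searches(lines)
    for s in done:
        key = (s["base"], SCOPE[s["scope"]], s["filter"])
        entry = prof.setdefault(key, {"count": 0, "results": Counter()})
        entry["count"] += 1
        entry["results"][LDAP_RESULT.get(s["err"], "err=%d" % s["err"])] += 1
    return prof


def diff_profiles(cli, ui):
    """Queries only one side issued, or whose result codes differ between sides."""
    out = []
    for key in sorted(set(cli) | set(ui)):
        a, b = cli.get(key), ui.get(key)
        if a is None:
            out.append(("ui-only", key, dict(b["results"])))
        elif b is None:
            out.append(("cli-only", key, dict(a["results"])))
        elif a["results"] != b["results"]:
            out.append(("differs", key, dict(a["results"]), dict(b["results"])))
    return out


# Constructed captures. The o=ipaca records are the dirsrv excerpt above re-joined
# one per line; the cn=computers records are invented (filter is illustrative only).
CLI_LOG = """\
[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=1 etime=0
"""
UI_LOG = CLI_LOG + """\
[26/Apr/2017:14:52:01.000000000 -0500] conn=21 op=3 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(fqdn=clienthost.domain2)" attrs="fqdn"
[26/Apr/2017:14:52:01.000100000 -0500] conn=21 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:01.000200000 -0500] conn=21 op=4 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(fqdn=clienthost.domain2)" attrs="*"
"""

if __name__ == "__main__":
    for row in diff_profiles(profile(CLI_LOG.splitlines()), profile(UI_LOG.splitlines())):
        print(row)
    print("pending (RESULT not flushed yet):", list(pair_searches(UI_LOG.splitlines())[1]))
```

Capture each session into its own file (note the timestamps before and after the CLI run, then the UI run) and wait for the buffer to flush before cutting the slices; anything still listed as pending at the end of a slice should be re-checked rather than counted as a difference.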

Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

2017-04-20 Thread Andrew Krause
Sorry for the self bump but no one has any insight on this?


> On Apr 17, 2017, at 11:31 AM, Andrew Krause 
>  wrote:
> 
> Many hosts in our web UI show a null status for “enrolled”.  When you do a 
> search that includes any of these host objects the web UI posts errors, and 
> if you click on one of the problem hosts the same error stops anything from 
> loading on the host page.  
> 
> I’ve been trying to solve this problem on my own for quite some time and have 
> not been successful.  It’s impossible to remove the host through the web UI 
> and using CLI commands seems to remove the entry from IPA (host is not found 
> with ipa host-find), but it is still visible in the UI.  One thing that may 
> be common with all of these hosts is that they were enrolled with our IPA 
> system back while we were running version 3.0 and likely have had issues for 
> quite some time.  Multiple updates have happened since then, and all of our 
> hosts added within the last year are working fine.  I suspect there’s an 
> issue with a path somewhere for a certificate database, but I’m unable to 
> pinpoint what is going wrong.  
> 
> 
> I’m currently cloning 2 of my IPA servers into a private DMZ to test fixes so 
> I can try things without worry...
> 
> 1. Realized we had many certificates that were expired and not renewing with 
> “getcert list” on primary IPA server
> 2. Tried every document I could find on renewing the certificates but was 
> never completely successful (on version 4.1 which is our current in 
> production)
> 3. Upgraded to 4.4 and was actually able to renew all certificates listed on 
> the main IPA server showing current below 
> 4. After having success with #3 I was able to start the CA service without 
> error and everything on the server seems to be working as expected
> 5. Have attempted many variations of removing a problem host and adding it 
> back, but the errors in the web UI persist. 
> 
> Output from "getcert list": 
> 
> Number of certificates and requests being tracked: 8.
> Request ID '20160901214852':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Audit,O=DOMAIN.COM
>   expires: 2018-08-22 22:13:44 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214853':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=OCSP Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:26 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214854':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:18 UTC
>   key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214855':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate 

[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

2017-04-17 Thread Andrew Krause
Many hosts in our web UI show a null status for “enrolled”.  When you do a 
search that includes any of these host objects the web UI posts errors, and if 
you click on one of the problem hosts the same error stops anything from 
loading on the host page.  

I’ve been trying to solve this problem on my own for quite some time and have 
not been successful.  It’s impossible to remove the host through the web UI and 
using CLI commands seems to remove the entry from IPA (host is not found with 
ipa host-find), but it is still visible in the UI.  One thing that may be 
common with all of these hosts is that they were enrolled with our IPA system 
back while we were running version 3.0 and likely have had issues for quite 
some time.  Multiple updates have happened since then, and all of our hosts 
added within the last year are working fine.  I suspect there’s an issue with a 
path somewhere for a certificate database, but I’m unable to pinpoint what is 
going wrong.  


I’m currently cloning 2 of my IPA servers into a private DMZ to test fixes so I 
can try things without worry...

1. Realized we had many certificates that were expired and not renewing with 
“getcert list” on primary IPA server
2. Tried every document I could find on renewing the certificates but was never 
completely successful (on version 4.1 which is our current in production)
3. Upgraded to 4.4 and was actually able to renew all certificates listed on 
the main IPA server showing current below 
4. After having success with #3 I was able to start the CA service without 
error and everything on the server seems to be working as expected
5. Have attempted many variations of removing a problem host and adding it 
back, but the errors in the web UI persist. 

Output from "getcert list": 

Number of certificates and requests being tracked: 8.
Request ID '20160901214852':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2018-08-22 22:13:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214853':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:26 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214854':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:18 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214855':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2036-09-01 05:05:00 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save
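The expired-and-not-renewing certificates found in step 1 are the kind of thing to catch before the CA stops. The following is an added example, not code from the thread or from certmonger: a parser for `getcert list` output plus a check that flags tracked requests that are not in MONITORING, are stuck, have auto-renew off, are expired, or expire within a window. The sample reuses the first two tracked entries as posted above, wrapped by the mail client the way they appear on the page (the parser treats non-field lines as continuations, so raw `getcert list` output parses the same), and adds one constructed CA_UNREACHABLE entry for a hypothetical 389-ds Server-Cert so the failure path is exercised; that entry's request ID, paths and dates are invented, and the "tracked: 3" header is adjusted to match.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

REQ_RE = re.compile(r"^Request ID '([^']+)':$")
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z -]*): ?(.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Parse `getcert list` output into one dict per tracked request. A line that
    does not start a 'key: value' field is appended to the previous field, which
    makes mail-wrapped output parse like the raw output."""
    certs, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
            last_key = None
            continue
        if cur is None:
            continue  # header such as "Number of certificates and requests being tracked: N."
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            cur[last_key] = m.group(2).strip()
        elif last_key:
            cur[last_key] = (cur[last_key] + " " + line).strip()
    return certs


def parse_utc(s):
    """'2018-08-22 22:13:44 UTC' (getcert's format) -> aware datetime."""
    return datetime.strptime(s.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_tracking(certs, now, warn_days=30):
    """Return (request_id, nickname, problem) for every request certmonger is not
    quietly renewing as of `now`."""
    problems = []
    for c in certs:
        m = NICK_RE.search(c.get("certificate", ""))
        nick = m.group(1) if m else c.get("subject", "?")
        rid = c["request_id"]
        status = c.get("status", "?")
        if status != "MONITORING":
            problems.append((rid, nick, "status=" + status))
        if c.get("stuck") == "yes":
            problems.append((rid, nick, "stuck"))
        if c.get("auto-renew") != "yes":
            problems.append((rid, nick, "auto-renew=no"))
        if "expires" in c:
            exp = parse_utc(c["expires"])
            if exp <= now:
                problems.append((rid, nick, "expired"))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((rid, nick, "expires-soon"))
    return problems


# Constructed sample: two entries as posted above (mail-wrapped) plus one invented
# CA_UNREACHABLE entry for a hypothetical directory server certificate.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160901214852':
  status: MONITORING
  stuck: no
  key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
  certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOMAIN.COM
  subject: CN=CA Audit,O=DOMAIN.COM
  expires: 2018-08-22 22:13:44 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20160901214853':
  status: MONITORING
  stuck: no
  key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
  certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOMAIN.COM
  subject: CN=OCSP Subsystem,O=DOMAIN.COM
  expires: 2018-08-22 21:49:26 UTC
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20170301000000':
  status: CA_UNREACHABLE
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=DOMAIN.COM
  subject: CN=ipa.domain.com,O=DOMAIN.COM
  expires: 2017-03-01 00:00:00 UTC
  track: yes
  auto-renew: yes
"""

if __name__ == "__main__":
    # `getcert list | python3 this_script.py` checks a live system; otherwise the sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rid, nick, problem in check_tracking(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%s  %-32s %s" % (rid, nick, problem))
```

The warning window is deliberately wider than certmonger's own renewal lead time so that a request that should already have renewed but has not is reported as "expires-soon" before it becomes "expired".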