Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
I had to let this sit for a few days, but now that I try again I can remove and re-add the host (using CLI). The web UI still presents an error though:

IPA Error 4302: CertificateFormatError
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old unsupported format.

This is an error I ran into when working with renewing certs while referring to the wrong path for the certificate database (path changed with versions and I was unaware). Why this is happening in the web UI though still eludes me. The test host I removed via CLI and then added with the ipa-client-install command still does not show “Enrolled” status when I do a search for it in the UI, and the error above is displayed when this host shows up in results, or when I click on the link to the host page.

Is it possible that Apache is misconfigured? I’m including my dirsrv and apache access log excerpts from when I try to load the host page. I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] host/clienthost.domain2@domain.com: cert_request(u'...', principal=u'host/clienthost.domain2@domain.com', add=True, version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol: Unknown protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher rsa_aes_256_gcm_sha_384

Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=1 etime=0
Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Andrew Krause wrote:
> Sorry for the self bump but no one has any insight on this?
>
>> On Apr 17, 2017, at 11:31 AM, Andrew Krause wrote:
>>
>> Many hosts in our web ui show a null status for “enrolled”. When you do a
>> search that includes any of these host objects the web UI posts errors, and
>> if you click on one of the problem hosts the same error stops anything from
>> loading on the host page.
>>
>> I’ve been trying to solve this problem on my own for quite some time and
>> have not been successful. It’s impossible to remove the host through the
>> web UI, and using CLI commands seems to remove the entry from IPA (host is not
>> found with ipa host-find), but it is still visible in the UI. One thing
>> that may be common with all of these hosts is that they were enrolled with
>> our IPA system back while we were running version 3.0 and likely have had
>> issues for quite some time. Multiple updates have happened since then, and
>> all of our hosts added within the last year are working fine. I suspect
>> there’s an issue with a path somewhere for a certificate database, but I’m
>> unable to pinpoint what is going wrong.

It should not be possible to have different views in the UI and the CLI since they make the same backend calls.

What you'd want to do, hopefully on a semi-quiet system, is to do a host-find on the CLI and then list all hosts in the UI and compare the logs in /var/log/httpd/error_log and look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is a buffered log so be patient). They should be doing more or less the exact same set of queries.

Very doubtful that this has anything to do with certs. Anything on the client would be completely separate from what is on the server. One thing you may be seeing though is that in 3.0 clients a host certificate was obtained for it. This was dropped with 4.0, but it wouldn't affect any visibility on the server.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
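Rob's suggestion is to capture the LDAP searches that `ipa host-find` and the web UI host list each cause in /var/log/dirsrv/slapd-REALM/access and compare them. The script below is an added example, not FreeIPA or 389-ds code and not from anyone in the thread: it joins each SRCH line with its RESULT line on (conn, op), reduces every search to the part that should agree between the two windows (base DN, scope, filter), and reports searches only one side issued plus any that returned an LDAP error. The two ou=sessions lines are the ones Andrew posted; the cn=computers search is constructed for illustration, as are the conn/op numbers.

```python
"""Diff the LDAP searches recorded in a 389-ds access log for two operations.

Added example, not FreeIPA code: implements the CLI-vs-UI comparison from the
thread over the SRCH/RESULT lines in /var/log/dirsrv/slapd-REALM/access.
"""
import re
from collections import Counter

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)'
)


def parse_access_log(text):
    """One dict per SRCH, with err/nentries filled in from the RESULT line that
    shares its (conn, op). A SRCH whose RESULT has not been flushed yet (the
    access log is buffered) keeps err=None."""
    pending, searches = {}, []
    for line in text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            rec = {"conn": int(m["conn"]), "op": int(m["op"]),
                   "base": m["base"], "scope": int(m["scope"]),
                   "filter": m["filter"], "err": None, "nentries": None}
            pending[(rec["conn"], rec["op"])] = rec
            searches.append(rec)
            continue
        m = RESULT_RE.match(line)
        if m:
            # RESULT lines for non-search ops (BIND, MOD, ...) have no pending SRCH
            rec = pending.pop((int(m["conn"]), int(m["op"])), None)
            if rec is not None:
                rec["err"] = int(m["err"])
                rec["nentries"] = int(m["nentries"])
    return searches


def query_shape(rec):
    """What should agree between CLI and UI: base DN (case-insensitive),
    scope and filter. conn/op numbers and timestamps naturally differ."""
    return (rec["base"].lower(), rec["scope"], rec["filter"])


def compare_windows(cli_text, ui_text):
    """Searches only one side issued, plus any that returned an LDAP error code
    (err=32 is noSuchObject, i.e. the base DN does not exist)."""
    cli, ui = parse_access_log(cli_text), parse_access_log(ui_text)
    cli_shapes = Counter(map(query_shape, cli))
    ui_shapes = Counter(map(query_shape, ui))
    return {
        "only_cli": sorted(cli_shapes - ui_shapes),
        "only_ui": sorted(ui_shapes - cli_shapes),
        "cli_errors": [(r["base"], r["err"]) for r in cli if r["err"] not in (None, 0)],
        "ui_errors": [(r["base"], r["err"]) for r in ui if r["err"] not in (None, 0)],
    }


# Constructed sample windows. The cn=computers search and its conn/op numbers
# are invented; the two ou=sessions lines are the ones posted in the thread.
CLI_WINDOW = """\
[26/Apr/2017:14:50:01.000000000 -0500] conn=5 op=10 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=1 filter="(objectClass=ipaHost)" attrs="fqdn"
[26/Apr/2017:14:50:01.000100000 -0500] conn=5 op=10 RESULT err=0 tag=101 nentries=2 etime=0
"""

UI_WINDOW = """\
[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.000000000 -0500] conn=8 op=8117 SRCH base="CN=computers,cn=accounts,dc=domain,dc=com" scope=1 filter="(objectClass=ipaHost)" attrs="fqdn"
[26/Apr/2017:14:51:55.000100000 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=2 etime=0
"""

if __name__ == "__main__":
    for key, value in compare_windows(CLI_WINDOW, UI_WINDOW).items():
        print(f"{key}: {value}")
```

On a real server the two windows are cut from the access log by timestamp, one around the CLI run and one around the UI page load; the report then shows exactly which extra or failing queries the UI path makes, which is the evidence Rob asks for before looking anywhere near the certificate databases.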
Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Sorry for the self bump but no one has any insight on this?

> On Apr 17, 2017, at 11:31 AM, Andrew Krause wrote:
>
> Many hosts in our web ui show a null status for “enrolled”. When you do a
> search that includes any of these host objects the web UI posts errors, and
> if you click on one of the problem hosts the same error stops anything from
> loading on the host page.
>
> I’ve been trying to solve this problem on my own for quite some time and have
> not been successful. It’s impossible to remove the host through the web UI,
> and using CLI commands seems to remove the entry from IPA (host is not found
> with ipa host-find), but it is still visible in the UI. One thing that may
> be common with all of these hosts is that they were enrolled with our IPA
> system back while we were running version 3.0 and likely have had issues for
> quite some time. Multiple updates have happened since then, and all of our
> hosts added within the last year are working fine. I suspect there’s an
> issue with a path somewhere for a certificate database, but I’m unable to
> pinpoint what is going wrong.
>
> I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so
> I can try things without worry...
>
> 1. Realized we had many certificates that were expired and not renewing with
> “getcert list” on primary IPA server
> 2. Tried every document I could find on renewing the certificates but was
> never completely successful (on version 4.1 which is our current in
> production)
> 3. Upgraded to 4.4 and was actually able to renew all certificates listed on
> the main IPA server showing current below
> 4. After having success with #3 I was able to start the CA service without
> error and everything on the server seems to be working as expected
> 5. Have attempted many variations of removing a problem host and adding it
> back, but the errors in the web UI persist.
>
> Output from "getcert list":
>
> Number of certificates and requests being tracked: 8.
> Request ID '20160901214852':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.COM
>     subject: CN=CA Audit,O=DOMAIN.COM
>     expires: 2018-08-22 22:13:44 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160901214853':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.COM
>     subject: CN=OCSP Subsystem,O=DOMAIN.COM
>     expires: 2018-08-22 21:49:26 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160901214854':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.COM
>     subject: CN=CA Subsystem,O=DOMAIN.COM
>     expires: 2018-08-22 21:49:18 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160901214855':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate
[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.

I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI, and using CLI commands seems to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.

I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so I can try things without worry...

1. Realized we had many certificates that were expired and not renewing with “getcert list” on primary IPA server
2. Tried every document I could find on renewing the certificates but was never completely successful (on version 4.1 which is our current in production)
3. Upgraded to 4.4 and was actually able to renew all certificates listed on the main IPA server showing current below
4. After having success with #3 I was able to start the CA service without error and everything on the server seems to be working as expected
5. Have attempted many variations of removing a problem host and adding it back, but the errors in the web UI persist.

Output from "getcert list":

Number of certificates and requests being tracked: 8.
Request ID '20160901214852':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-08-22 22:13:44 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20160901214853':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2018-08-22 21:49:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20160901214854':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2018-08-22 21:49:18 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20160901214855':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2036-09-01 05:05:00 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save
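Step 1 of the original post is the place where an admin first notices trouble: reading `getcert list` by eye for expired or stuck requests. The script below is an added example, not certmonger or FreeIPA code, that parses the text format shown above into one record per request and flags anything expired, expiring within a window, marked stuck, or in a state other than MONITORING. The sample output embedded in it is constructed in the same layout as the post (the first request copies the audit signing cert entry; the CA_UNREACHABLE request and the short expiry dates are invented to exercise the checks).

```python
"""Parse `getcert list` output and flag certificates needing attention.

Added example, not certmonger or FreeIPA code. It reads the text layout shown
in the thread and reports, per tracked request, whether the certificate is
expired, expiring soon, stuck, or in a state other than MONITORING.
"""
import re
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
# field lines are indented; keys may contain spaces/hyphens ("key pair storage")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?):\s*(?P<value>.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # e.g. "2018-08-22 22:13:44 UTC"


def parse_getcert_list(text):
    """One dict per request, keyed by certmonger's own field names
    ('status', 'stuck', 'expires', 'subject', 'key pair storage', ...)."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m["id"]}
            requests.append(current)
            continue
        if current is None:   # the "Number of certificates ..." header
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m["key"]] = m["value"]
    return requests


def parse_expiry(value):
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def check_certificates(requests, now, warn_within=timedelta(days=30)):
    """Map request_id -> list of problems, or ['ok'] when nothing is wrong."""
    findings = {}
    for req in requests:
        problems = []
        if "expires" in req:
            exp = parse_expiry(req["expires"])
            if exp <= now:
                problems.append("expired")
            elif exp - now <= warn_within:
                problems.append("expiring")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("status") != "MONITORING":
            problems.append("not-monitoring")
        findings[req["request_id"]] = problems or ["ok"]
    return findings


def audit(text, now_str):
    """Convenience wrapper; now_str uses the same 'YYYY-MM-DD HH:MM:SS UTC' format."""
    return check_certificates(parse_getcert_list(text), parse_expiry(now_str))


# Constructed sample: first entry mirrors the thread's audit signing cert, the
# other two are invented (a stuck CA_UNREACHABLE request and a near-expiry one).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160901214852':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-08-22 22:13:44 UTC
    track: yes
    auto-renew: yes
Request ID '20160901214853':
    status: CA_UNREACHABLE
    stuck: yes
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2017-03-01 00:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20160901214854':
    status: MONITORING
    stuck: no
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2017-05-10 00:00:00 UTC
    track: yes
    auto-renew: yes
"""

if __name__ == "__main__":
    for request_id, problems in audit(SAMPLE, "2017-04-17 00:00:00 UTC").items():
        print(request_id, ", ".join(problems))
```

Fed the real `getcert list` output (for example via `getcert list | python3 this_script.py` with a small stdin wrapper), the same checks give a quick inventory of which tracked certificates certmonger is actually going to renew and which it has given up on, which is the state the post describes having to discover by hand.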