Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
christof.schu...@ww.uni-erlangen.de wrote:
> The FreeIPA 3.0.0 server is running on CentOS 6.5. The CA subsystem certificates have all been renewed and will not expire until 2016.
>
> I think the problems come from modifications a colleague did to /etc/httpd/ipa-pki-proxy.conf, /etc/httpd/nss.conf and /var/lib/pki-ca/conf/server.xml (without documentation, but they have different timestamps) when he wanted to enforce/enable higher-level encryption. I was able to reproduce some of his changes like StrictCypher and sslOptions, but I am not sure about the configuration of the ports of the connectors in /var/lib/pki-ca/conf/server.xml:
>
>     <Connector name="Agent" port="9443" ...
>     <!-- Port Separation: Admin Secure Port Connector -->
>     <Connector name="Admin" port="9445" ...
>     <!-- Port Separation: EE Secure Port Connector -->
>     <Connector name="EE" port="9444" ...
>     <!-- Port Separation: EE Secure Client Auth Port Connector -->
>     <Connector name="EEClientAuth" port="9446" ...
>     <!-- Define an AJP 1.3 Connector on port 9447 -->
>     <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>
> and the /etc/httpd/conf.d/ipa-pki-proxy.conf:
>
>     # VERSION 2 - DO NOT REMOVE THIS LINE
>     ProxyRequests Off
>
>     # matches for ee port
>     <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>         NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>         NSSVerifyClient none
>         #ProxyPassMatch ajp://localhost:9443
>         #ProxyPassReverse ajp://localhost:9443
>         ProxyPassMatch ajp://localhost:9447
>         ProxyPassReverse ajp://localhost:9447
>     </LocationMatch>
>
>     # matches for admin port and installer
>     <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
>         NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>         NSSVerifyClient none
>         #ProxyPassMatch ajp://localhost:9443
>         #ProxyPassReverse ajp://localhost:9443
>         ProxyPassMatch ajp://localhost:9447
>         ProxyPassReverse ajp://localhost:9447
>     </LocationMatch>
>
>     # matches for agent port and eeca port
>     <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
>         NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>         NSSVerifyClient require
>         #ProxyPassMatch ajp://localhost:9443
>         #ProxyPassReverse ajp://localhost:9443
>         ProxyPassMatch ajp://localhost:9447
>         ProxyPassReverse ajp://localhost:9447
>     </LocationMatch>
>
>     # Only enable this on servers that are not generating a CRL
>     #RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
>
> Is there an example configuration somewhere? When I deployed the system it was a rather default installation.

I've attached the config files from one of my working 3.0.0 masters.

rob

>> Christof Schulze wrote:
>>> Hello all,
>>>
>>> I am running a FreeIPA server on CentOS for 2 years now with mostly Ubuntu 12.04 and some Fedora 20 clients. For one week (or more) it has not been possible anymore to install new clients (neither Ubuntu nor Fedora). The host gets created on the IPA server, but it cannot create/exchange a host certificate. The only thing that happened (apart from regular updates) was a complete certificate renewal with no obvious problems some weeks ago. Web interface and certmonger show the same error.
>>>
>>> ipa-getcert list on the new hosts:
>>>
>>>     status: CA_UNREACHABLE
>>>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Invalid Request)).
>>>     stuck: yes
>>
>> Given the timeline I'd guess that your CA subsystem certificates have expired.
>>
>> On the IPA master run: getcert list (not ipa-getcert)
>>
>> This will show the current status of things.
>>
>> What version of IPA is this?
>>
>> rob

Attached ipa-pki-proxy.conf:

    # VERSION 2 - DO NOT REMOVE THIS LINE
    ProxyRequests Off

    # matches for ee port
    <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # matches for admin port and installer
    <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        ProxyPassMatch ajp://localhost:9447
[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
Hello all,

I am running a FreeIPA server on CentOS for 2 years now with mostly Ubuntu 12.04 and some Fedora 20 clients. For one week (or more) it has not been possible anymore to install new clients (neither Ubuntu nor Fedora). The host gets created on the IPA server, but it cannot create/exchange a host certificate. The only thing that happened (apart from regular updates) was a complete certificate renewal with no obvious problems some weeks ago. Web interface and certmonger show the same error.

ipa-getcert list on the new hosts:

    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Invalid Request)).
    stuck: yes

Debug log from the server as attachment.

C. Schulze

    [16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}.
    [16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}.
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet:service() uri = //ca/eeca/ca/profileSubmitSSLClient
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='cert_request' value='-BEGIN NEW CERTIFICATE REQUEST-
    MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm
    *
    KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
    /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
    -END NEW CERTIFICATE REQUEST-'
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='xml' value='true'
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
    [16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet: caProfileSubmitSSLClient start to service.
    [16/Oct/2014:10:15:02][TP-Processor3]: xmlOutput true
    [16/Oct/2014:10:15:02][TP-Processor3]: Start of ProfileSubmitServlet Input Parameters
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter cert_request='-BEGIN NEW CERTIFICATE REQUEST-
    MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm
    *
    KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
    /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
    -END NEW CERTIFICATE REQUEST-'
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter xml='true'
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
    [16/Oct/2014:10:15:02][TP-Processor3]: End of ProfileSubmitServlet Input Parameters
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: start serving
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: SubId=profile
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: isRenewal false
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: profileId caIPAserviceCert
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authenticator raCertAuth found
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmistServlet: set Inputs into profile Context
    [16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: set sslClientCertProvider
    [16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: start
    [16/Oct/2014:10:15:02][TP-Processor3]: authenticator instance name is raCertAuth
    [16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got provider
    [16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: retrieving client certificate
    [16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got certificates
    [16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
    [16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
    [16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
    [16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
    [16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
    [16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
    [16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
    [16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
    [16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
    [16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
    [16/Oct/2014:10:15:02][TP-Processor3]: check if ipara is in group Registration Manager Agents
    [16/Oct/2014:10:15:02][TP-Processor3]: UGSubsystem.isMemberOf() using new lookup code
    [16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
    [16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected:
Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
Christof Schulze wrote:
> Hello all,
>
> I am running a FreeIPA server on CentOS for 2 years now with mostly Ubuntu 12.04 and some Fedora 20 clients. For one week (or more) it has not been possible anymore to install new clients (neither Ubuntu nor Fedora). The host gets created on the IPA server, but it cannot create/exchange a host certificate. The only thing that happened (apart from regular updates) was a complete certificate renewal with no obvious problems some weeks ago. Web interface and certmonger show the same error.
>
> ipa-getcert list on the new hosts:
>
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Invalid Request)).
>     stuck: yes

Given the timeline I'd guess that your CA subsystem certificates have expired.

On the IPA master run: getcert list (not ipa-getcert)

This will show the current status of things.

What version of IPA is this?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
The FreeIPA 3.0.0 server is running on CentOS 6.5. The CA subsystem certificates have all been renewed and will not expire until 2016.

I think the problems come from modifications a colleague did to /etc/httpd/ipa-pki-proxy.conf, /etc/httpd/nss.conf and /var/lib/pki-ca/conf/server.xml (without documentation, but they have different timestamps) when he wanted to enforce/enable higher-level encryption. I was able to reproduce some of his changes like StrictCypher and sslOptions, but I am not sure about the configuration of the ports of the connectors in /var/lib/pki-ca/conf/server.xml:

    <Connector name="Agent" port="9443" ...
    <!-- Port Separation: Admin Secure Port Connector -->
    <Connector name="Admin" port="9445" ...
    <!-- Port Separation: EE Secure Port Connector -->
    <Connector name="EE" port="9444" ...
    <!-- Port Separation: EE Secure Client Auth Port Connector -->
    <Connector name="EEClientAuth" port="9446" ...
    <!-- Define an AJP 1.3 Connector on port 9447 -->
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

and the /etc/httpd/conf.d/ipa-pki-proxy.conf:

    # VERSION 2 - DO NOT REMOVE THIS LINE
    ProxyRequests Off

    # matches for ee port
    <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        #ProxyPassMatch ajp://localhost:9443
        #ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # matches for admin port and installer
    <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        #ProxyPassMatch ajp://localhost:9443
        #ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # matches for agent port and eeca port
    <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient require
        #ProxyPassMatch ajp://localhost:9443
        #ProxyPassReverse ajp://localhost:9443
        ProxyPassMatch ajp://localhost:9447
        ProxyPassReverse ajp://localhost:9447
    </LocationMatch>

    # Only enable this on servers that are not generating a CRL
    #RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

Is there an example configuration somewhere? When I deployed the system it was a rather default installation.

> Christof Schulze wrote:
>> Hello all,
>>
>> I am running a FreeIPA server on CentOS for 2 years now with mostly Ubuntu 12.04 and some Fedora 20 clients. For one week (or more) it has not been possible anymore to install new clients (neither Ubuntu nor Fedora). The host gets created on the IPA server, but it cannot create/exchange a host certificate. The only thing that happened (apart from regular updates) was a complete certificate renewal with no obvious problems some weeks ago. Web interface and certmonger show the same error.
>>
>> ipa-getcert list on the new hosts:
>>
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Invalid Request)).
>>     stuck: yes
>
> Given the timeline I'd guess that your CA subsystem certificates have expired.
>
> On the IPA master run: getcert list (not ipa-getcert)
>
> This will show the current status of things.
>
> What version of IPA is this?
>
> rob
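An added consistency check for the two files discussed in this thread (example code, not from the thread or the FreeIPA project): it reads the AJP/1.3 connector port from server.xml, confirms that every active ProxyPass* line in ipa-pki-proxy.conf forwards to that port and not to a stale one, and confirms that the block serving /ca/eeca/ca/profileSubmitSSLClient (the URI certmonger's request hits in the debug log above, where raCertAuth fetches the RA agent client certificate) still sets NSSVerifyClient require. The sample files are constructed here; the function names and the temp-file layout are assumptions.

```shell
# Added example (not from the thread): cross-check ipa-pki-proxy.conf against
# the AJP/1.3 <Connector> port in pki-ca's server.xml. Sample files are constructed.

# AJP port Tomcat listens on, taken from the AJP/1.3 connector in server.xml
ajp_port() {
    sed -n 's/.*<Connector port="\([0-9]*\)" protocol="AJP\/1.3".*/\1/p' "$1" | head -n 1
}

# Distinct backend ports that active (uncommented) ProxyPass* lines forward to
proxy_ports() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n 's/.*ProxyPass[A-Za-z]* ajp:\/\/localhost:\([0-9]*\).*/\1/p' | sort -u
}

# NSSVerifyClient value of the <LocationMatch> block whose pattern contains $2
verify_client_for() {
    awk -v pat="$2" '
        /<LocationMatch/ { inblk = index($0, pat) > 0 }
        inblk && $1 == "NSSVerifyClient" { print $2; exit }
        /<\/LocationMatch>/ { inblk = 0 }' "$1"
}

# Returns 0 when every active proxy target is the real AJP port and the block for
# /ca/eeca/ca/profileSubmitSSLClient still demands the client cert; else reports, returns 1
check_proxy() {
    conf=$1; xml=$2; rc=0
    want=$(ajp_port "$xml")
    for p in $(proxy_ports "$conf"); do
        [ "$p" = "$want" ] || { echo "proxy forwards to :$p, AJP connector is :$want"; rc=1; }
    done
    vc=$(verify_client_for "$conf" profileSubmitSSLClient)
    [ "$vc" = require ] || { echo "profileSubmitSSLClient: NSSVerifyClient '$vc', expected 'require'"; rc=1; }
    return $rc
}

# Constructed sample inputs mirroring the thread: AJP on 9447, old 9443 target commented out
TMP=$(mktemp -d)
cat > "$TMP/server.xml" <<'EOF'
<Connector name="Agent" port="9443" />
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
EOF
cat > "$TMP/ipa-pki-proxy.conf" <<'EOF'
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/doRevoke|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSVerifyClient require
    #ProxyPassMatch ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
EOF
check_proxy "$TMP/ipa-pki-proxy.conf" "$TMP/server.xml" && echo "proxy config consistent"
```

Run it against the real files by passing their paths to check_proxy; a port mismatch or a missing NSSVerifyClient require is reported on stdout and the function returns 1.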