Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

2014-10-17 Thread Rob Crittenden
christof.schu...@ww.uni-erlangen.de wrote:
 The FreeIPA 3.0.0 server is running on CentOS 6.5.
 
 The CA subsystem certificates have all been renewed and will not expire
 until 2016. In the
 
 I think the problems come from modifications a colleague did to
 /etc/httpd/ipa-pki-proxy.conf , /etc/httpd/nss.conf and
 /var/lib/pki-ca/conf/server.xml (without documentation, but they have
 different timestamps) when he wanted to enforce/enable higher level
 encryption.
 
 I was able to reproduce some of his changes like StrictCypher and
 sslOptions he did, but I am not sure with the configuration of the ports
 of the connectors in /var/lib/pki-ca/conf/server.xml
 
   <Connector name="Agent" port="9443" ...
 
   <!-- Port Separation:  Admin Secure Port Connector -->
   <Connector name="Admin" port="9445" ...
 
 
   <!-- Port Separation:  EE Secure Port Connector -->
   <Connector name="EE" port="9444" ...
 
   <!-- Port Separation:  EE Secure Client Auth Port Connector -->
   <Connector name="EEClientAuth" port="9446" ...
 
 
   <!-- Define an AJP 1.3 Connector on port 9447 -->
   <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
 
 
 
 and the /etc/httpd/conf.d/ipa-pki-proxy.conf
 
 
 
 
 # VERSION 2 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
 # matches for ee port
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
 #ProxyPassMatch ajp://localhost:9443
 #ProxyPassReverse ajp://localhost:9443
 ProxyPassMatch ajp://localhost:9447
 ProxyPassReverse ajp://localhost:9447
 </LocationMatch>
 
 # matches for admin port and installer
 <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
 #ProxyPassMatch ajp://localhost:9443
 #ProxyPassReverse ajp://localhost:9443
 ProxyPassMatch ajp://localhost:9447
 ProxyPassReverse ajp://localhost:9447
 </LocationMatch>
 
 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 #ProxyPassMatch ajp://localhost:9443
 #ProxyPassReverse ajp://localhost:9443
 ProxyPassMatch ajp://localhost:9447
 ProxyPassReverse ajp://localhost:9447
 </LocationMatch>
 
 # Only enable this on servers that are not generating a CRL
 #RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
 
 
 Is there an example configuration somewhere? When I deployed the system it
 was a rather default installation.

I've attached the config files from one of my working 3.0.0 masters.

rob

 
 
 
 Christof Schulze wrote:
 Hello all,

 I am running a FreeIPA server on CentOS for 2 years now with mostly
 Ubuntu 12.04 and some Fedora 20 clients.

 For one week (or more) it has not been possible any more to install new
 clients (neither Ubuntu nor Fedora). The host gets created on the
 IPA server but it cannot create/exchange a host certificate.

 The only thing that happened (except regular updates) was a complete
 certificate renewal with no obvious problems some weeks ago.

 Web-interface and certmonger show the same error.

 ipa-getcert list on the new Hosts:
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: 4301 (RPC failed at
 server.  Certificate operation cannot be completed: FAILURE (Invalid
 Request)).
 stuck: yes

 Given the timeline I'd guess that your CA subsystem certificates have
 expired.

 On the IPA master run: getcert list (not ipa-getcert)

 This will show the current status of things.

 What version of IPA is this?

 rob

 
 

# VERSION 2 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447
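The diagnosis in this thread turns on which <LocationMatch> block a CA request lands in: the eeca and agent paths are the ones the CA authenticates with the RA agent's client certificate, so they must sit under NSSVerifyClient require, and every active block should proxy to the same AJP backend. The script below is an added example, not FreeIPA's code and not either poster's file. It parses the LocationMatch sections of an ipa-pki-proxy.conf, reports the effective NSSVerifyClient and backend for a given path (Apache merges matching sections in file order, so the last match wins), and lints the file for the two mistakes a hand edit is most likely to introduce. The embedded configuration is a constructed, shortened sample modelled on the directives quoted above, and the list of paths that must require a client certificate (CLIENT_CERT_PATHS) is my assumption drawn from the thread's third block; on a real master point it at /etc/httpd/conf.d/ipa-pki-proxy.conf.

```python
"""Lint the <LocationMatch> blocks of an ipa-pki-proxy.conf (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the directives in the thread. It is not either
# poster's file: the path lists are shortened, and one commented-out backend line
# is kept to show that inert directives are ignored.
SAMPLE_CONF = r'''
# VERSION 2 - DO NOT REMOVE THIS LINE
ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ocsp|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    #ProxyPassMatch ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getStatus|^/ca/rest/installer/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
'''

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)"\s*>(.*?)</LocationMatch>', re.S)


@dataclass
class Block:
    pattern: str
    verify_client: Optional[str] = None   # NSSVerifyClient argument, if set
    backend: Optional[str] = None         # active ProxyPassMatch target, if set


def parse_blocks(text: str) -> List[Block]:
    """Extract each <LocationMatch> section with its active directives."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        blk = Block(pattern=m.group(1))
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith('#'):  # commented-out directives are inert
                continue
            name, _, arg = line.partition(' ')
            if name == 'NSSVerifyClient':
                blk.verify_client = arg.strip()
            elif name == 'ProxyPassMatch':
                blk.backend = arg.strip()
        blocks.append(blk)
    return blocks


def effective_settings(blocks: List[Block], path: str) -> Tuple[Optional[str], Optional[str]]:
    """Apache merges matching <LocationMatch> sections in file order, later ones
    overriding earlier ones, so the last matching block decides."""
    verify = backend = None
    for blk in blocks:
        if re.search(blk.pattern, path):
            verify = blk.verify_client if blk.verify_client is not None else verify
            backend = blk.backend if blk.backend is not None else backend
    return verify, backend


# Assumption for this example: paths the CA authenticates with the RA agent's
# client certificate (the thread's debug log shows raCertAuth handling
# profileSubmitSSLClient), so they must be served with NSSVerifyClient require.
CLIENT_CERT_PATHS = ('/ca/agent/ca/doRevoke', '/ca/eeca/ca/profileSubmitSSLClient')


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the file passed."""
    blocks = parse_blocks(text)
    findings = []
    backends = {b.backend for b in blocks if b.backend}
    if len(backends) > 1:
        findings.append('blocks proxy to different backends: %s' % sorted(backends))
    for blk in blocks:
        if blk.backend is None:
            findings.append('no active ProxyPassMatch in block %r' % blk.pattern)
        if blk.verify_client is None:
            findings.append('no NSSVerifyClient in block %r' % blk.pattern)
    for path in CLIENT_CERT_PATHS:
        verify, backend = effective_settings(blocks, path)
        if verify != 'require':
            findings.append('%s is reachable with NSSVerifyClient %r' % (path, verify))
        if backend is None:
            findings.append('%s matches no proxied block' % path)
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF) or ['no findings']:
        print(finding)
```

The parser deliberately skips commented-out directives, so a leftover "#ProxyPassMatch ajp://localhost:9443" line like the ones in the thread does not count as a backend; only the uncommented ProxyPassMatch in each block does.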
   

[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

2014-10-16 Thread Christof Schulze
Hello all,

I am running a FreeIPA server on CentOS for 2 years now with mostly
Ubuntu 12.04 and some Fedora 20 clients.

For one week (or more) it has not been possible any more to install new
clients (neither Ubuntu nor Fedora). The host gets created on the
IPA server but it cannot create/exchange a host certificate.

The only thing that happened (except regular updates) was a complete
certificate renewal with no obvious problems some weeks ago.

Web-interface and certmonger show the same error.

ipa-getcert list on the new Hosts:
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: FAILURE (Invalid
Request)).
stuck: yes


Debug Log from server as Attachment


C. Schulze

[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for 
servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz 
mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for 
servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz 
mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet:service() uri = 
//ca/eeca/ca/profileSubmitSSLClient
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param 
name='cert_request_type' value='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param 
name='cert_request' value='-BEGIN NEW CERTIFICATE REQUEST-
 MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm

*

 KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
 /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
 -END NEW CERTIFICATE REQUEST-'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='xml' 
value='true'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param 
name='profileId' value='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet: caProfileSubmitSSLClient 
start to service.
[16/Oct/2014:10:15:02][TP-Processor3]: xmlOutput true
[16/Oct/2014:10:15:02][TP-Processor3]: Start of ProfileSubmitServlet Input 
Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter 
cert_request_type='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter 
cert_request='-BEGIN NEW CERTIFICATE REQUEST-
 MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm

*

 KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
 /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
 -END NEW CERTIFICATE REQUEST-'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter 
xml='true'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter 
profileId='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: End of ProfileSubmitServlet Input 
Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: start serving
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: SubId=profile
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: isRenewal false
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: profileId 
caIPAserviceCert
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authenticator 
raCertAuth found
[16/Oct/2014:10:15:02][TP-Processor3]: 
ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmistServlet: set Inputs into 
profile Context
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: set 
sslClientCertProvider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: start
[16/Oct/2014:10:15:02][TP-Processor3]: authenticator instance name is raCertAuth
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got provider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: retrieving 
client certificate
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got certificates
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: check if ipara is  in group Registration 
Manager Agents
[16/Oct/2014:10:15:02][TP-Processor3]: UGSubsystem.isMemberOf() using new 
lookup code
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: 

Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

2014-10-16 Thread Rob Crittenden
Christof Schulze wrote:
 Hello all,
 
 I am running a FreeIPA server on CentOS for 2 years now with mostly
 Ubuntu 12.04 and some Fedora 20 clients.
 
 For one week (or more) it has not been possible any more to install new
 clients (neither Ubuntu nor Fedora). The host gets created on the
 IPA server but it cannot create/exchange a host certificate.
 
 The only thing that happened (except regular updates) was a complete
 certificate renewal with no obvious problems some weeks ago.
 
 Web-interface and certmonger show the same error.
 
 ipa-getcert list on the new Hosts:
   status: CA_UNREACHABLE
   ca-error: Server failed request, will retry: 4301 (RPC failed at
 server.  Certificate operation cannot be completed: FAILURE (Invalid
 Request)).
   stuck: yes

Given the timeline I'd guess that your CA subsystem certificates have
expired.

On the IPA master run: getcert list (not ipa-getcert)

This will show the current status of things.

What version of IPA is this?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
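Rob's first step is to run getcert list on the master and read the status of every tracked certificate. The script below is an added example, not part of the thread and not certmonger's or FreeIPA's code: it parses the stanza layout getcert prints into one record per request and flags anything that is not in MONITORING, is stuck, has already expired, or expires within a configurable number of days. The sample output is constructed (request ids, subjects and dates are made up); its third stanza carries the same 4301 (Invalid Request) ca-error quoted in the original report, and `now` takes getcert's own timestamp format so a run can be pinned to a reference time.

```python
"""Audit `getcert list` output for expired or stuck certmonger requests (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the layout certmonger's `getcert list` prints; the request
# ids, subjects and dates are made up. The third stanza mirrors the error in the thread.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20121016101502':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2016-10-16 10:15:02 UTC
Request ID '20121016101503':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2014-10-01 08:00:00 UTC
Request ID '20141016101504':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Invalid Request)).
\tstuck: yes
\tCA: IPA
\tsubject: CN=newhost.example.test,O=EXAMPLE.TEST
\texpires: unknown
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
TIME_FORMAT = '%Y-%m-%d %H:%M:%S %Z'   # the format getcert uses for 'expires:'


def parse_getcert(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per 'Request ID' stanza (field name -> value)."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {'id': m.group(1)}
            records.append(current)
        elif current is not None and line.startswith('\t') and ':' in line:
            key, _, value = line.strip().partition(':')   # split at the first colon only
            current[key.strip()] = value.strip()
    return records


def parse_time(value: str) -> Optional[datetime]:
    """Parse a getcert timestamp; 'unknown' and other non-dates give None."""
    try:
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def audit(text: str, now: Optional[str] = None, warn_days: int = 30) -> List[str]:
    """Return one finding per problem: non-MONITORING status, stuck request,
    expired certificate, or expiry within warn_days of the reference time."""
    ref = parse_time(now) if now else datetime.now(timezone.utc)
    if ref is None:
        raise ValueError('now must look like %r' % '2014-10-16 12:00:00 UTC')
    findings = []
    for rec in parse_getcert(text):
        tag = '%s (%s)' % (rec['id'], rec.get('subject', '?'))
        if rec.get('status') != 'MONITORING':
            msg = '%s: status %s' % (tag, rec.get('status'))
            if rec.get('ca-error'):
                msg += ': ' + rec['ca-error']
            findings.append(msg)
        if rec.get('stuck') == 'yes':
            findings.append('%s: stuck' % tag)
        expires = parse_time(rec.get('expires', ''))
        if expires is not None:
            if expires <= ref:
                findings.append('%s: expired on %s' % (tag, expires.strftime('%Y-%m-%d')))
            elif expires - ref <= timedelta(days=warn_days):
                findings.append('%s: expires within %d days' % (tag, warn_days))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_OUTPUT, now='2014-10-16 12:00:00 UTC'):
        print(finding)
```

On a real master, feed it the output of getcert list run as root (for example `getcert list | python3 audit.py` with a small wrapper that reads stdin); a subsystem certificate that is already past its expiry date will show up as "expired on", and a client whose enrolment failed shows up twice, once for its CA_UNREACHABLE status with the ca-error text and once for stuck: yes.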


Re: [Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

2014-10-16 Thread Christof . Schulze
The FreeIPA 3.0.0 server is running on CentOS 6.5.

The CA subsystem certificates have all been renewed and will not expire
until 2016. In the

I think the problems come from modifications a colleague did to
/etc/httpd/ipa-pki-proxy.conf , /etc/httpd/nss.conf and
/var/lib/pki-ca/conf/server.xml (without documentation, but they have
different timestamps) when he wanted to enforce/enable higher level
encryption.

I was able to reproduce some of his changes like StrictCypher and
sslOptions he did, but I am not sure with the configuration of the ports
of the connectors in /var/lib/pki-ca/conf/server.xml

  <Connector name="Agent" port="9443" ...

  <!-- Port Separation:  Admin Secure Port Connector -->
  <Connector name="Admin" port="9445" ...


  <!-- Port Separation:  EE Secure Port Connector -->
  <Connector name="EE" port="9444" ...

  <!-- Port Separation:  EE Secure Client Auth Port Connector -->
  <Connector name="EEClientAuth" port="9446" ...


  <!-- Define an AJP 1.3 Connector on port 9447 -->
  <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />



and the /etc/httpd/conf.d/ipa-pki-proxy.conf




# VERSION 2 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
#ProxyPassMatch ajp://localhost:9443
#ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
#ProxyPassMatch ajp://localhost:9443
#ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
#ProxyPassMatch ajp://localhost:9443
#ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]


Is there an example configuration somewhere? When I deployed the system it
was a rather default installation.



 Christof Schulze wrote:
 Hello all,

 I am running a FreeIPA server on CentOS for 2 years now with mostly
 Ubuntu 12.04 and some Fedora 20 clients.

 For one week (or more) it has not been possible any more to install new
 clients (neither Ubuntu nor Fedora). The host gets created on the
 IPA server but it cannot create/exchange a host certificate.

 The only thing that happened (except regular updates) was a complete
 certificate renewal with no obvious problems some weeks ago.

 Web-interface and certmonger show the same error.

 ipa-getcert list on the new Hosts:
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: 4301 (RPC failed at
 server.  Certificate operation cannot be completed: FAILURE (Invalid
 Request)).
  stuck: yes

 Given the timeline I'd guess that your CA subsystem certificates have
 expired.

 On the IPA master run: getcert list (not ipa-getcert)

 This will show the current status of things.

 What version of IPA is this?

 rob


