Re: [Freeipa-users] apache to dogtag (error 4301)
I changed NSSVerifyClient to optional (was undefined) and I can process new certs for the time-being.

--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Arnold, Paul C CTR USARMY PEO STRI (US) [paul.c.arnold4@mail.mil]
Sent: Wednesday, August 26, 2015 07:26 AM
To: Fraser Tweedale
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

Sure. Dogtag is not running in FIPS mode -- it's all dist configs minus disabling SSLv3. IPA UI and pki-proxy have dist configs, but mod_nss and the default 443 vhost do not. The confs for httpd.conf and nss.conf are listed after the s_client output. Running s_client on port 9447 just hangs, but I am honestly not sure how an AJP connector redirect should behave in a direct connection like that. Here's s_client output for 443 and 9444:

##
## apache https ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:443
verify depth is 10
CONNECTED(0003)
SSL_connect:before/connect initialization
TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 snip 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
TLS 1.2 Handshake [length 0057], ServerHello
    02 00 00 53 snip 01 00 01 00
SSL_connect:SSLv3 read server hello A
TLS 1.2 Handshake [length 0735], Certificate
    0b 00 07 31 snip 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 snip 68 9e 48 fc
SSL_connect:SSLv3 read server key exchange A
TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
TLS 1.2 Handshake [length 0046], ClientKeyExchange
    10 00 00 42 snip 59 56 88 4a
SSL_connect:SSLv3 write client key exchange A
TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c snip 20 07 08 db
SSL_connect:SSLv3 write finished A
---
    70 30 0d 06 snip 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 snip 8d 64 cf b1
SSL_connect:SSLv3 flush data
TLS 1.2 ChangeCipherSpec [length 0001]
    01
TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c snip 23 1c 06 4b
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCCsnipgbqsFldU
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2349 bytes and written 399 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 1E191B2FEAC07386328DC9725D9B8589FBCAD4B080CF18A3476C296A76837235
    Session-ID-ctx:
    Master-Key: 3BF979C72DC402F635E405ADC79A36BEAE2ACC7E4560A4E7CF45B60002DECC65DC46182C81BE4A16381F456573F5E7D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440585959
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##

##
## tomcat post-proxy ssl init
##
[root@server ~]# openssl s_client -state -verify 10 -msg -connect localhost:9444
verify depth is 10
CONNECTED(0003)
SSL_connect:before/connect initialization
TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 snip 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
TLS 1.0 Handshake [length 0051], ServerHello
    02 00 00 4d snip 01 00 01 00
SSL_connect:SSLv3 read server hello A
TLS 1.0 Handshake [length 070c], Certificate
    0b 00 07 08 snip 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
TLS 1.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
TLS 1.0 Handshake [length 0106], ClientKeyExchange
    10 00 01 02 snip c0 36 01 46
SSL_connect:SSLv3 write client key exchange A
TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
TLS 1.0 Handshake
Re: [Freeipa-users] apache to dogtag (error 4301)
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
</Directory>
</IfModule>
</IfModule>

<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>

BrowserMatch ^gnome-vfs/1.0 redirect-carefully
##

--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

From: Fraser Tweedale [ftwee...@redhat.com]
Sent: Monday, August 24, 2015 10:20 AM
To: Arnold, Paul C CTR USARMY PEO STRI (US)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying to figure this one out. I'm hoping I am missing something simple, as my next course of action is to completely re-install IPA.
>
> This is the primary error I am receiving:
>
> ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)

Dogtag raises this exception when it expected but did not receive a client certificate. The `ipaCert' certificate from /etc/httpd/alias is the certificate used by FreeIPA to talk to Dogtag. If `ipaCert' is not expired, there must be some other reason the client is not sending the cert.

Is Dogtag in FIPS mode? Can you export the certificate and try and connect to the server using, e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] apache to dogtag (error 4301)
On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying to figure this one out. I'm hoping I am missing something simple, as my next course of action is to completely re-install IPA.
>
> This is the primary error I am receiving:
>
> ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)

Dogtag raises this exception when it expected but did not receive a client certificate. The `ipaCert' certificate from /etc/httpd/alias is the certificate used by FreeIPA to talk to Dogtag. If `ipaCert' is not expired, there must be some other reason the client is not sending the cert.

Is Dogtag in FIPS mode? Can you export the certificate and try and connect to the server using, e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

> It occurs in the IdM UI and from shell. A similar task ( ~# ipa user-show admin ) works on the same system. This system is an ipa master and the only CA, version 3.0.0-47 (initially 3.0.0-42) -- everything minus certificate tasks works. SELinux is currently in permissive (I am receiving no related AVCs anyway, even with semodule -BD).
>
> Background on this issue: it started after putting mod_nss (and apache's nssdb) into FIPS mode. I have since restored the apache NSSdb to a known-good (non-FIPS) backup, but I am still receiving the same certificate errors.
>
> The value of 'userCertificate' in 'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same as the value from certutil for ipaCert. The value of 'cACertificate' from 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same value as '/etc/ipa/ca.crt' and the value from certutil for INTERNALFQDN.LAB IPA CA.
>
> All logs below were run with a valid admin ticket.
>
> It is difficult to transport logs from this system (isolated network), so there are quite a lot of logs in this message; I snipped out as much filler as possible.
>
> ##
> ## cert-show from shell
> ##
> [root@server ~]# ipa cert-show
> snip (all python plugins)
> snip (cookie stuff)
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>     Version: 3 (0x2)
>     Serial Number: 10 (0xa)
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>     Validity:
>         Not Before: Mon Jun 22 13:51:40 2015 UTC
>         Not After:  Thu Jun 22 13:51:40 2017 UTC
>     Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> snip
>     Name: Certificate Key Usage
>     Critical: True
>     Usages: Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
>     Name: Extended Key Usage
>     Critical: False
>     Usages: TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> snip
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> snip (cookie stuff)
> ipa: DEBUG: Created connection context.xmlclient
> Serial number: 0xa
> ipa: DEBUG: raw: cert_show(u'10')
> ipa: DEBUG: cert_show(u'10')
> ipa: INFO: Forwarding 'cert_show' to server u'https://server.internalfqdn.lab/ipa/session/xml'
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> snip (cookie stuff)
> ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
>
> ##
> ## (successful) user-show from shell
> ##
> [root@server ~]# ipa user-show admin
> snip (all python plugins)
> snip (cookie stuff)
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>     Version: 3 (0x2)
>     Serial Number: 10 (0xa)
>     Signature Algorithm:
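The check Fraser asks for above (export `ipaCert' from /etc/httpd/alias and run `openssl s_client -msg' against the server) and the s_client transcripts Paul posted earlier in the thread both come down to one question: did the server send a CertificateRequest, so that a client certificate could be presented at all? The script below is an added example, not part of this thread and not FreeIPA's or Dogtag's own tooling. It exports the certificate with pk12util and openssl, connects with it, and classifies the transcript. The nickname ipaCert and the /etc/httpd/alias database are from the thread; the pwdfile.txt password file, the PEM output path, the temporary PKCS#12 password and the host/port arguments are assumptions and have to be adapted. Run over Paul's port 443 transcript, the classifier reports not-requested, because that output contains "No client certificate CA names sent".

```shell
#!/bin/sh
# Added example (not from the thread): does a TLS endpoint ask for a client
# certificate?  Built on the `openssl s_client -state -msg` approach Fraser
# suggested.  Paths, nicknames and ports are assumptions for a FreeIPA host.

# Classify an `openssl s_client -state -msg` transcript read from stdin.
# Prints one of:
#   requested      server sent a CertificateRequest (it expects a client cert)
#   not-requested  handshake completed and the server asked for no client cert
#   unknown        transcript shows neither (handshake probably did not finish)
classify_client_auth() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -e 'CertificateRequest' \
                                      -e 'Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Export a certificate and its private key from an NSS database to one PEM
# file that OpenSSL can present as client cert + key.
# Arguments: NSS db directory, certificate nickname, output PEM path.
# Assumes the db password lives in "$db/pwdfile.txt" (assumption) and that
# pk12util and openssl are installed.  The intermediate PKCS#12 password is
# a constructed throw-away value; the file is deleted right after conversion.
export_nss_cert() {
    db="$1"; nick="$2"; pem="$3"
    p12pw="export-$$"            # constructed, temporary
    umask 077                    # private key: owner-readable only
    tmp=$(mktemp) || return 1
    pk12util -o "$tmp" -n "$nick" -d "$db" -k "$db/pwdfile.txt" -W "$p12pw" \
        || { rm -f "$tmp"; return 1; }
    openssl pkcs12 -in "$tmp" -passin "pass:$p12pw" -nodes -out "$pem" \
        || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Connect with the exported client cert and report what the server asked for.
# Arguments: host, port, PEM file containing cert + key.
# stdin is closed so s_client exits once the handshake is done; -state/-msg
# output goes to stderr, hence the 2>&1 before classification.
probe_client_auth() {
    host="$1"; port="$2"; pem="$3"
    openssl s_client -state -msg -connect "$host:$port" \
        -cert "$pem" -key "$pem" </dev/null 2>&1 | classify_client_auth
}

# Typical use on the IPA server (assumed paths; ports from the thread):
#   export_nss_cert /etc/httpd/alias ipaCert /root/ipaCert.pem
#   probe_client_auth localhost 443  /root/ipaCert.pem
#   probe_client_auth localhost 9444 /root/ipaCert.pem
```

A not-requested result on the port the IPA framework uses to reach Dogtag means no client certificate can be sent regardless of whether ipaCert is valid; a requested result with the fault still present points at the certificate, the NSS database, or the proxy hop instead, and the transcript's "Acceptable client certificate CA names" lines then show which issuer the server is willing to accept.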