<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:4E8229F9.3050400@nixtra.com" type="cite">
On 09/27/2011 12:34 AM, Dmitri Pal wrote:
<blockquote cite="mid:4E80FDE9.2010504@redhat.com" type="cite">
On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:4E7FA1E6.6050409@nixtra.com" type="cite">
<p>Hi,<br>
</p>
<p>I have a host that refuses to be modified or deleted. I
get the same error from the webui and the cli. I am using
F15, FreeIPA 2.1.1 + all updates from the updates
repository. I cannot find any error in any log. I have
tried to reboot my ipa servers. All services seem to be
running and have no issues.<br>
</p>
The error message I receive is:<br>
<ul>
<li>Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)</li>
</ul>
<br>
I have looked in the Dogtag Certificate Manager, and I can
see the certificate. It's still valid, and holds the same
serial number as what is displayed using ipa host-show
&lt;hostname&gt;.<br>
<br>
Any suggestions?<br>
<br>
<br>
</blockquote>
<br>
Can you please send the sanitized apache logs?<br>
<br>
</blockquote>
<br>
<br>
These are the apache log lines that correspond to # ipa
host-disable &lt;hostname&gt; and # ipa cert-show &lt;serialno&gt;. I
have no config files in my /etc/httpd/conf.d/ directory that
contain any reference to the /ca directory. Also /var/www/html/ca
does not exist.<br>
<br>
I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
not exist on any of my 3 IPA servers.<br>
<br>
Should that file contain an alias and proxy rules for /ca/ ?<br>
<br>
<br>
error_log:<br>
<pre wrap="">
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError
</pre>
<br>
access_log:<br>
<pre wrap="">
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
</pre>
<br>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
</pre>
</blockquote>
<br>
I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
numbers seemed incorrect. They were pointing at
ajp://localhost:9447/, which is a port that's not responding to
anything. "netstat -nat" agrees... nothing there.<br>
<br>
"/etc/init.d/pki-cad status" seems to indicate that the correct port
is 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf
file, and restarted httpd. And attempted to disable the host:<br>
<br>
<pre wrap="">
# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.
</pre>
<br>
Using Firefox to access
<a class="moz-txt-link-freetext" href="https://ipasrv01.ix.test.com:9443/ca/agent/ca">https://ipasrv01.ix.test.com:9443/ca/agent/ca</a> yields:<br>
<br>
Secure Connection Failed<br>
An error occurred during a connection to ipasrv01.ix.test.com:9443.<br>
SSL peer cannot verify your certificate.<br>
(Error code: ssl_error_bad_cert_alert)<br>
<br>
<br>
Am I heading in the incorrect direction here? Or does the pki-cad
service have some cert issues?<br>
<br>
<pre wrap="">
</pre>
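<p>Added example (editor's code, not part of this thread and not
FreeIPA's own tooling): a small Python diagnostic for the two failure
patterns shown above. Either no proxy rule matches a /ca/... path, so
Apache falls back to DocumentRoot and logs "File does not exist:
/var/www/html/ca" with a 404, or a rule matches but nothing listens on
the ajp:// backend port it names. The script parses
&lt;LocationMatch&gt; blocks of an Apache fragment for their
ProxyPassMatch backend and NSSVerifyClient setting, extracts LISTEN
ports from netstat -nat output, and classifies a given request path.
The config fragment and the netstat output are constructed stand-ins
(paths and the 9447 port are taken from the messages above); they are
not the shipped ipa-pki-proxy.conf, and the NSSVerifyClient values are
assumptions about its structure.</p>

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs for the example (not copied from any real system).
# The fragment mirrors the shape of an Apache reverse-proxy config for a /ca/
# prefix: one <LocationMatch> per group of CA paths, each proxied over AJP.
SAMPLE_CONF = """\
ProxyRequests Off
# end-entity paths: no client certificate required (assumed layout)
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# agent paths: caller must authenticate with a client certificate (assumed)
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke">
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
"""

# Constructed `netstat -nat` output: HTTPS and two CA ports listen, 9447 does not.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9180            0.0.0.0:*               LISTEN
tcp        0      0 192.168.210.20:443      192.168.210.20:51122    ESTABLISHED
"""

_BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)"\s*>(.*?)</LocationMatch>', re.S)
_VERIFY_RE = re.compile(r'^\s*NSSVerifyClient\s+(\w+)', re.M)
_URL_RE = re.compile(r'(\w+)://([^:/\s]+)(?::(\d+))?')
_DEFAULT_PORTS = {"ajp": 8009, "http": 80, "https": 443}  # mod_proxy defaults


def parse_proxy_rules(conf: str) -> List[Dict]:
    """One rule per <LocationMatch> block: path regex, backend, client-cert policy."""
    rules = []
    for block in _BLOCK_RE.finditer(conf):
        pattern, body = block.group(1), block.group(2)
        backend: Optional[Tuple[str, str, Optional[int]]] = None
        for line in body.splitlines():
            line = line.strip()
            # ProxyPassMatch inside a LocationMatch takes only the backend URL
            if line.startswith(("ProxyPassMatch", "ProxyPass ")):
                url = _URL_RE.search(line)
                if url:
                    scheme, host, port = url.group(1), url.group(2), url.group(3)
                    backend = (scheme, host, int(port) if port else _DEFAULT_PORTS.get(scheme))
        verify = _VERIFY_RE.search(body)
        rules.append({
            "pattern": re.compile(pattern),
            "backend": backend,
            "verify_client": verify.group(1) if verify else "none",
        })
    return rules


def listening_ports(netstat_output: str) -> Set[int]:
    """TCP ports in LISTEN state, parsed from `netstat -nat`-style columns."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def diagnose(conf: str, netstat_output: str, path: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Classify why a request for `path` would fail at the Apache front end.

    Returns (status, backend_port, verify_client):
      no-proxy-rule          no block matches; Apache serves DocumentRoot -> 404
      backend-not-listening  a rule matches but nothing listens on its ajp:// port
      ok                     a rule matches and the backend port is open
    """
    rule = next((r for r in parse_proxy_rules(conf) if r["pattern"].search(path)), None)
    if rule is None or rule["backend"] is None:
        return ("no-proxy-rule", None, None)
    _scheme, _host, port = rule["backend"]
    if port not in listening_ports(netstat_output):
        return ("backend-not-listening", port, rule["verify_client"])
    return ("ok", port, rule["verify_client"])


if __name__ == "__main__":
    for p in ("/ca/agent/ca/displayBySerial", "/ca/ee/ca/getCertChain", "/ipa/xml"):
        print(p, "->", diagnose(SAMPLE_CONF, SAMPLE_NETSTAT, p))
```

<p>Two caveats when using this on a real server: an ajp:// backend must
point at an AJP connector, so a port that answers HTTPS will not satisfy
the rule even though it shows up as LISTEN; and the verify_client
field is reported because agent paths are authenticated by a client
certificate checked at the front end (NSSVerifyClient require), which
is also the usual reason a browser with no such certificate gets a
bad-certificate alert from an agent port.</p>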
</body>
</html>