<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:4E8398CC.4070704@nixtra.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 09/28/2011 11:35 PM, Adam Young wrote:
<blockquote cite="mid:4E839321.9020101@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:4E838B8B.4020601@nixtra.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
On 09/28/2011 03:33 AM, Adam Young wrote:
<blockquote cite="mid:4E827957.4080606@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
After talking with the PKI developer that is fixing this, I
found out that one other file needs to be modified:<br>
<br>
<br>
<p> /var/lib/pki-ca/conf/CS.cfg </p>
<p> http.port=8080 <br>
https.port=8443 </p>
<br>
<br>
<br>
<br>
On 09/27/2011 07:55 PM, Adam Young wrote:
<blockquote cite="mid:4E826272.7050100@redhat.com"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="comment">
<p>Siggi,<br>
</p>
<p>This is my comment in the ticket: <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/1889">https://fedorahosted.org/freeipa/ticket/1889</a><br>
</p>
<p>We are working on a tool in the PKI project that will
perform these steps in an automated fashion.<br>
</p>
<p><br>
</p>
<p>There are three files that need to be addressed. </p>
<p> On the tomcat side, the files are in the Tomcat
instance managed by IPA in /var/lib/pki-ca. The first
is </p>
<p> /var/lib/pki-ca/conf/server.xml </p>
<p> It needs the addition: </p>
<p> + &lt;Connector port="9447" protocol="AJP/1.3"
redirectPort="9444" /&gt; </p>
<p> You can place it around line 281, above the comment
for the line &lt;Engine name="Catalina"
defaultHost="localhost"&gt; </p>
<p> Second is:
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml </p>
<p> For each of the filter entries it needs the code
addition below: </p>
<blockquote>
<p> &lt;init-param&gt; </p>
<blockquote>
<p> &lt;param-name&gt;proxy_port&lt;/param-name&gt;
&lt;param-value&gt;443&lt;/param-value&gt; </p>
</blockquote>
<p> &lt;/init-param&gt; </p>
</blockquote>
<p> + &lt;init-param&gt; +
&lt;param-name&gt;proxy_port&lt;/param-name&gt; +
&lt;param-value&gt;443&lt;/param-value&gt; +
&lt;/init-param&gt; </p>
<blockquote>
<p> &lt;init-param&gt; </p>
<blockquote>
<p> &lt;param-name&gt;active&lt;/param-name&gt;
&lt;param-value&gt;true&lt;/param-value&gt; </p>
</blockquote>
<p> &lt;/init-param&gt; </p>
</blockquote>
<blockquote>
<p> &lt;/filter&gt; </p>
</blockquote>
<p> The third change is creating a symlink to
/etc/pki-ca/proxy.conf in the directory
/etc/httpd/conf.d </p>
</div>
<br>
<br>
</blockquote>
</blockquote>
<br>
Sorry for the late reply. <br>
<br>
I have performed the modifications you've suggested to
/var/lib/pki-ca/conf/server.xml, and
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.<br>
<br>
In the file /var/lib/pki-ca/conf/CS.cfg, the settings were
already http.port=8080 and https.port=8443.<br>
<br>
I could not find the file /etc/pki-ca/proxy.conf. I did find
/usr/share/pki/ca/conf/proxy.conf, I copied this into
/etc/httpd/conf.d and replaced
[PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.<br>
<br>
Then I restarted ipa: $ ipactl restart<br>
<br>
I get a different error now, same error msg both in webui and
cli:<br>
ipa: ERROR: Certificate format error: [Errno -8192]
(SEC_ERROR_IO) An I/O error occurred during security
authorization.<br>
<br>
What do you suggest doing next? :)<br>
</blockquote>
<br>
/etc/httpd/conf.d/nss.conf:<br>
<br>
[root@vm-077 conf.d]# diff nss.conf.orig nss.conf<br>
74c74<br>
&lt; NSSRenegotiation off<br>
---<br>
&gt; NSSRenegotiation on<br>
78c78<br>
&lt; NSSRequireSafeNegotiation off<br>
---<br>
&gt; NSSRequireSafeNegotiation on<br>
<br>
<br>
As I said, we are scripting this. I should have had you hold
out for the script.<br>
</blockquote>
<br>
:)<br>
<br>
I see Ade Lee has posted the script now. I'll have a go at the
script tomorrow. <br>
<br>
Rgds,<br>
Siggi<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
Well, that script assumes the machine is in a certain state. I am
not sure if your machine now qualifies. You should only need the
nss.conf change, as that seems to match the error you are seeing.<br>
<br>
Before you make any changes, try pointing a browser at<br>
<br>
<a class="moz-txt-link-freetext" href="https://hostname/ca/ee/ca/getCertChain">https://hostname/ca/ee/ca/getCertChain</a><br>
<br>
And you should get a valid response: XML with a tag
&lt;ChainBase64&gt;<br>
<br>
This shows that Dogtag is being proxied correctly. The error you
are seeing is due to the need to "renegotiate" the SSL handshake for
the authed sections of the PKI-CA.<br>
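<br>
Since the script Adam mentions assumes the machine is in a known state, a quick offline check of the three edits from earlier in the thread (the AJP connector in server.xml, the proxy_port/active init-params on each web.xml filter, the http.port/https.port keys in CS.cfg) and of the getCertChain response is a useful first step. The following is an added example, not code from the thread or from the FreeIPA/Dogtag projects; the function names, the filter names and the cut-down sample documents are constructed, while the port numbers and parameter names are the ones given in the thread.<br>

```python
# Added example (not from the thread or from FreeIPA/Dogtag): offline checks
# for the Dogtag proxy edits described in the thread. Sample documents below
# are constructed and reduced to the parts the checks inspect.
import xml.etree.ElementTree as ET

AJP_PORT = "9447"        # AJP connector port from the thread
REDIRECT_PORT = "9444"   # redirectPort on that connector
PROXY_PORT = "443"       # proxy_port init-param value from the thread
EXPECTED_CS_CFG = {"http.port": "8080", "https.port": "8443"}


def _local(tag):
    """Strip an XML namespace prefix ('{ns}filter' -> 'filter')."""
    return tag.rsplit("}", 1)[-1]


def check_server_xml(xml_text):
    """Problems with the AJP connector in server.xml (empty list = OK)."""
    root = ET.fromstring(xml_text)
    ajp = [c for c in root.iter() if _local(c.tag) == "Connector"
           and c.get("protocol", "").startswith("AJP/")]
    if not ajp:
        return ["no AJP connector: httpd cannot proxy to Tomcat"]
    problems = []
    on_port = [c for c in ajp if c.get("port") == AJP_PORT]
    if not on_port:
        problems.append(f"no AJP connector listening on {AJP_PORT}")
    for c in on_port:
        if c.get("redirectPort") != REDIRECT_PORT:
            problems.append(f"AJP connector {AJP_PORT}: redirectPort="
                            f"{c.get('redirectPort')!r}, expected {REDIRECT_PORT}")
    return problems


def _init_params(filter_el):
    """Map of param-name -> param-value for one <filter> element."""
    params = {}
    for ip in filter_el:
        if _local(ip.tag) != "init-param":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in ip}
        if "param-name" in kv:
            params[kv["param-name"]] = kv.get("param-value")
    return params


def check_web_xml(xml_text):
    """Every <filter> must carry proxy_port=443 and active=true."""
    root = ET.fromstring(xml_text)
    filters = [f for f in root.iter() if _local(f.tag) == "filter"]
    if not filters:
        return ["no <filter> entries found"]
    problems = []
    for f in filters:
        name = next((c.text.strip() for c in f
                     if _local(c.tag) == "filter-name" and c.text), "?")
        params = _init_params(f)
        if params.get("proxy_port") != PROXY_PORT:
            problems.append(f"filter {name}: proxy_port={params.get('proxy_port')!r}, "
                            f"expected {PROXY_PORT}")
        if params.get("active") != "true":
            problems.append(f"filter {name}: active={params.get('active')!r}, "
                            f"expected 'true'")
    return problems


def check_cs_cfg(text):
    """Check http.port/https.port in CS.cfg (key=value lines, '#' comments)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        found[key.strip()] = value.strip()
    return [f"{k}={found.get(k)!r}, expected {v}"
            for k, v in EXPECTED_CS_CFG.items() if found.get(k) != v]


def has_cert_chain(response_text):
    """True if a getCertChain response carries a non-empty <ChainBase64>."""
    try:
        root = ET.fromstring(response_text)
    except ET.ParseError:
        return False   # an HTML error page or empty body, not the expected XML
    return any(_local(e.tag) == "ChainBase64" and (e.text or "").strip()
               for e in root.iter())


# Constructed samples (filter names are made up for the example).
SERVER_XML_OK = """<Server><Service name="Catalina">
  <Connector port="9180" protocol="HTTP/1.1" redirectPort="9444"/>
  <Connector port="9447" protocol="AJP/1.3" redirectPort="9444"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""
SERVER_XML_NO_AJP = SERVER_XML_OK.replace(
    '<Connector port="9447" protocol="AJP/1.3" redirectPort="9444"/>', "")
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>EERequestFilter</filter-name>
    <init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter><filter-name>AgentRequestFilter</filter-name>
    <init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
  </filter>
</web-app>"""
CS_CFG = "# constructed sample\nhttp.port=8080\nhttps.port=8443\n"
CERT_CHAIN_OK = ("<XMLResponse><Status>0</Status>"
                 "<ChainBase64>MIIBplaceholder</ChainBase64></XMLResponse>")

if __name__ == "__main__":
    for label, probs in (("server.xml", check_server_xml(SERVER_XML_OK)),
                         ("web.xml", check_web_xml(WEB_XML)),
                         ("CS.cfg", check_cs_cfg(CS_CFG))):
        print(label, "OK" if not probs else probs)
    print("getCertChain:", "chain present" if has_cert_chain(CERT_CHAIN_OK) else "no chain")
```

On a real host you would read the three files from the paths given in the thread and feed the body of the getCertChain page to has_cert_chain; the second sample filter deliberately lacks the active init-param so the check reports it.<br>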
<br>
<br>
<br>
<br>
</body>
</html>