[Freeipa-users] Certificate error when modifying/deleting a host

Sigbjorn Lie sigbjorn at nixtra.com
Tue Sep 27 20:54:42 UTC 2011


On 09/27/2011 10:46 PM, Simo Sorce wrote:
> On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
>> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
>>> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
>>>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>> I have a host that refuses to be modified or deleted. I get the
>>>>> same error from the webui and the cli. I am using F15, FreeIPA
>>>>> 2.1.1 + all updates from the updates repository. I cannot find
>>>>> any error in any log. I have tried to reboot my ipa servers. All
>>>>> services seem to be running and have no issues.
>>>>>
>>>>>
>>>>> The error message I receive is:
>>>>>        * Certificate operation cannot be completed: Unable to
>>>>>          communicate with CMS (Not Found)
>>>>>
>>>>> I have looked in the Dogtag Certificate Manager, and I can see
>>>>> the certificate. It's still valid, and holds the same serial
>>>>> number as what is displayed using ipa host-show <hostname>.
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>>
>>>>>
>>>> Can you please send the sanitized apache logs?
>>>>
>>>
>>> These are the apache log lines that correspond to # ipa host-disable
>>> <hostname>, and # ipa cert-show <serialno>. I have no config files in
>>> my /etc/httpd/conf.d/ directory that contains any reference to
>>> the /ca directory. Also /var/www/html/ca does not exist.
>>>
>>> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
>>> file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
>>> not exist on any of my 3 IPA servers.
>>>
>>> Should that file contain an alias and proxy rules for /ca/ ?
>>>
>>>
>>> error_log:
>>> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> ping(): SUCCESS
>>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
>>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>>> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
>>> not exist: /var/www/html/ca
>>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
>>> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> ping(): SUCCESS
>>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
>>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>>> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
>>> not exist: /var/www/html/ca
>>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> cert_show(u'268369923'): CertificateOperationError
>>>
>>> access_log:
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:00 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 259
>>> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
>>> "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:01 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 360
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:07 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 259
>>> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
>>> "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:08 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 360
>>>
>>>
>>>
>> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
>> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
>> numbers seemed incorrect. They were pointing at
>> ajp://localhost:9447/, which is a port that's not responding to
>> anything. "netstat -nat" agrees...nothing there.
>>
>> "/etc/init.d/pki-cad status" seems to indicate that the correct port is
>> 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
>> and restarted httpd. And attempted to disable the host:
>>
>> # ipa host-disable bck01.ix.test.com
>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
>> I/O error occurred during security authorization.
>>
>> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
>> yields:
>>
>> Secure Connection Failed
>> An error occurred during a connection to ipasrv01.ix.test.com:9443.
>> SSL peer cannot verify your certificate.
>> (Error code: ssl_error_bad_cert_alert)
>>
>>
>> Am I heading in the incorrect direction here? Or does the pki-cad
>> service have some cert issues?
> In order for the proxy conf to work you need to have a version of dogtag
> that properly supports it.
>
> What version of dogtag are you running ?
>
> (pki-* packages)
>
> Simo.
>
pki-setup-9.0.12-1.fc15.noarch
pki-util-9.0.12-1.fc15.noarch
pki-silent-9.0.12-1.fc15.noarch
pki-symkey-9.0.12-1.fc15.x86_64
pki-selinux-9.0.12-1.fc15.noarch
pki-java-tools-9.0.12-1.fc15.noarch
pki-ca-9.0.12-1.fc15.noarch
pki-native-tools-9.0.12-1.fc15.x86_64
pki-common-9.0.12-1.fc15.noarch
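
The two failures in this thread, as an added triage script (example code, not part of FreeIPA and not from the original poster). It walks httpd's error_log and pairs each `sslget` the IPA framework makes to a /ca/... URL with the `File does not exist: /var/www/html/ca` line that follows it and the `CertificateOperationError` it ends in; that pairing is the signature of httpd serving the CA prefix from DocumentRoot instead of proxying it. It then pulls the ajp:// backends out of a proxy config and reports any whose port has no local listener, which is what the poster found with `netstat -nat` on 9447. The sample log is a constructed copy of the lines quoted above (principal written as admin@IX.TEST.COM, since the archive rendered `@` as ` at `), the config fragment is an assumed layout in the shape of ipa-pki-proxy.conf rather than the real file, and `DOCUMENT_ROOT` and the set of listening ports are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample modelled on the error_log lines quoted in the thread.
# The archive rendered the principal as "admin at IX.TEST.COM"; a real log has "@".
SAMPLE_ERROR_LOG = """\
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.test.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.test.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.test.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError
"""

# Constructed fragment in the shape of ipa-pki-proxy.conf (assumed layout, not a
# copy of the real file): CA locations are proxied over AJP to one local port.
SAMPLE_PROXY_CONF = """\
<LocationMatch "^/ca/agent/ca/displayBySerial">
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
"""

DOCUMENT_ROOT = "/var/www/html"  # assumed httpd default; matches the path in the log

SSLGET_RE = re.compile(r"ipa: INFO: sslget '(?P<url>https?://[^']+)'")
NOTFOUND_RE = re.compile(r"\[client [^\]]+\] File does not exist: (?P<path>\S+)")
CERTERR_RE = re.compile(
    r"ipa: INFO: [^:]+: (?P<call>\w+)\((?P<args>[^)]*)\): CertificateOperationError")
AJP_RE = re.compile(r"ajp://(?P<host>[^:/\s]+):(?P<port>\d+)")


@dataclass
class Finding:
    command: str      # the IPA call that failed, e.g. host_disable(u'bck01.ix.test.com')
    url: str          # backend URL the framework tried to fetch with sslget
    served_from: str  # filesystem path httpd looked up instead of proxying
    diagnosis: str


def _top_segment(url: str) -> str:
    """First path component of a URL: 'ca' for https://host/ca/agent/..."""
    parts = urlsplit(url).path.split("/")
    return parts[1] if len(parts) > 1 else ""


def triage_error_log(lines: Iterable[str]) -> List[Finding]:
    """Pair each sslget to the CA with the DocumentRoot lookup that followed it
    and the CertificateOperationError it produced.  One Finding per failed IPA
    call; a failure with no such lookup before it is not reported."""
    findings: List[Finding] = []
    pending_url: Optional[str] = None
    pending_path: Optional[str] = None
    for line in lines:
        m = SSLGET_RE.search(line)
        if m:
            pending_url, pending_path = m.group("url"), None
            continue
        m = NOTFOUND_RE.search(line)
        if m and pending_url:
            # only a lookup under DocumentRoot for the URL's own prefix counts
            if m.group("path").startswith(f"{DOCUMENT_ROOT}/{_top_segment(pending_url)}"):
                pending_path = m.group("path")
            continue
        m = CERTERR_RE.search(line)
        if m:
            if pending_url and pending_path:
                findings.append(Finding(
                    command=f"{m.group('call')}({m.group('args')})",
                    url=pending_url,
                    served_from=pending_path,
                    diagnosis=(f"httpd served /{_top_segment(pending_url)}/ from {DOCUMENT_ROOT} "
                               "instead of proxying it; no proxy rule for that prefix is loaded "
                               "(in the thread: /etc/httpd/conf.d/ipa-pki-proxy.conf was missing)"),
                ))
            pending_url = pending_path = None
    return findings


def check_proxy_backends(conf_text: str, listening_ports: Set[int]) -> List[str]:
    """One message per distinct ajp:// backend in conf_text whose port has no
    local listener.  listening_ports is what `netstat -nat` / `ss -ltn` shows
    as LISTEN; a port that is listening may still speak the wrong protocol,
    which this check cannot see."""
    backends = sorted({(m.group("host"), int(m.group("port")))
                       for m in AJP_RE.finditer(conf_text)})
    return [f"{host}:{port}: no listener; Dogtag's AJP connector is not up on this port"
            for host, port in backends if port not in listening_ports]


if __name__ == "__main__":
    for f in triage_error_log(SAMPLE_ERROR_LOG.splitlines()):
        print(f"{f.command}: {f.diagnosis}")
    # Listeners as the thread describes them before the edit: httpd on 443 and
    # the CA agent port on 9443, nothing on 9447 (constructed set).
    for msg in check_proxy_backends(SAMPLE_PROXY_CONF, {443, 9443}):
        print(msg)
```

Run as-is it reports both failed calls against the sample and flags localhost:9447; in practice feed it the real error_log and the LISTEN ports from `ss -ltn`. It covers only the two states the thread shows, a missing proxy rule and a dead backend. The poster's edit to 9443 pointed the AJP proxy at an endpoint that the Firefox test shows is an HTTPS port demanding a client certificate, and that mismatch, which Simo's reply ties to the Dogtag version, is not something a port-listener check can detect.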