[Freeipa-users] Certificate error when modifying/deleting a host

Adam Young ayoung at redhat.com
Tue Sep 27 21:11:41 UTC 2011


On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
>> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
>>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a host that refuses to be modified or deleted. I get the 
>>>> same error from the webui and the cli. I am using F15, FreeIPA 
>>>> 2.1.1 + all updates from the updates repository. I cannot find any 
>>>> error in any log. I have tried to reboot my ipa servers. All 
>>>> services seem to be running and have no issues.
>>>>
>>>> The error message I receive is:
>>>>
>>>>   * Certificate operation cannot be completed: Unable to
>>>>     communicate with CMS (Not Found)
>>>>
>>>>
>>>> I have looked in the Dogtag Certificate Manager, and I can see the 
>>>> certificate. It's still valid, and holds the same serial number as 
>>>> what is displayed using ipa host-show <hostname>.
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>>
>>> Can you please send the sanitized apache logs?
>>>
>>
>>
>> These are the apache log lines that correspond to # ipa host-disable 
>> <hostname>, and # ipa cert-show <serialno>. I have no config files in 
>> my /etc/httpd/conf.d/ directory that contain any reference to the 
>> /ca directory. Also /var/www/html/ca does not exist.
>>
>> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file 
>> /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not 
>> exist on any of my 3 IPA servers.
>>
>> Should that file contain an alias and proxy rules for /ca/ ?
>>
>>
>> error_log:
>> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
>> ping(): SUCCESS
>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 
>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does 
>> not exist: /var/www/html/ca
>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
>> host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
>> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
>> ping(): SUCCESS
>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 
>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does 
>> not exist: /var/www/html/ca
>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
>> cert_show(u'268369923'): CertificateOperationError
>>
>> access_log:
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST 
>> /ipa/xml HTTP/1.1" 200 259
>> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST 
>> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST 
>> /ipa/xml HTTP/1.1" 200 360
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST 
>> /ipa/xml HTTP/1.1" 200 259
>> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST 
>> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST 
>> /ipa/xml HTTP/1.1" 200 360
>>
>>
>>
>
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I 
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port 
> numbers seemed incorrect. They were pointing at 
> ajp://localhost:9447/, which is a port that's not responding to 
> anything. "netstat -nat" agrees...nothing there.
>
> "/etc/init.d/pki-cad status" seems to indicate that the correct port is 
> 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file 
> and restarted httpd. And attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
> I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca 
> yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
>
> Am I heading in the incorrect direction here? Or does the pki-cad 
> service have some cert issues?

9447 was likely the right value.

I think the problem is with the proxy configuration. We are working on 
a script to upgrade a non-proxied PKI (Dogtag) to a proxied version, 
but the ports set in the config file need to match the ports that the 
pki-ca web app is using.

I'm assuming from what you said above that you can talk to Dogtag 
directly on port 9443, but that the proxy is not set correctly for the 
HTTPD to AJP communication.

Have your server.xml and web.xml files in the PKI configuration been 
modified to listen on AJP? It should be something like:


<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" 
redirectPort="[PKI_AJP_REDIRECT_PORT]" />

in the server.xml file. The AJP port has to match what the file in 
/etc/httpd/conf.d/proxy.conf says. 9443 is, I think, the HTTPS 
port in your case, not the AJP port. AJP should be 9447.



>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
We (Ade Lee) are working on a script to upgrade an existing Dogtag 
instance to use
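One way to script the check Adam describes (the ajp:// port that the httpd 
proxy config points at must be an AJP/1.3 Connector in Dogtag's server.xml, 
not the HTTPS port), as an added example that is not from this thread or 
from the FreeIPA project. The server.xml and proxy fragments below are 
constructed samples modelled on the ports quoted above (9443 HTTPS, 9447 
AJP) and on the ajp://localhost:9447 lines mentioned in the thread; they 
are not copied from an installed instance. The loopback-binding warning is 
this example's own hardening suggestion, not something the thread asks for.

```python
import re
import socket
import xml.etree.ElementTree as ET

# Constructed sample of Dogtag's Tomcat server.xml: a plain HTTP connector,
# the HTTPS connector on 9443 and the AJP connector on 9447, mirroring the
# ports discussed in the thread.  Not copied from a real pki-ca install.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" protocol="HTTP/1.1" redirectPort="9443" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9443" />
  </Service>
</Server>
"""

# Constructed httpd fragment in the style of ipa-pki-proxy.conf, sending
# /ca/ agent and EE paths to the AJP connector.
GOOD_PROXY_CONF = """ProxyRequests Off
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/ee/ca/profileSubmit">
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
"""

# The edit made in the thread: the same fragment aimed at the HTTPS port.
BAD_PROXY_CONF = GOOD_PROXY_CONF.replace("9447", "9443")

AJP_URL_RE = re.compile(r"ajp://(?P<host>[^:/\s]+):(?P<port>\d+)")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def connectors(server_xml):
    """Map each <Connector> port in server.xml to (protocol, bind address).

    Tomcat defaults: protocol HTTP/1.1, and no address means all interfaces."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = int(conn.get("port"))
        found[port] = (conn.get("protocol", "HTTP/1.1"),
                       conn.get("address", "0.0.0.0"))
    return found


def proxy_targets(conf_text):
    """Collect every (host, port) that ProxyPass* directives send to over ajp://."""
    return {(m.group("host"), int(m.group("port")))
            for m in AJP_URL_RE.finditer(conf_text)}


def check(server_xml, conf_text):
    """Cross-check the httpd AJP targets against Tomcat's connectors.

    Returns (errors, warnings).  Errors are mismatches that break the proxy;
    warnings are hardening points that do not."""
    conns = connectors(server_xml)
    errors, warnings = [], []
    targets = proxy_targets(conf_text)
    if not targets:
        errors.append("no ajp:// target found in the proxy config")
    for host, port in sorted(targets):
        if port not in conns:
            errors.append(f"ajp://{host}:{port}: server.xml has no Connector on port {port}")
            continue
        proto, addr = conns[port]
        if not proto.upper().startswith("AJP"):
            # The mismatch made in the thread: 9447 changed to 9443, which
            # Adam's reply identifies as the HTTPS port rather than AJP.
            errors.append(f"ajp://{host}:{port}: port {port} is a {proto} connector, not AJP")
        elif host in LOOPBACK and addr not in LOOPBACK:
            # Hardening suggestion (this example's own, not from the thread):
            # httpd reaches the connector over loopback, so it need not
            # listen on every interface.
            warnings.append(f"AJP connector on port {port} binds {addr}; "
                            'consider address="127.0.0.1"')
    return errors, warnings


def port_is_listening(host, port, timeout=1.0):
    """Live counterpart of the thread's 'netstat -nat' check: can we connect?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, conf in (("good", GOOD_PROXY_CONF), ("bad", BAD_PROXY_CONF)):
        errors, warnings = check(SAMPLE_SERVER_XML, conf)
        print(f"{label}: errors={errors} warnings={warnings}")
```

To use it on a real server, read the pki-ca instance's server.xml and 
/etc/httpd/conf.d/ipa-pki-proxy.conf (the file the thread names) into the 
two arguments of check(); port_is_listening() then confirms that something 
actually answers on the AJP port before httpd is restarted.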