[Freeipa-users] Certificate error when modifying/deleting a host

Sigbjorn Lie sigbjorn at nixtra.com
Wed Sep 28 21:03:07 UTC 2011


On 09/28/2011 03:33 AM, Adam Young wrote:
> After talking with the PKI developer that is fixing this, I found out 
> that one other file needs to be modified:
>
> /var/lib/pki-ca/conf/CS.cfg
>
> http.port=8080
> https.port=8443
>
> On 09/27/2011 07:55 PM, Adam Young wrote:
>>
>> Siggi,
>>
>> This is my comment in the ticket: 
>> https://fedorahosted.org/freeipa/ticket/1889
>>
>> We are working on a tool in the PKI project that will perform these 
>> steps in an automated fashion.
>>
>>
>> There are three files that need to be addressed.
>>
>> On the tomcat side, the files are in the Tomcat instance managed by 
>> IPA in /var/lib/pki-ca. The first is
>>
>> /var/lib/pki-ca/conf/server.xml
>>
>> It needs the addition:
>>
>> + <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>>
>> You can place it around line 281, above the comment for the line 
>> <Engine name="Catalina" defaultHost="localhost">
>>
>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>
>> For each of the filter entries it needs the code addition below:
>>
>> +    <init-param>
>> +        <param-name>proxy_port</param-name>
>> +        <param-value>443</param-value>
>> +    </init-param>
>>
>>      <init-param>
>>          <param-name>active</param-name>
>>          <param-value>true</param-value>
>>      </init-param>
>>
>>      </filter>
>>
>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
>> the directory /etc/httpd/conf.d
>>

Sorry for the late reply.

I have performed the modifications you've suggested to 
/var/lib/pki-ca/conf/server.xml and 
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.

In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
http.port=8080 and https.port=8443.

I could not find the file /etc/pki-ca/proxy.conf. I did find 
/usr/share/pki/ca/conf/proxy.conf, I copied this into /etc/httpd/conf.d 
and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.

Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.

What do you suggest doing next? :)
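As an added example that is not part of this thread (and not a FreeIPA or Dogtag PKI tool), a POSIX shell script that checks whether the four changes discussed above are present: the AJP connector on port 9447 in server.xml, a proxy_port init-param in every filter of web.xml, the http/https ports in CS.cfg, and a proxy.conf in /etc/httpd/conf.d with the [PKI_MACHINE_NAME] placeholder replaced. The root-directory layout, the sample file contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: files are looked up under a
# root directory mirroring the live layout, so "/" checks a host and a copied
# tree can be checked offline.

check_ajp_connector() {   # $1 = server.xml
    grep -Eq '<Connector[^>]*port="9447"[^>]*protocol="AJP/1.3"' "$1"
}

check_proxy_port_filters() {   # $1 = web.xml; every <filter> needs proxy_port
    total=$(grep -c '<filter>' "$1")
    patched=$(awk '/<filter>/ {inf=1; seen=0}
                   inf && /proxy_port/ {seen=1}
                   /<\/filter>/ {if (inf && seen) n++; inf=0}
                   END {print n+0}' "$1")
    [ "$total" -gt 0 ] && [ "$total" -eq "$patched" ]
}

check_cs_ports() {   # $1 = CS.cfg
    grep -q '^http.port=8080$' "$1" && grep -q '^https.port=8443$' "$1"
}

check_proxy_conf() {   # $1 = httpd conf.d dir; placeholder must be replaced
    [ -e "$1/proxy.conf" ] && ! grep -q '\[PKI_MACHINE_NAME\]' "$1/proxy.conf"
}

check_all() {   # $1 = root directory; succeeds only if all four checks pass
    check_ajp_connector "$1/var/lib/pki-ca/conf/server.xml" &&
    check_proxy_port_filters "$1/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml" &&
    check_cs_ports "$1/var/lib/pki-ca/conf/CS.cfg" &&
    check_proxy_conf "$1/etc/httpd/conf.d"
}

# Constructed sample tree (demo data, not real PKI files): $1 = patched|unpatched
make_sample_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/var/lib/pki-ca/conf" "$r/var/lib/pki-ca/webapps/ca/WEB-INF" "$r/etc/httpd/conf.d"
    printf 'http.port=8080\nhttps.port=8443\n' > "$r/var/lib/pki-ca/conf/CS.cfg"
    printf 'ProxyPass /ca ajp://localhost:9447/ca\n' > "$r/etc/httpd/conf.d/proxy.conf"
    pp=''; conn=''
    if [ "$1" = patched ]; then
        pp='<init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>'
        conn='<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />'
    fi
    printf '<Service>\n%s\n</Service>\n' "$conn" > "$r/var/lib/pki-ca/conf/server.xml"
    printf '<filter>\n%s\n<init-param><param-name>active</param-name></init-param>\n</filter>\n' \
        "$pp" > "$r/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml"
    echo "$r"
}
```

Run `check_all /` on the IPA CA host itself, or point it at a copied tree to review the files offline.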
