[Freeipa-users] Certificate error when modifying/deleting a host
Adam Young
ayoung at redhat.com
Wed Sep 28 21:35:29 UTC 2011
On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
> On 09/28/2011 03:33 AM, Adam Young wrote:
>> After talking with the PKI developer that is fixing this, I found out
>> that one other file needs to be modified:
>>
>>
>> /var/lib/pki-ca/conf/CS.cfg
>>
>> http.port=8080
>> https.port=8443
>>
>>
>>
>>
>>
>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>
>>> Siggi,
>>>
>>> This is my comment in the ticket:
>>> https://fedorahosted.org/freeipa/ticket/1889
>>>
>>> We are working on a tool in the PKI project that will perform these
>>> steps in an automated fashion.
>>>
>>>
>>> There are three files that need to be addressed.
>>>
>>> On the tomcat side, the files are in the Tomcat instance managed by
>>> IPA in /var/lib/pki-ca. The first is
>>>
>>> /var/lib/pki-ca/conf/server.xml
>>>
>>> It needs the addition:
>>>
>>> + <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>>>
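Review bot: the added Connector has no `address` attribute, so Tomcat will bind port 9447 on every interface, not just the one the httpd proxy on the same host talks to; add `address="127.0.0.1"`, i.e. `<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" address="127.0.0.1" />`, so the AJP endpoint, which as configured carries no authentication of its own, is not reachable from the network. The instruction should also say that 9447 must match the [PKI_AJP_PORT] value written into proxy.conf, since a mismatch there fails silently at the httpd side.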
>>> You can place it around line 281, above the comment for the line
>>> <Engine name="Catalina" defaultHost="localhost">
>>>
>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>
>>> For each of the filter entries it needs the code addition below:
>>>
>>> <init-param>
>>>
>>> <param-name>proxy_port</param-name>
>>> <param-value>443</param-value>
>>>
>>> </init-param>
>>>
>>> + <init-param> + <param-name>proxy_port</param-name> +
>>> <param-value>443</param-value> + </init-param>
>>>
>>> <init-param>
>>>
>>> <param-name>active</param-name> <param-value>true</param-value>
>>>
>>> </init-param>
>>>
>>> </filter>
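Review bot: the `+ <init-param>` block for proxy_port is identical to the unmarked proxy_port/443 init-param shown directly above it, so as quoted the filter would end up with two init-params of the same name; either the unmarked copy is stale context and should be dropped, or the parameter is already present and the `+` block is not needed. The intended end state is exactly one `<init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>` per filter, placed before the existing `active` init-param, and the instruction would be clearer if it said so.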
>>>
>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in
>>> the directory /etc/httpd/conf.d
>>>
>>>
>>>
>
> Sorry for the late reply.
>
> I have performed the modifications you've suggested to
> /var/lib/pki-ca/conf/server.xml, and
> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>
> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
> http.port=8080 and https.port=8443.
>
> I could not find the file /etc/pki-ca/proxy.conf. I did find
> /usr/share/pki/ca/conf/proxy.conf, I copied this into
> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with
> localhost:9447.
>
> Then I restarted ipa: $ ipactl restart
>
> I get a different error now, same error msg both in webui and cli:
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> What do you suggest doing next? :)
/etc/httpd/conf.d/nss.conf:
[root at vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
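Review bot: line 74 turns TLS renegotiation back on, which mod_nss ships off because unsafe renegotiation lets an attacker prefix his own request to a victim's session; this hunk is only acceptable together with the `NSSRequireSafeNegotiation on` change at line 78 below, so the two lines should be applied, and described in the instructions, as one change rather than as independent settings.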
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on
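Review bot: with NSSRequireSafeNegotiation on, mod_nss refuses to renegotiate with a peer that does not advertise RFC 5746 secure renegotiation, so this needs to be verified against the NSS build the IPA clients actually use rather than assumed to work; the diff also leaves no record of why the shipped defaults were changed, and a `#` comment above line 78 naming the pki-ca proxy as the reason would stop the next administrator from reverting both lines.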
As I said, we are scripting this. I should have had you hold out for
the script.
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110928/19ff7128/attachment.htm>
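Pulling the thread's four edits together, here is an added consistency check; it is not code from the FreeIPA or Dogtag PKI projects and not the script Adam refers to. It parses server.xml, web.xml, proxy.conf and nss.conf (constructed copies are embedded, with made-up filter names) and reports an AJP connector that is not bound to loopback, a proxy.conf target with no matching connector, a filter whose proxy_port init-param is missing or duplicated, and either nss.conf renegotiation directive left off. The sample file contents, the filter names and the expectation that the AJP connector should be bound to loopback are assumptions, not facts stated in the thread.

```python
"""Audit the pki-ca proxy settings from this thread for consistency.

Added example, not code from FreeIPA or Dogtag and not the script Adam
mentions.  The sample files, their filter names and the expectation that
the AJP connector is bound to loopback are assumptions, not thread facts.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples, deliberately carrying two of the mistakes the checks catch.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
  <Engine name="Catalina" defaultHost="localhost" />
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>EEAuthority</filter-name>
    <init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter><filter-name>AgentAuthority</filter-name>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""
# Modelled on the [PKI_MACHINE_NAME]:[PKI_AJP_PORT] placeholder quoted in the thread.
PROXY_CONF = "ProxyPass /ca/ee/ca ajp://localhost:9447/ca/ee/ca\n"
NSS_CONF = "# constructed excerpt\nNSSRenegotiation on\nNSSRequireSafeNegotiation on\n"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag):
    """Drop an XML namespace: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def ajp_connectors(server_xml):
    """[(port, address)] per AJP Connector; address None means all interfaces."""
    return [(int(c.get("port")), c.get("address"))
            for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def proxy_targets(proxy_conf):
    """Set of (host, port) that httpd forwards to over AJP."""
    return {(h, int(p)) for h, p in re.findall(r"ajp://([^/:\s]+):(\d+)", proxy_conf)}


def filter_params(web_xml):
    """filter-name -> [(param-name, param-value), ...] in document order."""
    result = {}
    for f in ET.fromstring(web_xml).iter():
        if _local(f.tag) != "filter":
            continue
        name, params = None, []
        for child in f:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(g.tag): (g.text or "").strip() for g in child}
                params.append((kv.get("param-name"), kv.get("param-value")))
        result[name] = params
    return result


def filters_needing_fix(web_xml, port="443"):
    """Filters whose proxy_port init-param is absent, wrong or duplicated."""
    return [name for name, params in filter_params(web_xml).items()
            if [v for k, v in params if k == "proxy_port"] != [port]]


def nss_setting(nss_conf, directive):
    """Value of the last uncommented occurrence of a mod_nss directive, or None."""
    value = None
    for line in nss_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == directive:  # '#' lines never match
            value = parts[1].lower()
    return value


def audit(server_xml, web_xml, proxy_conf, nss_conf):
    """Return findings as strings; an empty list means the four files agree."""
    findings = []
    connectors = ajp_connectors(server_xml)
    if not connectors:
        findings.append("server.xml: no AJP/1.3 Connector")
    for port, address in connectors:
        if address not in LOOPBACK:  # Tomcat binds every interface without address=
            findings.append(f"server.xml: AJP port {port} is bound to all interfaces")
    for host, port in proxy_targets(proxy_conf):
        if port not in {p for p, _ in connectors}:
            findings.append(f"proxy.conf: forwards to {host}:{port} but no AJP Connector listens there")
    for name in filters_needing_fix(web_xml):
        findings.append(f"web.xml: filter {name} needs exactly one proxy_port=443 init-param")
    for directive in ("NSSRenegotiation", "NSSRequireSafeNegotiation"):
        if nss_setting(nss_conf, directive) != "on":
            findings.append(f"nss.conf: {directive} is not on")
    return findings
```

To use it on a real server, read the four files into strings and pass them to audit(); an empty list means the connector port, the proxy target, every filter's proxy_port and both nss.conf directives agree, which is worth confirming before running ipactl restart. The loopback check exists because a Connector without address= listens on every interface, and nothing but the local httpd proxy should be able to reach the AJP port.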