[Freeipa-users] Certificate error when modifying/deleting a host

Adam Young ayoung at redhat.com
Wed Sep 28 21:35:29 UTC 2011


On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
> On 09/28/2011 03:33 AM, Adam Young wrote:
>> After talking with the PKI developer that is fixing this, I found out 
>> that one other file needs to be modified:
>>
>>
>> /var/lib/pki-ca/conf/CS.cfg
>>
>> http.port=8080
>> https.port=8443
>>
>>
>>
>>
>>
>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>
>>> Siggi,
>>>
>>> This is my comment in the ticket: 
>>> https://fedorahosted.org/freeipa/ticket/1889
>>>
>>> We are working on a tool in the PKI project that will perform these 
>>> steps in an automated fashion.
>>>
>>>
>>> There are three files that need to be addressed.
>>>
>>> On the tomcat side, the files are in the Tomcat instance managed by 
>>> IPA in /var/lib/pki-ca. The first is
>>>
>>> /var/lib/pki-ca/conf/server.xml
>>>
>>> It needs the addition:
>>>
>>> + <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>>>
>>> You can place it around line 281, above the comment for the line 
>>> <Engine name="Catalina" defaultHost="localhost">
>>>
>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>
>>> For each of the filter entries it needs the code addition below:
>>>
>>>     <init-param>
>>>
>>>         <param-name>proxy_port</param-name>
>>>         <param-value>443</param-value>
>>>
>>>     </init-param>
>>>
>>> + <init-param>
>>> + <param-name>proxy_port</param-name>
>>> + <param-value>443</param-value>
>>> + </init-param>
>>>
>>>     <init-param>
>>>
>>>         <param-name>active</param-name> <param-value>true</param-value>
>>>
>>>     </init-param>
>>>
>>>     </filter>
>>>
>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
>>> the directory /etc/httpd/conf.d
>>>
>>>
>>>
>
> Sorry for the late reply.
>
> I have performed the modifications you've suggested to 
> /var/lib/pki-ca/conf/server.xml, and  
> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>
> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
> http.port=8080 and https.port=8443.
>
> I could not find the file /etc/pki-ca/proxy.conf. I did find 
> /usr/share/pki/ca/conf/proxy.conf, I copied this into 
> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with 
> localhost:9447.
>
> Then I restarted ipa: $ ipactl restart
>
> I get a different error now, same error msg both in webui and cli:
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
> I/O error occurred during security authorization.
>
> What do you suggest doing next? :)

/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
 > NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
 > NSSRequireSafeNegotiation on
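Review bot: the nss.conf diff is introduced with only the file name, so nothing says why NSSRenegotiation must go from off to on at line 74; add one sentence of rationale before the diff. Keep the two directives paired exactly as shown: turning NSSRenegotiation on without NSSRequireSafeNegotiation on (line 78) would let mod_nss renegotiate with peers that do not implement RFC 5746 secure renegotiation, which is the classic TLS renegotiation weakness, whereas with both on only RFC 5746-capable peers may renegotiate.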


As I said, we are scripting this.  I should have had you hold out for 
the script.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
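The thread describes four manual edits (an AJP Connector in server.xml, a proxy_port init-param in every web.xml filter, the http/https ports in CS.cfg, and the proxy.conf symlink) plus the nss.conf renegotiation pairing. The Python helpers below are an added example, not the PKI project's script that Adam says is being written; they apply the edits idempotently to constructed sample file contents embedded here (the filter names, classes and non-9447 ports in the samples are invented), and the function names, the default paths and the mod_nss "off" defaults assumed when a directive is absent are this example's own choices, with the port numbers taken from the thread.

```python
import os
import re

# Constructed sample inputs (not files from the thread) so the helpers run offline.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" protocol="HTTP/1.1" redirectPort="9443" />
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

SAMPLE_WEB_XML = """<web-app>
    <filter>
        <filter-name>AgentFilter</filter-name>
        <init-param>
            <param-name>active</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>EEFilter</filter-name>
        <init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
    </filter>
    <filter-mapping>
        <filter-name>AgentFilter</filter-name>
        <url-pattern>/agent/*</url-pattern>
    </filter-mapping>
</web-app>
"""

SAMPLE_CS_CFG = "cs.state=1\nhttp.port=8080\nhttps.port=8443\n"
SAMPLE_NSS_CONF = "# NSSRenegotiation off\nNSSRenegotiation on\nNSSRequireSafeNegotiation on\n"


def add_ajp_connector(server_xml, port=9447, redirect_port=9444):
    """Insert the AJP Connector directly above <Engine name="Catalina"> unless a
    Connector on that port already exists. Returns the new file text."""
    if re.search(r'<Connector\b[^>]*\bport="%d"' % port, server_xml):
        return server_xml  # already present: idempotent no-op
    m = re.search(r'^([ \t]*)<Engine\b[^>]*name="Catalina"', server_xml, re.M)
    if not m:
        raise ValueError('no <Engine name="Catalina"> element in server.xml')
    connector = '%s<Connector port="%d" protocol="AJP/1.3" redirectPort="%d" />\n' % (
        m.group(1), port, redirect_port)
    return server_xml[:m.start()] + connector + server_xml[m.start():]


def add_proxy_port_param(web_xml, proxy_port=443):
    """Add a proxy_port init-param to every <filter> block that lacks one.
    Text-based on purpose so comments and layout of web.xml are preserved."""
    def patch(match):
        block = match.group(0)
        if '<param-name>proxy_port</param-name>' in block:
            return block  # this filter is already configured
        m = re.search(r'^([ \t]*)</filter>', block, re.M)
        indent = m.group(1) if m else ''
        body = ['<init-param>',
                '    <param-name>proxy_port</param-name>',
                '    <param-value>%d</param-value>' % proxy_port,
                '</init-param>']
        param = ''.join(indent + '    ' + line + '\n' for line in body)
        return block.replace(indent + '</filter>', param + indent + '</filter>', 1)
    # matches <filter> and <filter attr="...">, but not <filter-mapping>
    return re.sub(r'<filter(?:\s[^>]*)?>.*?</filter>', patch, web_xml, flags=re.S)


def read_ports(cs_cfg):
    """Return the http.port / https.port values found in a CS.cfg body."""
    ports = {}
    for line in cs_cfg.splitlines():
        key, sep, value = line.partition('=')
        if sep and key.strip() in ('http.port', 'https.port'):
            ports[key.strip()] = value.strip()
    return ports


def nss_renegotiation_state(nss_conf):
    """Read the two mod_nss renegotiation directives (comment lines ignored,
    'off' assumed when absent) and flag the unsafe combination: renegotiation
    enabled without requiring RFC 5746 secure renegotiation."""
    settings = {'NSSRenegotiation': 'off', 'NSSRequireSafeNegotiation': 'off'}
    for line in nss_conf.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].lower()
    reneg = settings['NSSRenegotiation'] == 'on'
    safe = settings['NSSRequireSafeNegotiation'] == 'on'
    return {'renegotiation': reneg, 'require_safe': safe, 'unsafe': reneg and not safe}


def ensure_proxy_symlink(src='/etc/pki-ca/proxy.conf', dst='/etc/httpd/conf.d/proxy.conf'):
    """Create the dst -> src symlink; True if created, False if already correct."""
    if os.path.islink(dst) and os.readlink(dst) == src:
        return False
    if os.path.lexists(dst):
        raise FileExistsError('%s exists and is not the expected symlink' % dst)
    os.symlink(src, dst)
    return True
```

Running the helpers on the samples adds the 9447 connector once, adds proxy_port only to the filter that lacks it (the filter-mapping element is left alone), reports the 8080/8443 ports, and reports the on/on pairing as safe; a second pass over the patched text changes nothing, which is the property you want before pointing the functions at the real files under /var/lib/pki-ca.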
