[Freeipa-users] Certificate error when modifying/deleting a host

Sigbjorn Lie sigbjorn at nixtra.com
Wed Sep 28 21:59:40 UTC 2011


On 09/28/2011 11:35 PM, Adam Young wrote:
> On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
>> On 09/28/2011 03:33 AM, Adam Young wrote:
>>> After talking with the PKI developer that is fixing this, I found 
>>> out that one other file needs to be modified:
>>>
>>>
>>> /var/lib/pki-ca/conf/CS.cfg
>>>
>>> http.port=8080
>>> https.port=8443
>>>
>>>
>>>
>>>
>>>
>>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>>
>>>> Siggi,
>>>>
>>>> This is my comment in the ticket: 
>>>> https://fedorahosted.org/freeipa/ticket/1889
>>>>
>>>> We are working on a tool in the PKI project that will perform these 
>>>> steps in an automated fashion.
>>>>
>>>>
>>>> There are three files that need to be addressed.
>>>>
>>>> On the tomcat side, the files are in the Tomcat instance managed by 
>>>> IPA in /var/lib/pki-ca. The first is
>>>>
>>>> /var/lib/pki-ca/conf/server.xml
>>>>
>>>> It needs the addition:
>>>>
>>>> + <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
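Review bot: the new AJP connector on port 9447 carries no `address` attribute, so Tomcat will accept AJP on every interface rather than only from the local httpd that proxy.conf points at localhost:9447; suggest `<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" address="127.0.0.1" />` so the connector is reachable only through the httpd proxy, and a comment in server.xml saying why the attribute is there.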
>>>>
>>>> You can place it around line 281, above the comment for the line 
>>>> <Engine name="Catalina" defaultHost="localhost">
>>>>
>>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>>
>>>> For each of the filter entries it needs the code addition below:
>>>>
>>>>     <init-param>
>>>>
>>>>         <param-name>proxy_port</param-name>
>>>>         <param-value>443</param-value>
>>>>
>>>>     </init-param>
>>>>
>>>> + <init-param> + <param-name>proxy_port</param-name> + 
>>>> <param-value>443</param-value> + </init-param>
>>>>
>>>>     <init-param>
>>>>
>>>>         <param-name>active</param-name>
>>>>         <param-value>true</param-value>
>>>>
>>>>     </init-param>
>>>>
>>>>     </filter>
>>>>
>>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in 
>>>> the directory /etc/httpd/conf.d
>>>>
>>>>
>>>>
>>
>> Sorry for the late reply.
>>
>> I have performed the modifications you've suggested to 
>> /var/lib/pki-ca/conf/server.xml, and 
>> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>>
>> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
>> http.port=8080 and https.port=8443.
>>
>> I could not find the file /etc/pki-ca/proxy.conf. I did find 
>> /usr/share/pki/ca/conf/proxy.conf, I copied this into 
>> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with 
>> localhost:9447.
>>
>> Then I restarted ipa: $ ipactl restart
>>
>> I get a different error now, same error msg both in webui and cli:
>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
>> I/O error occurred during security authorization.
>>
>> What do you suggest doing next? :)
>
> /etc/httpd/conf.d/nss.conf:
>
> [root@vm-077 conf.d]# diff nss.conf.orig nss.conf
> 74c74
> < NSSRenegotiation off
> ---
> > NSSRenegotiation on
> 78c78
> < NSSRequireSafeNegotiation off
> ---
> > NSSRequireSafeNegotiation on
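Review bot: the diff turns on both `NSSRenegotiation` (line 74) and `NSSRequireSafeNegotiation` (line 78) without saying why they belong together; the second directive is what keeps the first one safe, since it limits renegotiation to peers that support the safe-renegotiation extension, so the instructions or the script should state that `NSSRenegotiation on` is never to be applied on its own, and that nss.conf.orig should be kept so the change can be reverted.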
>
>
> As I said, we are scripting this.  I should have had you hold out for 
> the script.

:)

I see Ade Lee has posted the script now. I'll have a go at the script 
tomorrow.

Rgds,
Siggi
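One way to verify the edits discussed in this thread before restarting ipa, as an added example that is not part of the original post or of the FreeIPA/PKI projects: on constructed fragments of server.xml, web.xml and CS.cfg it checks that the AJP connector on 9447 exists and is bound to loopback, that every filter carries proxy_port=443, and that CS.cfg holds the expected ports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the real file): the AJP connector is
# present but has no address attribute, so it would bind on all interfaces.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444"/>
<Engine name="Catalina" defaultHost="localhost"/></Service></Server>"""

# Constructed web.xml fragment (namespaced like the real file): the first
# filter is patched, the second still lacks the proxy_port init-param.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
<filter><filter-name>AuthFilter</filter-name>
<init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
<init-param><param-name>active</param-name><param-value>true</param-value></init-param>
</filter><filter><filter-name>OtherFilter</filter-name>
<init-param><param-name>active</param-name><param-value>true</param-value></init-param>
</filter></web-app>"""

CS_CFG = "http.port=8080\nhttps.port=8443\n"   # constructed CS.cfg lines

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop any {namespace} prefix
def _elems(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_ajp_connector(xml_text, port="9447"):
    """Return (present, bound_to_loopback) for the AJP connector on `port`."""
    for c in _elems(ET.fromstring(xml_text), "Connector"):
        if c.get("protocol", "").startswith("AJP") and c.get("port") == port:
            return True, c.get("address") in ("127.0.0.1", "::1", "localhost")
    return False, False

def filters_missing_proxy_port(xml_text, expected="443"):
    """Names of <filter> entries that lack init-param proxy_port=expected."""
    missing = []
    for f in _elems(ET.fromstring(xml_text), "filter"):
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _elems(f, "init-param")}
        if params.get("proxy_port") != expected:
            missing.append(_text(f, "filter-name"))
    return missing

def cs_cfg_ports(text):
    """Map http.port / https.port from CS.cfg-style key=value lines."""
    return dict(re.findall(r"^(https?\.port)=(\d+)$", text, re.M))
```

Point the three functions at the real files under /var/lib/pki-ca to run the same checks on a live instance.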

