[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

Christof Schulze christof.schulze at ww.uni-erlangen.de
Thu Oct 16 09:08:24 UTC 2014


Hello all,

I have been running a FreeIPA server on CentOS for 2 years now with mostly
Ubuntu 12.04 and some Fedora 20 clients.

Since one week (or more) it has no longer been possible to install new
clients (neither Ubuntu nor Fedora). The host gets created on the
IPA server, but it cannot create/exchange a host certificate.

The only thing that happened (apart from regular updates) was a complete
certificate renewal, with no obvious problems, some weeks ago.

Web interface and certmonger show the same error.

ipa-getcert list on the new hosts:
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: FAILURE (Invalid
Request)).
	stuck: yes


Debug log from the server as attachment.


C. Schulze
-------------- next part --------------

[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet:service() uri = //ca/eeca/ca/profileSubmitSSLClient
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm

*************************

 KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
 /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
 -----END NEW CERTIFICATE REQUEST-----'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='xml' value='true'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet: caProfileSubmitSSLClient start to service.
[16/Oct/2014:10:15:02][TP-Processor3]: xmlOutput true
[16/Oct/2014:10:15:02][TP-Processor3]: Start of ProfileSubmitServlet Input Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm

*************************

 KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
 /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
 -----END NEW CERTIFICATE REQUEST-----'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter xml='true'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: End of ProfileSubmitServlet Input Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: start serving
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: SubId=profile
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: isRenewal false
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: profileId caIPAserviceCert
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authenticator raCertAuth found
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmistServlet: set Inputs into profile Context
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: set sslClientCertProvider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: start
[16/Oct/2014:10:15:02][TP-Processor3]: authenticator instance name is raCertAuth
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got provider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: retrieving client certificate
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got certificates
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: check if ipara is  in group Registration Manager Agents
[16/Oct/2014:10:15:02][TP-Processor3]: UGSubsystem.isMemberOf() using new lookup code
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: authorization search base: cn=Registration Manager Agents,ou=groups,o=ipaca
[16/Oct/2014:10:15:02][TP-Processor3]: authorization search filter: (uniquemember=uid=ipara,ou=people,o=ipaca)
[16/Oct/2014:10:15:02][TP-Processor3]: authorization result: true
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: authenticated uid=ipara,ou=people,o=ipaca
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet authToken not null
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authz using acl: 
[16/Oct/2014:10:15:02][TP-Processor3]: Start parsePKCS10(): -----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm

*************************

 KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
 /Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
 -----END NEW CERTIFICATE REQUEST-----
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10: signature verification enabled
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10 org.mozilla.jss.NoSuchTokenException
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10 restoring thread token
Invalid Request
	at com.netscape.cms.profile.common.EnrollProfile.parsePKCS10(EnrollProfile.java:953)
	at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:102)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:1001)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.netscape.cms.servlet.filter.EEClientAuthRequestFilter.doFilter(EEClientAuthRequestFilter.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
	at java.lang.Thread.run(Thread.java:701)
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: createRequests Invalid Request
[16/Oct/2014:10:15:03][TP-Processor3]: CMSServlet: curDate=Thu Oct 16 10:15:03 CEST 2014 id=caProfileSubmitSSLClient time=124
[16/Oct/2014:10:16:43][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[16/Oct/2014:10:16:43][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[16/Oct/2014:10:16:43][Timer-0]: SecurityDomainSessionTable: getSessionIds():  no sessions have been created
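As an added illustration (not part of the original post or of FreeIPA/Dogtag), a small Python triage helper that reads lines in the format of the attached pki-ca debug log and correlates, per worker thread, the requested profile, the authenticated agent, the authorization result and any exception raised before the "Invalid Request" failure. The sample lines are copied from the log above; the classification strings are the script's own.

```python
import re
from typing import Dict

# Constructed excerpt: a few lines copied from the CA debug log in the post.
SAMPLE_LOG = """\
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: authorization result: true
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: authenticated uid=ipara,ou=people,o=ipaca
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10: signature verification enabled
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10 org.mozilla.jss.NoSuchTokenException
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10 restoring thread token
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: createRequests Invalid Request
"""

# Dogtag debug lines look like "[timestamp][thread]: message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")


def triage(log_text: str) -> Dict[str, dict]:
    """Group lines per worker thread and summarise each enrollment attempt."""
    per_thread: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace and CSR body lines carry no prefix
        t = per_thread.setdefault(m["thread"], {
            "profile": None, "agent": None, "authorized": None,
            "exceptions": [], "failed": False})
        msg = m["msg"]
        if "name='profileId'" in msg:
            t["profile"] = re.search(r"value='([^']*)'", msg).group(1)
        elif msg.startswith("AgentCertAuthentication: authenticated "):
            t["agent"] = msg.split("authenticated ", 1)[1]
        elif msg.startswith("authorization result: "):
            t["authorized"] = msg.endswith("true")
        elif "Exception" in msg:
            t["exceptions"].append(msg.rsplit(" ", 1)[1])  # exception class name
        elif msg.endswith("createRequests Invalid Request"):
            t["failed"] = True
    return per_thread


def diagnose(summary: dict) -> str:
    """Auth and authz passed but CSR parsing threw: the fault is on the CA side."""
    if summary["failed"] and summary["authorized"] and summary["exceptions"]:
        return "ca-side: " + ", ".join(summary["exceptions"])
    if summary["failed"]:
        return "request-side"
    return "ok"
```

Run against a full debug log, the per-thread summary separates a CA that rejects the PKCS#10 itself from one that fails internally (as here, in its own token lookup) after the agent was already authenticated and authorized.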

