[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate

Christof.Schulze at ww.uni-erlangen.de Christof.Schulze at ww.uni-erlangen.de
Thu Oct 16 15:48:56 UTC 2014


The FreeIPA 3.0.0 server is running on CentOS 6.5.

The CA subsystem certificates have all been renewed and will not expire
until 2016. In the

I think the problems come from "modifications" a colleague made to
/etc/httpd/ipa-pki-proxy.conf, /etc/httpd/nss.conf and
/var/lib/pki-ca/conf/server.xml (without documentation, but they have
different timestamps) when he wanted to enforce/enable higher-level
encryption.

I was able to reproduce some of the changes he made, like StrictCypher and
sslOptions, but I am not sure about the configuration of the ports of the
connectors in /var/lib/pki-ca/conf/server.xml:

  <Connector name="Agent" port="9443...

  <!-- Port Separation:  Admin Secure Port Connector -->
  <Connector name="Admin" port="9445" ...


  <!-- Port Separation:  EE Secure Port Connector -->
  <Connector name="EE" port="9444" ...

  <!-- Port Separation:  EE Secure Client Auth Port Connector -->
  <Connector  name="EEClientAuth" port="9446" ...


  <!-- Define an AJP 1.3 Connector on port 9447 -->
  <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />


and the /etc/httpd/conf.d/ipa-pki-proxy.conf:

# VERSION 2 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
#    ProxyPassMatch ajp://localhost:9443
#    ProxyPassReverse ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
#    ProxyPassMatch ajp://localhost:9443
#    ProxyPassReverse ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
#    ProxyPassMatch ajp://localhost:9443
#    ProxyPassReverse ajp://localhost:9443
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]


Is there an example configuration somewhere? When I deployed the system it
was a rather default installation.



> Christof Schulze wrote:
>> Hello all,
>>
>> I am running a FreeIPA server on CentOS for 2 years now with mostly
>> Ubuntu 12.04 and some Fedora 20 clients.
>>
>> Since one week (or more) it is not possible any more to install new
>> clients (neither Ubuntu nor Fedora). The host gets created on the
>> IPA server but it cannot create/exchange a host certificate.
>>
>> The only thing that happened (except regular updates) was a complete
>> certificate renewal with no obvious problems some weeks ago.
>>
>> Web-interface and certmonger show the same error.
>>
>> ipa-getcert list on the new Hosts:
>> 	status: CA_UNREACHABLE
>> 	ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.  Certificate operation cannot be completed: FAILURE (Invalid
>> Request)).
>> 	stuck: yes
>
> Given the timeline I'd guess that your CA subsystem certificates have
> expired.
>
> On the IPA master run: getcert list (not ipa-getcert)
>
> This will show the current status of things.
>
> What version of IPA is this?
>
> rob
>
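As an added illustration, not code from this thread or from FreeIPA/Dogtag: the proxy config above forwards with ajp://, so every active ProxyPassMatch/ProxyPassReverse target must name a Connector in server.xml whose protocol is AJP/1.3; the commented-out 9443 lines would have pointed at a TLS connector instead. The script below parses both files and flags any ajp:// target whose port is not an AJP connector. Both inputs are constructed from the fragments in the mail (the protocol="HTTP/1.1" attributes on the secure connectors and the deliberately wrong second LocationMatch block are assumptions), and the real file paths are only used as defaults.

```python
"""Consistency check: ajp:// proxy targets in ipa-pki-proxy.conf versus
the AJP connectors declared in Dogtag's server.xml.  Sample inputs are
constructed for this example and are not the real files from the thread."""
import re
import sys
import xml.etree.ElementTree as ET

SERVER_XML_PATH = "/var/lib/pki-ca/conf/server.xml"          # path named in the mail
PROXY_CONF_PATH = "/etc/httpd/conf.d/ipa-pki-proxy.conf"     # path named in the mail

# Constructed server.xml excerpt modelled on the connectors quoted above
# (the HTTP/1.1 + SSLEnabled attributes are assumptions).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector name="Admin" port="9445" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector name="EE" port="9444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector name="EEClientAuth" port="9446" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444"/>
  </Service>
</Server>
"""

# Constructed proxy config: the first block is correct, the second block
# (an assumption for the example) still proxies to the 9443 TLS port.
PROXY_CONF = """ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ocsp">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
<LocationMatch "^/ca/agent/ca/doRevoke">
    NSSVerifyClient require
#    ProxyPassMatch ajp://localhost:9447
    ProxyPassMatch ajp://localhost:9443
    ProxyPassReverse ajp://localhost:9443
</LocationMatch>
"""

PROXY_RE = re.compile(r"(ProxyPassMatch|ProxyPassReverse)\s+(\w+)://[^:/\s]+:(\d+)")


def ajp_ports(server_xml):
    """Ports of every <Connector> whose protocol attribute starts with AJP."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")) for c in root.iter("Connector")
            if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")}


def proxy_targets(proxy_conf):
    """(directive, scheme, port) for each active ProxyPass* line; '#' comments are skipped."""
    targets = []
    for line in proxy_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = PROXY_RE.match(stripped)
        if m:
            targets.append((m.group(1), m.group(2), int(m.group(3))))
    return targets


def check_proxy(server_xml, proxy_conf):
    """Findings for every ajp:// target that does not hit an AJP/1.3 connector.
    An empty list means the proxy and connector configuration agree."""
    ajp = ajp_ports(server_xml)
    findings = []
    for directive, scheme, port in proxy_targets(proxy_conf):
        if scheme == "ajp" and port not in ajp:
            findings.append(f"{directive} -> port {port} is not an AJP/1.3 connector "
                            f"(AJP connector ports: {sorted(ajp)})")
    return findings


if __name__ == "__main__":
    # With two file arguments the real files are checked; otherwise the constructed samples.
    if len(sys.argv) == 3:
        server_xml = open(sys.argv[1]).read()
        proxy_conf = open(sys.argv[2]).read()
    else:
        server_xml, proxy_conf = SERVER_XML, PROXY_CONF
    for finding in check_proxy(server_xml, proxy_conf) or ["proxy targets consistent with server.xml"]:
        print(finding)
```

Run it as `python3 check_proxy.py /var/lib/pki-ca/conf/server.xml /etc/httpd/conf.d/ipa-pki-proxy.conf` on the master to check the real files; with no arguments it reports the two bad 9443 targets in the constructed sample. It is a static sanity check only; it does not replace `getcert list` for the certificate-expiry question Rob raised.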
