[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
Christof.Schulze at ww.uni-erlangen.de
Thu Oct 16 15:48:56 UTC 2014
The FreeIPA 3.0.0 server is running on CentOS 6.5.
The CA subsystem certificates have all been renewed and will not expire
until 2016. In the
I think the problems come from "modifications" a colleague made to
/etc/httpd/ipa-pki-proxy.conf , /etc/httpd/nss.conf and
/var/lib/pki-ca/conf/server.xml (without documentation, but they have
different timestamps) when he wanted to enforce/enable higher level
encryption.
I was able to reproduce some of his changes like StrictCypher and
sslOptions, but I am not sure about the configuration of the ports
of the connectors in /var/lib/pki-ca/conf/server.xml
<Connector name="Agent" port="9443...
<!-- Port Separation: Admin Secure Port Connector -->
<Connector name="Admin" port="9445" ...
<!-- Port Separation: EE Secure Port Connector -->
<Connector name="EE" port="9444" ...
<!-- Port Separation: EE Secure Client Auth Port Connector -->
<Connector name="EEClientAuth" port="9446" ...
<!-- Define an AJP 1.3 Connector on port 9447 -->
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
and the /etc/httpd/conf.d/ipa-pki-proxy.conf
# VERSION 2 - DO NOT REMOVE THIS LINE
ProxyRequests Off
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
# ProxyPassMatch ajp://localhost:9443
# ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
# ProxyPassMatch ajp://localhost:9443
# ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
# ProxyPassMatch ajp://localhost:9443
# ProxyPassReverse ajp://localhost:9443
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
Is there an example configuration somewhere? When I deployed the system it
was a rather default installation.
> Christof Schulze wrote:
>> Hello all,
>>
>> I am running a FreeIPA server on CentOS for 2 years now with mostly
>> Ubuntu 12.04 and some Fedora 20 clients.
>>
>> Since one week (or more) it is not possible any more to install new
>> clients (neither Ubuntu nor Fedora). The Host gets created on the
>> IPA-server but it can not create/exchange a Host-Certificate.
>>
>> The only thing that happened (except regular updates) was a complete
>> certificate renewal with no obvious problems some weeks ago.
>>
>> Web-interface and certmonger show the same error.
>>
>> ipa-getcert list on the new Hosts:
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: FAILURE (Invalid
>> Request)).
>> stuck: yes
>
> Given the timeline I'd guess that your CA subsystem certificates have
> expired.
>
> On the IPA master run: getcert list (not ipa-getcert)
>
> This will show the current status of things.
>
> What version of IPA is this?
>
> rob
>
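Since the open question in the post is whether the connector ports in /var/lib/pki-ca/conf/server.xml and the ajp:// targets in /etc/httpd/conf.d/ipa-pki-proxy.conf still line up after the undocumented edits, here is an added shell check that is not FreeIPA or Dogtag code and not from this thread. It reads the port of the AJP/1.3 connector out of server.xml and reports every active ProxyPassMatch / ProxyPassReverse line whose ajp:// port differs from it; commented-out lines (like the old 9443 ones in the post) are ignored. The function names, the --demo flag and the sample files are my own; the samples are constructed from the fragments quoted above, so point the functions at the real paths on the master to check it for real. It does not say which port is the right one, only whether the two files agree.

```shell
#!/bin/sh
# Added consistency check (not FreeIPA or Dogtag code): confirm that the
# Tomcat AJP/1.3 connector port in pki-ca's server.xml is the port that every
# active ProxyPassMatch / ProxyPassReverse line in ipa-pki-proxy.conf targets.
# File paths are passed in, so it works on the real files or on the
# constructed samples below. All names here are hypothetical.

# Print the port= of the <Connector> whose protocol is AJP/1.3 (first match).
# The leading [[:space:]] keeps redirectPort="..." from being picked up.
ajp_port_from_server_xml() {
    grep '<Connector' "$1" \
      | grep 'protocol="AJP/1.3"' \
      | sed -n 's/.*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p' \
      | head -n 1
}

# Print the distinct ajp://host:PORT ports from active (uncommented)
# ProxyPassMatch / ProxyPassReverse directives, one per line.
ajp_ports_from_proxy_conf() {
    grep -E '^[[:space:]]*ProxyPass(Match|Reverse)[[:space:]]' "$1" \
      | sed -n 's/.*ajp:\/\/[^:/]*:\([0-9][0-9]*\).*/\1/p' \
      | sort -u
}

# Return 0 if every proxied AJP port equals the connector port, 1 on a
# mismatch, 2 if either file yields no port at all.
check_ajp_ports() {
    ajp=$(ajp_port_from_server_xml "$1")
    if [ -z "$ajp" ]; then
        echo "no AJP/1.3 connector found in $1" >&2
        return 2
    fi
    ports=$(ajp_ports_from_proxy_conf "$2")
    if [ -z "$ports" ]; then
        echo "no active ajp:// ProxyPass targets found in $2" >&2
        return 2
    fi
    rc=0
    for p in $ports; do
        if [ "$p" = "$ajp" ]; then
            echo "ok: $2 -> ajp://localhost:$p matches the AJP connector in $1"
        else
            echo "MISMATCH: $2 -> ajp://localhost:$p, but the AJP connector in $1 listens on $ajp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files in a temp dir (path is echoed), modelled on the
# fragments in the post: the AJP connector on 9447, the active proxy lines on
# 9447, and the old 9443 lines left commented out. A second proxy file has one
# stanza still pointing at the old port, to show a mismatch.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/server.xml" <<'EOF'
<Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" />
<Connector name="EE" port="9444" protocol="HTTP/1.1" SSLEnabled="true" />
<!-- Define an AJP 1.3 Connector on port 9447 -->
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
EOF
    cat > "$d/ipa-pki-proxy.conf" <<'EOF'
ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ocsp">
  NSSVerifyClient none
  # ProxyPassMatch ajp://localhost:9443
  # ProxyPassReverse ajp://localhost:9443
  ProxyPassMatch ajp://localhost:9447
  ProxyPassReverse ajp://localhost:9447
</LocationMatch>
EOF
    sed 's/^  ProxyPassReverse ajp:\/\/localhost:9447/  ProxyPassReverse ajp:\/\/localhost:9443/' \
        "$d/ipa-pki-proxy.conf" > "$d/ipa-pki-proxy-stale.conf"
    echo "$d"
}

# Stand-alone demo: ./check-ajp.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    check_ajp_ports "$d/server.xml" "$d/ipa-pki-proxy.conf"        # all ok
    check_ajp_ports "$d/server.xml" "$d/ipa-pki-proxy-stale.conf"  # one MISMATCH
    rm -rf "$d"
fi
```

On the master this is run as `check_ajp_ports /var/lib/pki-ca/conf/server.xml /etc/httpd/conf.d/ipa-pki-proxy.conf` after sourcing the script; it complements, rather than replaces, the `getcert list` check Rob asks for, since a proxy that points at the wrong AJP port and an expired CA subsystem certificate can both surface as the same "Invalid Request" on the client.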