[Freeipa-users] ipa-client-install (Invalid Request) - no Host-Certificate
Rob Crittenden
rcritten at redhat.com
Fri Oct 17 14:38:54 UTC 2014
Christof.Schulze at ww.uni-erlangen.de wrote:
> The FreeIPA is 3.0.0 server is running on CentOS 6.5.
>
> The CA subsystem certificates have all been renewed and will expire not
> until 2016. In the
>
> I think the problems come from "modifications" a colleague did to
> /etc/httpd/ipa-pki-proxy.conf , /etc/httpd/nss.conf and
> /var/lib/pki-ca/conf/server.xml (without dokumentation, but they have
> different timestamps) when he wanted to enforce/enable higher level
> encrytion.
>
> I was able to reproduce some of his changes like StrictCypher and
> sslOptions he did, but I am not sure with the configuraion of the ports
> of the connectors in /var/lib/pki-ca/conf/server.xml
>
> <Connector name="Agent" port="9443...
>
> <!-- Port Separation: Admin Secure Port Connector -->
> <Connector name="Admin" port="9445" ...
>
>
> <!-- Port Separation: EE Secure Port Connector -->
> <Connector name="EE" port="9444" ...
>
> <!-- Port Separation: EE Secure Client Auth Port Connector -->
> <Connector name="EEClientAuth" port="9446" ...
>
>
> <!-- Define an AJP 1.3 Connector on port 9447 -->
> <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>
>
>
> and the /etc/httpd/conf.d/ipa-pki-proxy.conf
>
>
>
>
> # VERSION 2 - DO NOT REMOVE THIS LINE
>
> ProxyRequests Off
>
> # matches for ee port
> <LocationMatch
> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient none
> # ProxyPassMatch ajp://localhost:9443
> # ProxyPassReverse ajp://localhost:9443
> ProxyPassMatch ajp://localhost:9447
> ProxyPassReverse ajp://localhost:9447
> </LocationMatch>
>
> # matches for admin port and installer
> <LocationMatch
> "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient none
> # ProxyPassMatch ajp://localhost:9443
> # ProxyPassReverse ajp://localhost:9443
> ProxyPassMatch ajp://localhost:9447
> ProxyPassReverse ajp://localhost:9447
> </LocationMatch>
>
> # matches for agent port and eeca port
> <LocationMatch
> "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient require
> # ProxyPassMatch ajp://localhost:9443
> # ProxyPassReverse ajp://localhost:9443
> ProxyPassMatch ajp://localhost:9447
> ProxyPassReverse ajp://localhost:9447
> </LocationMatch>
>
> # Only enable this on servers that are not generating a CRL
> #RewriteRule ^/ipa/crl/MasterCRL.bin
> https://ww8-idm.ww.uni-erlangen.de/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> [L,R=301,NC]
>
>
> Is there somewhere a example configuration? When I deployed the system it
> was a rather default installation.
I've attached the config files from one of my working 3.0.0 masters.
rob
>
>
>
>> Christof Schulze wrote:
>>> Hello all,
>>>
>>> i am running a FreeIPA server on CentOS for 2 years now with mostly
>>> Ubuntu 12.04 and some Fedora 20 clients.
>>>
>>> Since one week (or more) it is not possible any more to install new
>>> clients (whether ubuntu nor fedora). The Host gets created on the
>>> IPA-server but it can not create/exchange a Host-Certificate.
>>>
>>> The only thing happened (except regular updates) was a complete
>>> certificate renewal with no obvious problems some weeks ago.
>>>
>>> Web-interface and certmonger show the same error.
>>>
>>> ipa-getcert list on the new Hosts:
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: FAILURE (Invalid
>>> Request)).
>>> stuck: yes
>>
>> Given the timeline I'd guess that your CA subsystem certificates have
>> expired.
>>
>> On the IPA master run: getcert list (not ipa-getcert)
>>
>> This will show the current status of things.
>>
>> What version of IPA is this?
>>
>> rob
>>
>
>
-------------- next part --------------
# VERSION 2 - DO NOT REMOVE THIS LINE
ProxyRequests Off
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
ProxyPassMatch ajp://localhost:9447
ProxyPassReverse ajp://localhost:9447
</LocationMatch>
# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
-------------- next part --------------
#
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin. It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule nss_module modules/libmodnss.so
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
NSSPassPhraseHelper /usr/sbin/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.
NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation on
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation on
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName www.example.com:443
#ServerAdmin you at example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
# LogLevel is not inherited from httpd.conf.
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
#
# Comment out the NSSCipherSuite line above and use the one below if you have
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol SSLv3,TLSv1.0,TLSv1.1
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#<Location />
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars +ExportCertData
</Files>
<Directory "/var/www/cgi-bin">
NSSOptions +StdEnvVars +ExportCertData
</Directory>
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Include conf.d/ipa-rewrite.conf
</VirtualHost>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.xml
Type: text/xml
Size: 16860 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141017/5ab11a2f/attachment.xml>
More information about the Freeipa-users
mailing list