[Freeipa-users] apache to dogtag (error 4301)

Arnold, Paul C CTR USARMY PEO STRI (US) paul.c.arnold4.ctr at mail.mil
Thu Aug 27 18:32:41 UTC 2015


I changed NSSVerifyClient to optional (was undefined) and I can process new certs for the time being. 

--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Arnold, Paul C CTR USARMY PEO STRI (US) [paul.c.arnold4.ctr at mail.mil]
Sent: Wednesday, August 26, 2015 07:26 AM
To: Fraser Tweedale
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

Sure. Dogtag is not running in FIPS mode -- it's all dist configs minus disabling SSLv3.

IPA UI and pki-proxy have dist configs, but mod_nss and the default 443 vhost do not. The confs for httpd.conf and nss.conf are listed after the s_client output.

Running s_client on port 9447 just hangs, but I am honestly not sure how an AJP connector redirect should behave in a direct connection like that.

Here's s_client output for 443 and 9444:


##
## apache https ssl init
##
[root at server ~]# openssl s_client -state -verify 10 -msg -connect localhost:443
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.2 Handshake [length 0057], ServerHello
    02 00 00 53 <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.2 Handshake [length 0735], Certificate
    0b 00 07 31 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 68 9e 48 fc
SSL_connect:SSLv3 read server key exchange A
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
    10 00 00 42 <snip> 59 56 88 4a
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 20 07 08 db
SSL_connect:SSLv3 write finished A
---
    70 30 0d 06 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 <snip> 8d 64 cf b1
SSL_connect:SSLv3 flush data
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c <snip> 23 1c 06 4b
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCC<snip>gbqsFldU
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2349 bytes and written 399 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 1E191B2FEAC07386328DC9725D9B8589FBCAD4B080CF18A3476C296A76837235
    Session-ID-ctx:
    Master-Key: 3BF979C72DC402F635E405ADC79A36BEAE2ACC7E4560A4E7CF45B60002DECC65DC46182C81BE4A16381F456573F5E7D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440585959
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##



##
## tomcat post-proxy ssl init
##
[root at server ~]# openssl s_client -state -verify 10 -msg -connect localhost:9444
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 <snip> 0f 00 01 01
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 0051], ServerHello
    02 00 00 4d <snip> 01 00 01 00
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 070c], Certificate
    0b 00 07 08 <snip> 40 15 d7 9c
depth=1 O = INTERNALFQDN.LAB, CN = Certificate Authority
verify return:1
depth=0 O = INTERNALFQDN.LAB, CN = server.internalfqdn.lab
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
    10 00 01 02 <snip> c0 36 01 46
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> bd da 9f be
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c <snip> e0 1a ed 80
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
 1 s:/O=INTERNALFQDN.LAB/CN=Certificate Authority
   i:/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDbDCC<snip>vJ5zjQ==
-----END CERTIFICATE-----
subject=/O=INTERNALFQDN.LAB/CN=server.internalfqdn.lab
issuer=/O=INTERNALFQDN.LAB/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1941 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 1F5249D065AE60C8527ED34EDF40BA8B2DF929A1A84FDA3EC3DA5F23A5DE9BBD
    Session-ID-ctx:
    Master-Key: 1ABB212506B7D5D156E782265D1ADC35D22102CCD0DFB6AFD4AF3B1B65473EFF535A9D4F7BE0F6AC88F5439ADDAE5F94
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1440586026
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
##


##
## mod_nss conf for reference
##
[root at apollo ~]# grep -Pv '#\s' /etc/httpd/conf.d/nss.conf

LoadModule nss_module modules/libmodnss.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
NSSPassPhraseHelper /usr/sbin/nss_pcache

NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400

NSSRandomSeed startup builtin

NSSRenegotiation off
#NSSRenegotiation on

NSSRequireSafeNegotiation off
#NSSRequireSafeNegotiation on

<VirtualHost _default_:443>

    ErrorLog /etc/httpd/logs/error_log
    TransferLog /etc/httpd/logs/access_log
    LogLevel debug

    NSSEngine on

    #NSSFIPS on

    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

    #NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha
    NSSCipherSuite +ecdhe_rsa_aes_256_sha,+rsa_aes_256_sha

    NSSNickname Server-Cert

    NSSCertificateDatabase /etc/httpd/alias

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>

    Include conf.d/ipa-rewrite.conf

</VirtualHost>
##

##
## httpd.conf for reference
##
Listen 80
ServerTokens Prod
ServerSignature Off

ServerRoot "/etc/httpd"
PidFile run/httpd.pid

Timeout 60

KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<IfModule prefork.c>
    StartServers         8
    MinSpareServers      5
    MaxSpareServers      10
    ServerLimit          256
    MaxClients           256
    MaxRequestsPerChild  4000
</IfModule>

<IfModule worker.c>
    StartServers         5
    MaxClients           256
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild  0
</IfModule>

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Include conf.d/*.conf

User apache
Group apache

ServerAdmin root at server.internalfqdn.lab
UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options None
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    <LimitExcept GET POST OPTIONS>
         Deny from all
    </LimitExcept>
    Options -Indexes -MultiViews SymLinksifOwnerMatch IncludesNoExec
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

TypesConfig /etc/mime.types
DefaultType text/plain

EnableMMAP off
EnableSendfile off

LogLevel debug

ErrorLog logs/error_log

LogFormat "%h %a %u %l %t %A %H %m %U \"%r\" %s %>s \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

CustomLog logs/access_log combined

TraceEnable Off

LimitRequestBody 2147483647
LimitRequestFields 200
LimitRequestFieldSize 8190
LimitRequestLine 8190

DefaultLanguage en
AddLanguage en .en
LanguagePriority en
ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

AddHandler type-map var

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        <LimitExcept GET POST OPTIONS>
           Deny from all
        </LimitExcept>
        AllowOverride None
        Options -Indexes IncludesNoExec -MultiViews
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
</IfModule>

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

BrowserMatch "^gnome-vfs/1.0" redirect-carefully
##


--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: Fraser Tweedale [ftweedal at redhat.com]
Sent: Monday, August 24, 2015 10:20 AM
To: Arnold, Paul C CTR USARMY PEO STRI (US)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] apache to dogtag (error 4301)

On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying
> to figure this one out. I'm hoping I am missing something simple, as my next
> course of action is to completely re-install IPA.
>
>
> This is the primary error I am receiving:
>
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
>
Dogtag raises this exception when it expected but did not receive a
client certificate.  The `ipaCert' certificate from /etc/httpd/alias
is the certificate used by FreeIPA to talk to Dogtag.

If `ipaCert' is not expired, there must be some other reason the
client is not sending the cert.  Is Dogtag in FIPS mode?  Can you
export the certificate and try and connect to the server using,
e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser
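The handshake check Fraser suggests, written out as an added helper (not code from the thread or from FreeIPA): export `ipaCert` from /etc/httpd/alias, replay the connection with it, and classify the `-msg` transcript by whether the server ever sent a CertificateRequest, which is the message missing from both of the quoted transcripts. The output file names, function names and the sample transcripts are my own assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. The NSS DB path
# /etc/httpd/alias and the nickname ipaCert are from Fraser's reply; the
# file names and function names are my own assumptions.

# Export ipaCert (cert + private key) to PEM. pk12util prompts for the
# NSS DB password and a PKCS#12 password; openssl prompts for the latter.
export_ipacert() {
    out=${1:-ipacert.pem}
    pk12util -o ipacert.p12 -n ipaCert -d /etc/httpd/alias || return 1
    openssl pkcs12 -in ipacert.p12 -nodes -out "$out" || return 1
    rm -f ipacert.p12
}

# Replay the handshake offering ipaCert, capturing the -msg/-state transcript.
probe_with_ipacert() {
    openssl s_client -connect "$1:$2" -cert "${3:-ipacert.pem}" \
        -key "${3:-ipacert.pem}" -state -msg -verify 10 </dev/null 2>&1
}

# Classify an s_client -msg transcript read on stdin. The decisive line is a
# CertificateRequest handshake message: without it the server never asked
# for a client certificate, so the client has no occasion to present ipaCert.
diagnose_handshake() {
    t=$(cat)
    case $t in
        *"Verify return code: 0 (ok)"*) ;;
        *) echo failed; return 0 ;;
    esac
    case $t in
        *", CertificateRequest"*) echo requested ;;
        *) echo not-requested ;;
    esac
}

# Constructed transcript fragments (not captured from a real host) showing
# the two server behaviours; the first mirrors the shape of the quoted output.
SAMPLE_NOT_REQUESTED='<<< TLS 1.2 Handshake [length 0735], Certificate
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
No client certificate CA names sent
    Verify return code: 0 (ok)'
SAMPLE_REQUESTED='<<< TLS 1.2 Handshake [length 0735], Certificate
<<< TLS 1.2 Handshake [length 0040], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_NOT_REQUESTED" | diagnose_handshake   # not-requested
printf '%s\n' "$SAMPLE_REQUESTED" | diagnose_handshake       # requested
```

Run `probe_with_ipacert localhost 443 | diagnose_handshake` on the server after exporting the cert; a `not-requested` result is what the quoted 443 and 9444 transcripts show, and the 9444 transcript additionally negotiates TLSv1 with RC4-SHA, which is worth tightening independently of the 4301 error.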
