<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
    <blockquote cite="mid:4E823072.1010808@nixtra.com" type="cite">
      On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
      <blockquote cite="mid:4E8229F9.3050400@nixtra.com" type="cite">
        On 09/27/2011 12:34 AM, Dmitri Pal wrote:
        <blockquote cite="mid:4E80FDE9.2010504@redhat.com" type="cite">
          On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
          <blockquote cite="mid:4E7FA1E6.6050409@nixtra.com" type="cite">
            <div style="width: auto; min-height: 54.4px; height: auto;"
              class="ui-dialog-content ui-widget-content"
              id="error_dialog">
              <p>Hi,<br>
              </p>
              <p>I have a host that refuses to be modified or deleted. I
                get the same error from the webui and the cli. I am
                using F15, FreeIPA 2.1.1 + all updates from the updates
                repository. I cannot find any error in any log. I have
                tried to reboot my ipa servers. All services seem to be
                running and have no issues.<br>
              </p>
              The error message I receive is:<br>
              <ul style="" class="error-container">
                <li>Certificate operation cannot be completed: Unable to
                  communicate with CMS (Not Found)</li>
              </ul>
              <br>
              I have looked in the Dogtag Certificate Manager, and I can
              see the certificate. It's still valid, and holds the same
              serial number as what is displayed using ipa host-show
              &lt;hostname&gt;. <br>
              <br>
              Any suggestions?<br>
              <br>
              <br>
            </div>
          </blockquote>
          <br>
          Can you please send the sanitized apache logs?<br>
          <br>
        </blockquote>
        <br>
        <br>
        These are the apache log lines that correspond to # ipa
        host-disable &lt;hostname&gt;, and # ipa cert-show &lt;serialno&gt;.
        I have no config files in my /etc/httpd/conf.d/ directory that
        contain any reference to the /ca directory. Also
        /var/www/html/ca does not exist.<br>
        <br>
        I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
        file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file
        does not exist on any of my 3 IPA servers.<br>
        <br>
        Should that file contain an alias and proxy rules for /ca/ ?<br>
        <br>
        <br>
        error_log:<br>
        <pre wrap="">[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError</pre>
        <br>
        access_log:<br>
        <pre wrap="">192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360</pre>
        <br>
        <br>
        <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
</pre>
      </blockquote>
      <br>
      I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
      copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The
      port numbers seemed incorrect. They were pointing at
      ajp://localhost:9447/, which is a port that's not responding to
      anything. "netstat -nat" agrees...nothing there.<br>
      <br>
      "/etc/init.d/pki-cad status" seems to indicate that the correct
      port is 9443? I changed the port number to 9443 in the
      ipa-pki-proxy.conf file, and restarted httpd. And attempted to
      disable the host:<br>
      <br>
      # ipa host-disable bck01.ix.test.com<br>
      ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO)
      An I/O error occurred during security authorization.<br>
      <br>
      Using Firefox to access <a moz-do-not-send="true"
        class="moz-txt-link-freetext"
        href="https://ipasrv01.ix.test.com:9443/ca/agent/ca">https://ipasrv01.ix.test.com:9443/ca/agent/ca</a>
      yields:<br>
      <br>
      Secure Connection Failed<br>
      An error occurred during a connection to
      ipasrv01.ix.test.com:9443.<br>
      SSL peer cannot verify your certificate.<br>
      (Error code: ssl_error_bad_cert_alert)<br>
      <br>
      <br>
      Am I heading in the incorrect direction here? Or does the pki-cad
      service have some cert issues?<br>
    </blockquote>
    <br>
    9447 was likely the right value.<br>
    <br>
    I think the problem is with the Proxy configuration. We are working
    on a script to upgrade a non-proxied PKI (Dogtag) to a proxied
    version, but the ports set in the config file need to match the
    ports that the pki-ca web app is using.<br>
    <br>
    I'm assuming from what you said above that you can talk to Dogtag
    directly on port 9443, but that the proxy is not set correctly for
    the HTTPD to AJP communication.<br>
    <br>
    Have your server.xml and web.xml files in the PKI configuration
    been modified to listen to AJP? It should be something like:<br>
    <br>
    <pre wrap="">&lt;Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" /&gt;</pre>
    <br>
    In the server.xml file. The AJP port has to match what the
    /etc/httpd/conf.d/proxy.conf file says. 9443 is, I think, the
    HTTPS port in your case, not the AJP port. AJP should be 9447.<br>
    <br>
    <br>
    <br>
    <blockquote cite="mid:4E823072.1010808@nixtra.com" type="cite"> <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    We (Ade Lee) are working on a script to upgrade an existing Dogtag
    instance to use <br>
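    <br>
    The two failure modes in this thread (no proxy rule for /ca/, so Apache 404s on /var/www/html/ca; and the AJP proxy pointed at the HTTPS port 9443 instead of the AJP port 9447) can be caught with a small consistency check before restarting httpd. This is an added example, not FreeIPA or Dogtag code; both configuration texts in it are constructed samples modelled on the ports discussed above, and the real ipa-pki-proxy.conf contains more directives than shown.<br>

```python
# Added example, not FreeIPA or Dogtag project code: sanity-check that the
# ProxyPass targets in Apache's proxy conf cover the /ca/ paths and point at
# the AJP port declared in Dogtag's Tomcat server.xml.
# Both configuration texts below are constructed samples, not real files.
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: HTTPS connector on 9443, AJP connector on 9447.
SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9443"/>
  </Service>
</Server>"""

# Constructed proxy conf with the mistake from the thread: AJP sent to 9443.
BAD_PROXY_CONF = """ProxyRequests Off
ProxyPass /ca/agent/ca ajp://localhost:9443/ca/agent/ca
ProxyPass /ca/ee/ca ajp://localhost:9443/ca/ee/ca
"""
GOOD_PROXY_CONF = BAD_PROXY_CONF.replace(":9443/", ":9447/")

def ajp_ports_from_server_xml(xml_text):
    """Ports of every <Connector> whose protocol is AJP (e.g. AJP/1.3)."""
    root = ET.fromstring(xml_text)
    return {int(c.get("port")) for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")}

_PROXY_RE = re.compile(r"^\s*ProxyPass(?:Match)?\s+(\S+)\s+ajp://[^\s:/]+:(\d+)", re.M)

def ajp_proxy_rules(conf_text):
    """(url-prefix, port) for each ProxyPass/ProxyPassMatch rule using ajp://."""
    return [(m.group(1), int(m.group(2))) for m in _PROXY_RE.finditer(conf_text)]

def check_proxy(xml_text, conf_text, required_prefix="/ca/"):
    """Return a list of findings; an empty list means the proxy looks consistent."""
    findings = []
    rules = ajp_proxy_rules(conf_text)
    if not any(prefix.startswith(required_prefix) for prefix, _ in rules):
        # No rule for /ca/ means Apache serves it from DocumentRoot and 404s.
        findings.append("no ProxyPass rule covers %s" % required_prefix)
    ajp_ports = ajp_ports_from_server_xml(xml_text)
    for prefix, port in rules:
        if port not in ajp_ports:
            findings.append("%s proxies to port %d, but server.xml AJP ports are %s"
                            % (prefix, port, sorted(ajp_ports)))
    return findings

if __name__ == "__main__":
    for name, conf in (("bad", BAD_PROXY_CONF), ("good", GOOD_PROXY_CONF)):
        print(name, check_proxy(SERVER_XML, conf) or "OK")
```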
  </body>
</html>