[Freeipa-users] Certificate error when modifying/deleting a host

Sigbjorn Lie sigbjorn at nixtra.com
Tue Sep 27 20:22:10 UTC 2011


On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>>
>>> Hi,
>>>
>>> I have a host that refuses to be modified or deleted. I get the same 
>>> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + 
>>> all updates from the updates repository. I cannot find any error in 
>>> any log. I have tried to reboot my ipa servers. All services seem to 
>>> be running and have no issues.
>>>
>>> The error message I receive is:
>>>
>>>     * Certificate operation cannot be completed: Unable to
>>>       communicate with CMS (Not Found)
>>>
>>>
>>> I have looked in the Dogtag Certificate Manager, and I can see the 
>>> certificate. It's still valid, and holds the same serial number as 
>>> what is displayed using ipa host-show <hostname>.
>>>
>>> Any suggestions?
>>>
>>>
>>
>> Can you please send the sanitized apache logs?
>>
>
>
> These are the apache log lines that correspond to # ipa host-disable 
> <hostname, and # ipa cert-show <serialno>. I have no config files in 
> my /etc/httpd/conf.d/ directory that contains any reference to the /ca 
> directory. Also /var/www/html/ca does not exist.
>
> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file 
> /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist 
> on any of my 3 IPA servers.
>
> Should that file contain an alias and proxy rules for /ca/ ?
>
>
> error_log:
> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
> ping(): SUCCESS
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 
> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does 
> not exist: /var/www/html/ca
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
> host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
> ping(): SUCCESS
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 
> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does 
> not exist: /var/www/html/ca
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin at IX.TEST.COM: 
> cert_show(u'268369923'): CertificateOperationError
>
> access_log:
> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST 
> /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST 
> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST 
> /ipa/xml HTTP/1.1" 200 360
> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST 
> /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST 
> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST 
> /ipa/xml HTTP/1.1" 200 360
>
>
>

I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied 
this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers 
seemed incorrect. They were pointing at ajp://localhost:9447/, which is 
a port that's not responding to anything. "netstat -nat" agrees...nothing 
there.

"/etc/init.d/pki-cad status" seems to indicate that the correct port is 
9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file and 
restarted httpd, then attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An 
I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca 
yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)


Am I heading in the incorrect direction here? Or does the pki-cad 
service have some cert issues?
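An added example (not part of this thread and not FreeIPA's or Dogtag's own code) that automates the two checks walked through by hand above: spotting /ca/ requests that Apache answered with a 404 from its own document root instead of proxying them to the CA, and comparing the ajp:// backend port named in ipa-pki-proxy.conf against the ports actually listening. The access_log lines are the ones quoted in the thread (with the list archive's "admin at" restored to an address); the proxy config snippet and the netstat output are constructed stand-ins, not the real files.

```python
"""Diagnose a FreeIPA -> Dogtag CA proxy failure from Apache logs and config.

Added example for this thread, not FreeIPA's own code. All sample data below
is constructed: the access_log lines follow the thread, the ipa-pki-proxy.conf
fragment is a simplified stand-in for the real file, and the netstat output is
invented to show a backend port that is configured but not listening.
"""
import re

# Constructed sample: access_log lines quoted in the thread (Common Log Format).
ACCESS_LOG = """\
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
"""

# Constructed, simplified stand-in for /etc/httpd/conf.d/ipa-pki-proxy.conf
# (assumed shape; the real file carries more LocationMatch blocks and options).
PROXY_CONF = """\
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke">
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
    ProxyPassReverse ajp://localhost:9447
</LocationMatch>
"""

# Constructed "netstat -nat" output: 9443 listens, 9447 does not.
NETSTAT = """\
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:9443              0.0.0.0:*                   LISTEN
tcp        0      0 192.168.210.20:22           0.0.0.0:*                   LISTEN
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
AJP_RE = re.compile(r'ajp://(?P<host>[^:/\s]+):(?P<port>\d+)')
LISTEN_RE = re.compile(r':(?P<port>\d+)\s+\S+\s+LISTEN')


def parse_access_log(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def unproxied_ca_requests(text):
    """Requests under /ca/ that came back 404.

    With the proxy rules loaded, /ca/... is handed to Dogtag over AJP. A 404
    on these paths, paired with "File does not exist: /var/www/html/ca" in
    error_log, means Apache looked for them on its own disk instead, i.e. the
    ProxyPass rules are missing or not matching.
    """
    return [e for e in parse_access_log(text)
            if e["path"].startswith("/ca/") and e["status"] == 404]


def backend_ports(conf_text):
    """All ajp:// backend ports referenced by the proxy config, sorted."""
    return sorted({int(m.group("port")) for m in AJP_RE.finditer(conf_text)})


def listening_ports(netstat_text):
    """TCP ports in LISTEN state according to netstat-style output."""
    return {int(m.group("port")) for m in LISTEN_RE.finditer(netstat_text)}


def unreachable_backends(conf_text, netstat_text):
    """Configured backend ports with nothing listening on them."""
    listening = listening_ports(netstat_text)
    return [p for p in backend_ports(conf_text) if p not in listening]


def diagnose(access_text, conf_text, netstat_text):
    """Summarise both checks in one dict, suitable for a monitoring hook."""
    return {
        "unproxied_ca_requests": len(unproxied_ca_requests(access_text)),
        "backend_ports": backend_ports(conf_text),
        "unreachable_backends": unreachable_backends(conf_text, netstat_text),
    }


if __name__ == "__main__":
    for key, value in diagnose(ACCESS_LOG, PROXY_CONF, NETSTAT).items():
        print(f"{key}: {value}")
```

Run against real files, the same functions take the contents of /var/log/httpd/access_log, /etc/httpd/conf.d/ipa-pki-proxy.conf and the output of "netstat -nat". A non-empty unreachable_backends list points at the wrong-port situation described above; a zero count of unproxied /ca/ 404s after fixing the config confirms the proxy rules are now being applied.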



