[Freeipa-users] Certificate error when modifying/deleting a host

Adam Young ayoung at redhat.com
Thu Sep 29 00:54:12 UTC 2011


On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:
> On 09/28/2011 11:35 PM, Adam Young wrote:
>> On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
>>> On 09/28/2011 03:33 AM, Adam Young wrote:
>>>> After talking with the PKI developer that is fixing this, I found 
>>>> out that one other file needs to be modified:
>>>>
>>>>
>>>> /var/lib/pki-ca/conf/CS.cfg
>>>>
>>>> http.port=8080
>>>> https.port=8443
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>>>
>>>>> Siggi,
>>>>>
>>>>> This is my comment in the ticket: 
>>>>> https://fedorahosted.org/freeipa/ticket/1889
>>>>>
>>>>> We are working on a tool in the PKI project that will perform 
>>>>> these steps in an automated fashion.
>>>>>
>>>>>
>>>>> There are three files that need to be addressed.
>>>>>
>>>>> On the tomcat side, the files are in the Tomcat instance managed 
>>>>> by IPA in /var/lib/pki-ca. The first is
>>>>>
>>>>> /var/lib/pki-ca/conf/server.xml
>>>>>
>>>>> It needs the addition:
>>>>>
>>>>> + <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
>>>>>
>>>>> You can place it around line 281, above the comment for the line 
>>>>> <Engine name="Catalina" defaultHost="localhost">
>>>>>
>>>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>>>
>>>>> For each of the filter entries it needs the code addition below:
>>>>>
>>>>>     <init-param>
>>>>>
>>>>>         <param-name>proxy_port</param-name>
>>>>>         <param-value>443</param-value>
>>>>>
>>>>>     </init-param>
>>>>>
>>>>>     <init-param>
>>>>>
>>>>>         <param-name>active</param-name>
>>>>>         <param-value>true</param-value>
>>>>>
>>>>>     </init-param>
>>>>>
>>>>>     </filter>
>>>>>
>>>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf 
>>>>> in the directory /etc/httpd/conf.d
>>>>>
>>>>>
>>>>>
>>>
>>> Sorry for the late reply.
>>>
>>> I have performed the modifications you've suggested to 
>>> /var/lib/pki-ca/conf/server.xml, and  
>>> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>>>
>>> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already 
>>> http.port=8080 and https.port=8443.
>>>
>>> I could not find the file /etc/pki-ca/proxy.conf. I did find 
>>> /usr/share/pki/ca/conf/proxy.conf, I copied this into 
>>> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] 
>>> with localhost:9447.
>>>
>>> Then I restarted ipa: $ ipactl restart
>>>
>>> I get a different error now, same error msg both in webui and cli:
>>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) 
>>> An I/O error occurred during security authorization.
>>>
>>> What do you suggest doing next? :)
>>
>> /etc/httpd/conf.d/nss.conf:
>>
>> [root at vm-077 conf.d]# diff nss.conf.orig nss.conf
>> 74c74
>> < NSSRenegotiation off
>> ---
>> > NSSRenegotiation on
>> 78c78
>> < NSSRequireSafeNegotiation off
>> ---
>> > NSSRequireSafeNegotiation on
>>
>>
>> As I said, we are scripting this.  I should have had you hold out for 
>> the script.
>
> :)
>
> I see Ade Lee has posted the script now. I'll have a go at the script 
> tomorrow.
>
> Rgds,
> Siggi
>
>
>
>
Well, that script assumes the machine is in a certain state.  I am not 
sure if your machine now qualifies.  You should only need the nss.conf 
change, as that seems to match the error you are seeing.

Before you make any changes, try pointing a browser at

https://hostname/ca/ee/ca/getCertChain

And you should get a valid response:  XML with a tag <ChainBase64>

This shows that Dogtag is being proxied correctly.  The error you are 
seeing is due to the need to "renegotiate" the SSL handshake for the 
authed sections of the PKI-CA.
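As an added example, not part of this thread or of FreeIPA/Dogtag, here is an offline check for the two points in the reply above: whether a getCertChain response carries a <ChainBase64> element holding DER, and whether an nss.conf fragment has the NSSRenegotiation settings from the diff. The response body and the nss.conf text are constructed inline; the real response's root element name is not assumed.

```python
# Added example (not from the thread): offline checks for the two points above.
# Inputs are constructed inline so this runs without a server or an IPA host.
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a getCertChain response. The chain value is a
# minimal DER SEQUENCE (0x30 0x03 0x02 0x01 0x01), not a real certificate chain.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<XMLResponse>
  <Status>0</Status>
  <ChainBase64>MAMCAQE=</ChainBase64>
</XMLResponse>
"""

# Constructed nss.conf fragment with the values the diff in the thread shows.
SAMPLE_NSS_CONF = """
NSSEngine on
NSSRenegotiation on
NSSRequireSafeNegotiation on
"""


def check_cert_chain(xml_text):
    """Return the DER length of the chain if the response looks valid, else None."""
    root = ET.fromstring(xml_text)
    node = root.find(".//ChainBase64")
    if node is None or not (node.text or "").strip():
        return None
    der = base64.b64decode("".join(node.text.split()))
    # A PKCS#7 / certificate chain blob is a DER SEQUENCE, which begins with 0x30.
    if not der or der[0] != 0x30:
        return None
    return len(der)


def check_nss_renegotiation(conf_text):
    """Return directives that are missing or not 'on' (empty dict means OK)."""
    problems = {}
    for name in ("NSSRenegotiation", "NSSRequireSafeNegotiation"):
        m = re.search(r"^\s*%s\s+(\S+)" % name, conf_text, re.M | re.I)
        value = m.group(1).lower() if m else None
        if value != "on":
            problems[name] = value
    return problems


if __name__ == "__main__":
    print("chain DER bytes:", check_cert_chain(SAMPLE_RESPONSE))
    print("nss.conf problems:", check_nss_renegotiation(SAMPLE_NSS_CONF))
```

To run it against a live deployment, feed the body of https://hostname/ca/ee/ca/getCertChain and the contents of /etc/httpd/conf.d/nss.conf to the two functions.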



