[Pki-users] Re: Re: Re: "SecurityDomain HTTPSAdmin URL not found " (solved)

骷髅猫 sbaa at vip.qq.com
Thu May 2 11:17:07 UTC 2013


Hi Alee


I took some time to debug the Perl CGI.
I found the error was caused by the decode method.


After I changed it, it works.


/sscep enroll -f sscep.conf -E 3des -S sha1
....
CN's of request and certificate matched!
./sscep: writing cert
./sscep: certificate written as ./local.crt



Sorry, I didn't change the default value according to (http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag#SSCEP_Configuration),
because the first time I used Firefox's keymanager.


Thanks very much!


sbaa


------------------ Original Message ------------------
From: "骷髅猫"<sbaa at vip.qq.com>;
Sent: Thursday, May 2, 2013, 5:24 PM
To: "alee"<alee at redhat.com>;
Cc: "Pki-users"<Pki-users at redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "



Hi Alee


Some update:


I tried another SCEP client, sscep (https://github.com/certnanny/sscep),


and got the same result:


./sscep: server returned status code 500
./sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 02 May 2013 09:13:20 GMT
Server: Apache
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1


<h1>Software error:</h1>
<pre>Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
</pre>
<p>
For help, please send mail to the webmaster (<a href="mailto:you at example.com">you at example.com</a>), giving this error message 
and the time and date of the error.


</p>


./sscep: wrong (or missing) MIME content type
./sscep: error while sending message



I am not sure what version is stable and recommended.


Thanks
Sbaa


------------------ Original Message ------------------
From: "骷髅猫"<sbaa at vip.qq.com>;
Sent: Tuesday, April 30, 2013, 2:33 PM
To: "alee"<alee at redhat.com>;
Cc: "Pki-users"<Pki-users at redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "



Hi Alee


I used Firefox's keymanager plugin to do a simple test. I just connected to the RA server and clicked next and next, then encountered this error.
But I didn't go through any source for pkiclient.cgi, so I'm not sure where the file pkiclient.xml is introduced.


Another question:
if the client request can choose a file which is used by the server CGI internally, is there any security risk?


Best Regards
sbaa


------------------ Original Message ------------------
From: "alee"<alee at redhat.com>;
Sent: Tuesday, April 30, 2013, 1:06 PM
To: "骷髅猫"<sbaa at vip.qq.com>;
Cc: "Pki-users"<Pki-users at redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "



I don't see anything in the code about pkiclient.xml.

Can you detail exactly what you did to test SCEP?
Thanks, 
Ade

On Sun, 2013-04-28 at 15:13 +0800, 骷髅猫 wrote:
> Hi Alee
> 
> 
> Thank you, I finished the configuration for the RA server by disabling
> SELinux.
> But when I tested the SCEP feature, I got this error:
> In the error log:
> [Sun Apr 28 03:05:56.891164 2013] [:error] [pid 1822:tid
> 140696560207616] [Sun Apr 28 03:05:56 2013] -e: Could not find
> pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/
> at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.\n
> 
> 
> On Firefox:
> Software error:
> Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
> 
> For help, please send mail to the webmaster (you at example.com), giving
> this error message and the time and date of the error.  
> 
> 
> 
> 
> Thanks
> sbaa
> ------------------ Original Message ------------------
> From: "alee"<alee at redhat.com>;
> Sent: Sunday, April 28, 2013, 2:00 PM
> To: "骷髅猫"<sbaa at vip.qq.com>;
> Cc: "Pki-users"<Pki-users at redhat.com>;
> Subject: Re: Re: [Pki-users] "SecurityDomain HTTPS Admin URL not found "
> 
> 
> I ran into the same problem:
> 
> The one you want is https://localhost.domain:8443
> 
> I resolved this by setting selinux in permissive mode.  I will file a
> bug against selinux policy on Monday.
> 
> Ade
> 
> On Sun, 2013-04-28 at 02:27 +0800, 骷髅猫 wrote:
> > Hi alee
> > 
> > 
> > I tried the following URLs:
> > 
> > 
> > https://localhost.localdomain:8443
> > https://localhost.localdomain:8443/ca
> > http://localhost.localdomain:8080
> > http://localhost.localdomain:8080/ca
> > 
> > 
> > But all failed.
> > 
> > 
> > And I found some info in the error log (/var/log/pki-ra/error_log):
> > GET /ca/admin/ca/getStatus HTTP/1.0
> > 
> > 
> > port: 8443
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5985:
> > GET /ca/admin/ca/getStatus HTTP/1.0
> > 
> > 
> > port: 9445
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5961:
> > 
> > 
> > ------------------ Original Message ------------------
> > From: "Ade Lee"<alee at redhat.com>;
> > Sent: Sunday, April 28, 2013, 1:04 AM
> > To: "骷髅猫"<sbaa at vip.qq.com>;
> > Cc: "Pki-users"<Pki-users at redhat.com>;
> > Subject: Re: [Pki-users] "Security Domain HTTPS Admin URL not found "
> > 
> > 
> > What value are you putting in for your security domain?
> > 
> > Ade
> > On Sat, 2013-04-27 at 23:39 +0800, 骷髅猫 wrote:
> > > Hi All
> > > I'm a new user of Dogtag.
> > > I tried the latest build, 10.0.2.
> > > I installed the CA server successfully, but when I configure an RA subsystem,
> > > 
> > > 
> > > url :
> > > https://localhost.localdomain:12890/ra/admin/console/config/wizard
> > > 
> > > 
> > > it always shows the error "Security Domain HTTPS Admin URL not found" and
> > > "Create a New Security Domain" cannot be chosen.
> > > Any ideas?
> > > 
> > > 
> > > thanks