Bug 741458

Summary: Cert error when accessing host in webui or cli
Product: [Retired] freeIPA Reporter: Sigbjorn Lie <sigbjorn>
Component: ipa-serverAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.1CC: benl, dpal, jgalipea, mkosek, nsoman
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-2.1.4-5.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 743955 (view as bug list) Environment:
Last Closed: 2012-03-28 09:28:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 743955    

Description Sigbjorn Lie 2011-09-26 21:21:01 UTC 
Description of problem:
I have several hosts that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
The error message I receive is:

    * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>. 

I noticed that the hosts with an issue, is Fedora 15 joined hosts. These we're joined using the ipa-client-install command. Accessing any of these hosts in the gui or cli yields the same error message.

However I do not receive any error when look at the host entry for my ipa servers, which are also Fedora 15.

Any Red Hat 5 or Red Hat 6 joined hosts does not seem to have a certificate in the dogtag, and the error is not displayed when accessing these in the webui.

Version-Release number of selected component (if applicable):
2.1.1

How reproducible:
Every time.

Steps to Reproduce:
webui) Go to the host tab, click on a Fedora 15 joined host
cli) Run ipa host-disable <hostname>
  
Actual results:
Error: "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)"

Expected results:
Modified/deleted host object

Additional info:
Comment 1 Rob Crittenden 2011-09-27 02:46:57 UTC 
The host-disable is trying to revoke the host certificate.

From the command line I would assume this also fails:

$ ipa cert-show <serial #>

This does a client authenticated HTTPS request to /ca/agent/ca/displayBySerial

You may want to check /var/log/pki-ca/debug to see if there are any errors logged there when this fails.

Does the nickname ipaCert exist when you do:

# certutil -L -d /etc/httpd/alias
Comment 2 Jenny Severance 2011-09-27 12:45:25 UTC 
Was this a fresh install of 2.1.1 or an upgrade from earlier version?
Comment 3 Sigbjorn Lie 2011-09-27 19:42:35 UTC 
# ipa cert-show 268369923
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

There are no entries in /var/log/pki-ca/debug at the time I attempt to run ipa cert-show or ipa host-disable.

#  certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IX.TEST.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

Version 2.0 was installed fresh on F15, then upgraded to 2.1.1 later.

Does this help?
Comment 4 Sigbjorn Lie 2011-09-27 19:54:43 UTC 
These are the apache log lines that correspond to # ipa host-disable <hostname, and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contains any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin.COM: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - admin.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
Comment 5 Jenny Severance 2011-09-27 20:20:08 UTC 
This was experienced once in QE after an update, I believe it was around the time that this for fixed ...
https://bugzilla.redhat.com/show_bug.cgi?id=726526
Comment 6 Sigbjorn Lie 2011-09-27 20:53:27 UTC 
The patch mentioned in that bug seem to be applied in the version running on my IPA servers.
Comment 7 Dmitri Pal 2011-09-27 22:25:39 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1889
Comment 8 Jenny Severance 2011-10-06 16:18:01 UTC 
From upstream ticket ::

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>

        <param-name>proxy_port</param-name> <param-value>443</param-value>

    </init-param>

+ <init-param> + <param-name>proxy_port</param-name> + <param-value>443</param-value> + </init-param>

    <init-param>

        <param-name>active</param-name> <param-value>true</param-value>

    </init-param>

    </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d


Additional change required:

/var/lib/pki-ca/conf/CS.cfg

http.port=8080 https.port=8443
Comment 9 Martin Kosek 2011-10-14 06:54:56 UTC 
Fixed upstream:

master:
f3ca0618c27df93e9a8836bead7d881301240945
12cc78caf6654e1e4b00d19b2ad55c7db7883edb
ae65c0193271b70929f8d011f2a1aa5dff99f426

ipa-2-1: 
8cfddc3a0fc2f59ae57b6fb601c552b91fec480b
f30924decd4fd43d41bf747dedbd72100373b7a5