Bug 743955

Summary: Cert error when accessing host in webui or cli
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1CC: dpal, jgalipea, mkosek, nsoman, sigbjorn
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-2.1.2-1.el6 Doc Type: Bug Fix
Doc Text:
Do not document
 Story Points: ---
Clone Of: 741458 Environment:
Last Closed: 2011-12-06 18:42:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 741458    
Bug Blocks:    

Description Dmitri Pal 2011-10-06 15:10:51 UTC 
+++ This bug was initially created as a clone of Bug #741458 +++

Description of problem:
I have several hosts that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
The error message I receive is:

    * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>. 

I noticed that the hosts with an issue, is Fedora 15 joined hosts. These we're joined using the ipa-client-install command. Accessing any of these hosts in the gui or cli yields the same error message.

However I do not receive any error when look at the host entry for my ipa servers, which are also Fedora 15.

Any Red Hat 5 or Red Hat 6 joined hosts does not seem to have a certificate in the dogtag, and the error is not displayed when accessing these in the webui.

Version-Release number of selected component (if applicable):
2.1.1

How reproducible:
Every time.

Steps to Reproduce:
webui) Go to the host tab, click on a Fedora 15 joined host
cli) Run ipa host-disable <hostname>
  
Actual results:
Error: "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)"

Expected results:
Modified/deleted host object

Additional info:

--- Additional comment from rcritten on 2011-09-26 22:46:57 EDT ---

The host-disable is trying to revoke the host certificate.

From the command line I would assume this also fails:

$ ipa cert-show <serial #>

This does a client authenticated HTTPS request to /ca/agent/ca/displayBySerial

You may want to check /var/log/pki-ca/debug to see if there are any errors logged there when this fails.

Does the nickname ipaCert exist when you do:

# certutil -L -d /etc/httpd/alias

--- Additional comment from jgalipea on 2011-09-27 08:45:25 EDT ---

Was this a fresh install of 2.1.1 or an upgrade from earlier version?

--- Additional comment from sigbjorn on 2011-09-27 15:42:35 EDT ---

# ipa cert-show 268369923
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

There are no entries in /var/log/pki-ca/debug at the time I attempt to run ipa cert-show or ipa host-disable.

#  certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IX.TEST.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

Version 2.0 was installed fresh on F15, then upgraded to 2.1.1 later.

Does this help?

--- Additional comment from sigbjorn on 2011-09-27 15:54:43 EDT ---

These are the apache log lines that correspond to # ipa host-disable <hostname, and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contains any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin.COM: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - admin.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360

--- Additional comment from jgalipea on 2011-09-27 16:20:08 EDT ---

This was experienced once in QE after an update, I believe it was around the time that this for fixed ...
https://bugzilla.redhat.com/show_bug.cgi?id=726526

--- Additional comment from sigbjorn on 2011-09-27 16:53:27 EDT ---

The patch mentioned in that bug seem to be applied in the version running on my IPA servers.

--- Additional comment from dpal on 2011-09-27 18:25:39 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1889
Comment 1 Jenny Severance 2011-10-06 16:18:56 UTC 
From upstream ticket ::

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA in
/var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine
name="Catalina" defaultHost="localhost">

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>

        <param-name>proxy_port</param-name> <param-value>443</param-value>

    </init-param>

+ <init-param> + <param-name>proxy_port</param-name> +
<param-value>443</param-value> + </init-param>

    <init-param>

        <param-name>active</param-name> <param-value>true</param-value>

    </init-param>

    </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the
directory /etc/httpd/conf.d


Additional change required:

/var/lib/pki-ca/conf/CS.cfg

http.port=8080 https.port=8443
Comment 2 Rob Crittenden 2011-10-07 20:41:57 UTC 
fixed upstream:

ipa-2-1:
8cfddc3a0fc2f59ae57b6fb601c552b91fec480b
f30924decd4fd43d41bf747dedbd72100373b7a5
Comment 4 Jenny Severance 2011-10-26 17:02:59 UTC 
1) # cat /var/lib/pki-ca/conf/server.xml | grep "Connector port=\"9447\""
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

2)  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml  ::  all filters now have 

       <init-param>
            <param-name>proxy_port</param-name>
            <param-value>443</param-value>
        </init-param>

3)  ????????

4) in /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443


Need clarification on #3 ....
Comment 5 Rob Crittenden 2011-10-26 17:46:13 UTC 
Originally /etc/pki-ca/proxy.conf was going to be a symbolic link to /etc/httpd/conf.d/ipa-pki-proxy.conf. This is no longer the case, a copy is made of the file.

Verifying that the file was created is enough. There should be 3 LocationMatch entries, one for ee, one for admin and one for agent.
Comment 6 Jenny Severance 2011-10-26 17:57:23 UTC 

3) # cat /etc/httpd/conf.d/ipa-pki-proxy.conf
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>


version:
ipa-server-2.1.3-3.el6.x86_64
Comment 7 Martin Kosek 2011-10-31 20:32:56 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document
Comment 8 errata-xmlrpc 2011-12-06 18:42:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html