Bug 743955
Summary: | Cert error when accessing host in webui or cli | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.1 | CC: | dpal, jgalipea, mkosek, nsoman, sigbjorn |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.2-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Do not document
|
Story Points: | --- |
Clone Of: | 741458 | Environment: | |
Last Closed: | 2011-12-06 18:42:17 UTC | Type: | --- |
Bug Depends On: | 741458 | ||
Bug Blocks: |
Description
Dmitri Pal
2011-10-06 15:10:51 UTC
From upstream ticket ::

There are three files that need to be addressed. On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml

It needs the addition:

```
+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
```

You can place it around line 281, above the comment for the line

```
<Engine name="Catalina" defaultHost="localhost">
```

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

```
  <init-param>
  <param-name>proxy_port</param-name>
  <param-value>443</param-value>
  </init-param>
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>443</param-value>
+ </init-param>
  <init-param>
  <param-name>active</param-name>
  <param-value>true</param-value>
  </init-param>
  </filter>
```

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d

Additional change required: /var/lib/pki-ca/conf/CS.cfg

```
http.port=8080
https.port=8443
```

fixed upstream:

ipa-2-1: 8cfddc3a0fc2f59ae57b6fb601c552b91fec480b f30924decd4fd43d41bf747dedbd72100373b7a5

1)

```
# cat /var/lib/pki-ca/conf/server.xml | grep "Connector port=\"9447\""
<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
```

2) /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml :: all filters now have

```
<init-param>
<param-name>proxy_port</param-name>
<param-value>443</param-value>
</init-param>
```

3) ????????

4) in /var/lib/pki-ca/conf/CS.cfg

```
http.port=8080
https.port=8443
```

Need clarification on #3 ....

Originally /etc/pki-ca/proxy.conf was going to be a symbolic link to /etc/httpd/conf.d/ipa-pki-proxy.conf. This is no longer the case; a copy is made of the file. Verifying that the file was created is enough. There should be 3 LocationMatch entries, one for ee, one for admin and one for agent.
3)

```
# cat /etc/httpd/conf.d/ipa-pki-proxy.conf
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>
```

version: ipa-server-2.1.3-3.el6.x86_64

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
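The verification of `ipa-pki-proxy.conf` above was done by reading the file; the following added example (not part of the bug report or of IPA) automates that check: three `LocationMatch` blocks, all proxied to the AJP connector on port 9447, and client-certificate enforcement on the agent paths. The function names and the abbreviated sample configuration are constructed for illustration.

```python
import re

AJP_BACKEND = "ajp://localhost:9447/"  # AJP connector port quoted in the report

def parse_location_blocks(conf):
    """Return one dict per <LocationMatch> block found in an Apache config string."""
    blocks = []
    for pattern, body in re.findall(
            r'<LocationMatch\s+"([^"]*)">(.*?)</LocationMatch>', conf, re.S):
        verify = re.search(r'^\s*NSSVerifyClient\s+(\S+)', body, re.M)
        targets = re.findall(r'^\s*ProxyPass(?:Match|Reverse)\s+(\S+)', body, re.M)
        blocks.append({"paths": pattern.split("|"),
                       "verify": verify.group(1) if verify else None,
                       "targets": targets})
    return blocks

def audit_proxy_conf(conf):
    """List deviations from the layout the report verifies (empty list = OK)."""
    blocks, problems = parse_location_blocks(conf), []
    if len(blocks) != 3:
        problems.append("expected 3 LocationMatch blocks, found %d" % len(blocks))
    for b in blocks:
        label = b["paths"][0]
        if len(b["targets"]) != 2 or any(t != AJP_BACKEND for t in b["targets"]):
            problems.append("unexpected proxy target in block %s" % label)
        # Agent operations (revoke, unrevoke, ...) must demand a client certificate.
        if any("/ca/agent/" in p for p in b["paths"]) and b["verify"] != "require":
            problems.append("agent paths lack NSSVerifyClient require in block %s" % label)
    return problems

def make_block(paths, verify):
    """Build a constructed LocationMatch block for the demo below."""
    return ('<LocationMatch "%s">\n  NSSVerifyClient %s\n'
            '  ProxyPassMatch %s\n  ProxyPassReverse %s\n</LocationMatch>\n'
            % ("|".join(paths), verify, AJP_BACKEND, AJP_BACKEND))

# Constructed sample, abbreviated from the listing in the report.
GOOD_CONF = (make_block(["^/ca/ee/ca/getCertChain", "^/ca/ocsp"], "none")
             + make_block(["^/ca/admin/ca/getStatus"], "none")
             + make_block(["^/ca/agent/ca/doRevoke",
                           "^/ca/eeca/ca/profileSubmitSSLClient"], "require"))
# Same file with the agent block weakened: the misconfiguration to catch.
BAD_CONF = GOOD_CONF.replace("NSSVerifyClient require", "NSSVerifyClient none")

if __name__ == "__main__":
    print(audit_proxy_conf(GOOD_CONF))
    print(audit_proxy_conf(BAD_CONF))
```

To audit a live server, pass the contents of `/etc/httpd/conf.d/ipa-pki-proxy.conf` to `audit_proxy_conf`.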