Bug 743955 - Cert error when accessing host in webui or cli
Summary: Cert error when accessing host in webui or cli
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 741458
Blocks:
Reported: 2011-10-06 15:10 UTC by Dmitri Pal
Modified: 2011-12-06 18:42 UTC (History)

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of: 741458
Environment:
Last Closed: 2011-12-06 18:42:17 UTC
Target Upstream Version:
Embargoed:


Links:
System ID: Red Hat Product Errata RHSA-2011:1533
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security and bug fix update
Last Updated: 2011-12-06 01:23:31 UTC

Description Dmitri Pal 2011-10-06 15:10:51 UTC
+++ This bug was initially created as a clone of Bug #741458 +++

Description of problem:
I have several hosts that refuse to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
The error message I receive is:

    * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>. 

I noticed that the hosts with an issue are Fedora 15 joined hosts. These were joined using the ipa-client-install command. Accessing any of these hosts in the gui or cli yields the same error message.

However I do not receive any error when I look at the host entry for my ipa servers, which are also Fedora 15.

Any Red Hat 5 or Red Hat 6 joined hosts do not seem to have a certificate in the dogtag, and the error is not displayed when accessing these in the webui.

Version-Release number of selected component (if applicable):
2.1.1

How reproducible:
Every time.

Steps to Reproduce:
webui) Go to the host tab, click on a Fedora 15 joined host
cli) Run ipa host-disable <hostname>
  
Actual results:
Error: "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)"

Expected results:
Modified/deleted host object

Additional info:

--- Additional comment from rcritten on 2011-09-26 22:46:57 EDT ---

The host-disable is trying to revoke the host certificate.

From the command line I would assume this also fails:

$ ipa cert-show <serial #>

This does a client authenticated HTTPS request to /ca/agent/ca/displayBySerial

You may want to check /var/log/pki-ca/debug to see if there are any errors logged there when this fails.

Does the nickname ipaCert exist when you do:

# certutil -L -d /etc/httpd/alias

--- Additional comment from jgalipea on 2011-09-27 08:45:25 EDT ---

Was this a fresh install of 2.1.1 or an upgrade from earlier version?

--- Additional comment from sigbjorn on 2011-09-27 15:42:35 EDT ---

# ipa cert-show 268369923
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

There are no entries in /var/log/pki-ca/debug at the time I attempt to run ipa cert-show or ipa host-disable.

#  certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IX.TEST.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

Version 2.0 was installed fresh on F15, then upgraded to 2.1.1 later.

Does this help?

--- Additional comment from sigbjorn on 2011-09-27 15:54:43 EDT ---

These are the apache log lines that correspond to # ipa host-disable <hostname>, and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin.COM: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - admin.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360

--- Additional comment from jgalipea on 2011-09-27 16:20:08 EDT ---

This was experienced once in QE after an update, I believe it was around the time that this was fixed ...
https://bugzilla.redhat.com/show_bug.cgi?id=726526

--- Additional comment from sigbjorn on 2011-09-27 16:53:27 EDT ---

The patch mentioned in that bug seems to be applied in the version running on my IPA servers.

--- Additional comment from dpal on 2011-09-27 18:25:39 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1889

Comment 1 Jenny Severance 2011-10-06 16:18:56 UTC
From upstream ticket ::

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line
<Engine name="Catalina" defaultHost="localhost">

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    + <init-param>
    +     <param-name>proxy_port</param-name>
    +     <param-value>443</param-value>
    + </init-param>
      <init-param>
          <param-name>active</param-name>
          <param-value>true</param-value>
      </init-param>
    </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d


Additional change required:

/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443

Comment 2 Rob Crittenden 2011-10-07 20:41:57 UTC
fixed upstream:

ipa-2-1:
8cfddc3a0fc2f59ae57b6fb601c552b91fec480b
f30924decd4fd43d41bf747dedbd72100373b7a5

Comment 4 Jenny Severance 2011-10-26 17:02:59 UTC
1) # cat /var/lib/pki-ca/conf/server.xml | grep "Connector port=\"9447\""
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

2)  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml  ::  all filters now have 

       <init-param>
            <param-name>proxy_port</param-name>
            <param-value>443</param-value>
        </init-param>

3)  ????????

4) in /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443


Need clarification on #3 ....

Comment 5 Rob Crittenden 2011-10-26 17:46:13 UTC
Originally /etc/pki-ca/proxy.conf was going to be a symbolic link to /etc/httpd/conf.d/ipa-pki-proxy.conf. This is no longer the case; a copy is made of the file.

Verifying that the file was created is enough. There should be 3 LocationMatch entries, one for ee, one for admin and one for agent.

Comment 6 Jenny Severance 2011-10-26 17:57:23 UTC

3) # cat /etc/httpd/conf.d/ipa-pki-proxy.conf
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>


version:
ipa-server-2.1.3-3.el6.x86_64
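
An added checker, written for this page and not part of the bug or of IPA, for items 2 and 3 of the verification in comments 4 to 6: it parses a web.xml fragment and an ipa-pki-proxy.conf (both constructed, shortened samples embedded inline, parsed with plain regular expressions) and reports filters lacking the proxy_port init-param and LocationMatch blocks that do not match comment 5, including an agent block that does not demand the client certificate.

```python
import re
# Constructed, shortened sample of /etc/httpd/conf.d/ipa-pki-proxy.conf (same shape as comment 6).
SAMPLE_PROXY_CONF = """\
ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ocsp">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
</LocationMatch>
<LocationMatch "^/ca/admin/ca/getStatus">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
</LocationMatch>
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke">
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
</LocationMatch>
"""
# Constructed web.xml fragment: one filter patched, one still missing proxy_port.
SAMPLE_WEB_XML = """\
<filter><init-param><param-name>proxy_port</param-name><param-value>443</param-value>
</init-param></filter>
<filter><init-param><param-name>active</param-name><param-value>true</param-value>
</init-param></filter>
"""
BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]*)">(.*?)</LocationMatch>', re.S)

def proxy_blocks(conf):
    """Map 'ee'/'admin'/'agent' to (NSSVerifyClient value, AJP port) per LocationMatch."""
    out = {}
    for paths, body in BLOCK_RE.findall(conf):
        cls = paths.split("|")[0].split("/")[2]          # '^/ca/agent/...' -> 'agent'
        verify = re.search(r"NSSVerifyClient\s+(\S+)", body)
        port = re.search(r"ajp://localhost:(\d+)/", body)
        out[cls] = (verify and verify.group(1), port and int(port.group(1)))
    return out

def check_proxy_conf(conf, ajp_port=9447):
    """Problems in the proxy config; [] when it matches what comment 5 describes."""
    blocks = proxy_blocks(conf)
    problems = [f"no LocationMatch for /ca/{c}/" for c in ("ee", "admin", "agent") if c not in blocks]
    for cls, (verify, port) in blocks.items():
        if port != ajp_port:
            problems.append(f"{cls}: proxies to AJP port {port}, expected {ajp_port}")
    # agent URLs (displayBySerial, doRevoke) must demand the client cert, i.e. ipaCert
    if blocks.get("agent", (None, None))[0] != "require":
        problems.append("agent: NSSVerifyClient must be 'require'")
    return problems

def filters_missing_proxy_port(web_xml, proxy_port=443):
    """Count <filter> entries in web.xml without the proxy_port init-param."""
    pat = rf"<param-name>proxy_port</param-name>\s*<param-value>{proxy_port}</param-value>"
    return sum(1 for f in re.findall(r"<filter>(.*?)</filter>", web_xml, re.S) if not re.search(pat, f))
```

Run check_proxy_conf and filters_missing_proxy_port on the real files' contents; an empty list and a count of 0 correspond to the state QE reported in comments 4 and 6.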

Comment 7 Martin Kosek 2011-10-31 20:32:56 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 8 errata-xmlrpc 2011-12-06 18:42:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

