Bug 743955 - Cert error when accessing host in webui or cli
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Depends On: 741458
Blocks: (none)
Reported: 2011-10-06 11:10 EDT by Dmitri Pal
Modified: 2011-12-06 13:42 EST
Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text: Do not document
Clone Of: 741458
Last Closed: 2011-12-06 13:42:17 EST


Attachments: none

External Trackers:
Red Hat Product Errata RHSA-2011:1533 (priority normal, status SHIPPED_LIVE): "Moderate: ipa security and bug fix update", last updated 2011-12-05 20:23:31 EST
Description Dmitri Pal 2011-10-06 11:10:51 EDT
+++ This bug was initially created as a clone of Bug #741458 +++

Description of problem:
I have several hosts that refuse to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
The error message I receive is:

    * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)


I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show <hostname>. 

I noticed that the hosts with an issue are Fedora 15 joined hosts. These were joined using the ipa-client-install command. Accessing any of these hosts in the gui or cli yields the same error message.

However, I do not receive any error when I look at the host entry for my ipa servers, which are also Fedora 15.

Any Red Hat 5 or Red Hat 6 joined hosts do not seem to have a certificate in Dogtag, and the error is not displayed when accessing these in the webui.

Version-Release number of selected component (if applicable):
2.1.1

How reproducible:
Every time.

Steps to Reproduce:
webui) Go to the host tab, click on a Fedora 15 joined host
cli) Run ipa host-disable <hostname>
  
Actual results:
Error: "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)"

Expected results:
Modified/deleted host object

Additional info:

--- Additional comment from rcritten@redhat.com on 2011-09-26 22:46:57 EDT ---

The host-disable is trying to revoke the host certificate.

From the command line I would assume this also fails:

$ ipa cert-show <serial #>

This does a client authenticated HTTPS request to /ca/agent/ca/displayBySerial

You may want to check /var/log/pki-ca/debug to see if there are any errors logged there when this fails.

Does the nickname ipaCert exist when you do:

# certutil -L -d /etc/httpd/alias

--- Additional comment from jgalipea@redhat.com on 2011-09-27 08:45:25 EDT ---

Was this a fresh install of 2.1.1 or an upgrade from earlier version?

--- Additional comment from sigbjorn@nixtra.com on 2011-09-27 15:42:35 EDT ---

# ipa cert-show 268369923
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

There are no entries in /var/log/pki-ca/debug at the time I attempt to run ipa cert-show or ipa host-disable.

#  certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IX.TEST.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

Version 2.0 was installed fresh on F15, then upgraded to 2.1.1 later.

Does this help?

--- Additional comment from sigbjorn@nixtra.com on 2011-09-27 15:54:43 EDT ---

These are the apache log lines that correspond to # ipa host-disable <hostname> and # ipa cert-show <serialno>. I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?


error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360

--- Additional comment from jgalipea@redhat.com on 2011-09-27 16:20:08 EDT ---

This was experienced once in QE after an update, I believe it was around the time that this was fixed ...
https://bugzilla.redhat.com/show_bug.cgi?id=726526

--- Additional comment from sigbjorn@nixtra.com on 2011-09-27 16:53:27 EDT ---

The patch mentioned in that bug seems to be applied in the version running on my IPA servers.

--- Additional comment from dpal@redhat.com on 2011-09-27 18:25:39 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1889
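The two log excerpts in the report are the whole diagnosis: the IPA framework does an sslget to /ca/agent/ca/displayBySerial on its own port 443, Apache has no proxy rule for /ca/, so it looks for /var/www/html/ca on disk and answers 404, and the framework turns that into CertificateOperationError. The Python below is an added example, not code from this bug or from FreeIPA, that pulls that chain out of the logs automatically. The log lines are constructed copies of the ones pasted above (the hostnames and 192.168.210.20 are the reporter's placeholders), and the verdict strings are my own.

```python
import re

# Constructed sample: Apache access_log lines copied from the report, with the
# healthy /ipa/xml requests left in so the filter has something to ignore.
ACCESS_LOG = """\
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
"""

# Constructed sample: the matching error_log lines from the report.
ERROR_LOG = """\
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
CLF_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SSLGET_RE = re.compile(r"sslget '(?P<url>https://[^']+)'")
MISSING_RE = re.compile(r"File does not exist: (?P<fs_path>\S+)")
CERTOP_RE = re.compile(r"ipa: INFO: (?P<principal>\S+): (?P<call>\w+\([^)]*\)): "
                       r"CertificateOperationError")


def unproxied_ca_requests(access_log):
    """Requests under /ca/ that Apache answered itself with 404 instead of
    handing to Dogtag. Any hit means the CA proxy rules are not loaded."""
    hits = []
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if m and m["path"].startswith("/ca/") and m["status"] == "404":
            hits.append((m["client"], m["path"]))
    return hits


def diagnose(error_log):
    """Pair each CertificateOperationError with the CA URL the IPA server
    tried just before it and the filesystem path Apache fell through to."""
    findings, last_url, last_missing = [], None, None
    for line in error_log.splitlines():
        if m := SSLGET_RE.search(line):
            last_url = m["url"]
        elif m := MISSING_RE.search(line):
            last_missing = m["fs_path"]
        elif m := CERTOP_RE.search(line):
            findings.append({
                "call": m["call"],
                "ca_url": last_url,
                "served_from_disk": last_missing,
                # Verdict strings are this example's own wording.
                "verdict": ("CA proxy not configured" if last_missing
                            else "CA reachable, check /var/log/pki-ca/debug"),
            })
            last_url = last_missing = None
    return findings


if __name__ == "__main__":
    for client, path in unproxied_ca_requests(ACCESS_LOG):
        print(f"{client} got 404 for {path}")
    for f in diagnose(ERROR_LOG):
        print(f"{f['call']}: {f['verdict']} (tried {f['ca_url']})")
```

The split between the two verdicts is the point of Rob's first question: a 404 with a "File does not exist" line means the request never reached Dogtag, so /var/log/pki-ca/debug will be silent, exactly as the reporter saw; a CertificateOperationError without that line means the proxy works and the CA itself rejected the request, and the Dogtag debug log is the next place to look.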
Comment 1 Jenny Galipeau 2011-10-06 12:18:56 EDT
From upstream ticket:

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by IPA in
/var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line
<Engine name="Catalina" defaultHost="localhost">.

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

Each of the filter entries needs the proxy_port init-param added; the
existing "active" init-param follows it, so the end of every filter looks
like this:

    <init-param>
        <param-name>proxy_port</param-name>
        <param-value>443</param-value>
    </init-param>

    <init-param>
        <param-name>active</param-name>
        <param-value>true</param-value>
    </init-param>

    </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the
directory /etc/httpd/conf.d


Additional change required:

/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443
Comment 2 Rob Crittenden 2011-10-07 16:41:57 EDT
fixed upstream:

ipa-2-1:
8cfddc3a0fc2f59ae57b6fb601c552b91fec480b
f30924decd4fd43d41bf747dedbd72100373b7a5
Comment 4 Jenny Galipeau 2011-10-26 13:02:59 EDT
1) # cat /var/lib/pki-ca/conf/server.xml | grep "Connector port=\"9447\""
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

2)  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml  ::  all filters now have 

       <init-param>
            <param-name>proxy_port</param-name>
            <param-value>443</param-value>
        </init-param>

3)  ????????

4) in /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443


Need clarification on #3 ....
Comment 5 Rob Crittenden 2011-10-26 13:46:13 EDT
Originally /etc/pki-ca/proxy.conf was going to be a symbolic link to /etc/httpd/conf.d/ipa-pki-proxy.conf. This is no longer the case, a copy is made of the file.

Verifying that the file was created is enough. There should be 3 LocationMatch entries, one for ee, one for admin and one for agent.
Comment 6 Jenny Galipeau 2011-10-26 13:57:23 EDT

3) # cat /etc/httpd/conf.d/ipa-pki-proxy.conf
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>


version:
ipa-server-2.1.3-3.el6.x86_64
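The security-relevant part of that file is the third LocationMatch: the agent-side servlets (displayBySerial, doRevoke, doUnrevoke, updateDomainXML, profileSubmitSSLClient) are only proxied under NSSVerifyClient require, so a caller has to present the ipaCert client certificate from /etc/httpd/alias, while the ee and admin endpoints are proxied anonymously. Anything under /ca/ that matches no section is not proxied at all and falls through to the filesystem, which is the 404 in this bug. The Python below is an added example, not part of this bug or of FreeIPA, that parses an ipa-pki-proxy.conf, works out which client-cert policy Apache would apply to a given /ca/ path (Apache merges LocationMatch sections in file order, so the last matching section wins), and flags any agent path that is either unproxied or proxied without a client certificate. The embedded config is a constructed copy of the file shown in comment 6; AGENT_PATHS and the finding strings are my own.

```python
import re

# Constructed copy of the ipa-pki-proxy.conf shown in comment 6. A real audit
# would read /etc/httpd/conf.d/ipa-pki-proxy.conf instead of this string.
SAMPLE_PROXY_CONF = """\
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>
"""

# Servlets that act with CA agent privilege (show/revoke/unrevoke certs, submit
# requests as the IPA RA). This list is the example's own, built from comment 6.
AGENT_PATHS = (
    "/ca/agent/ca/displayBySerial",
    "/ca/agent/ca/doRevoke",
    "/ca/agent/ca/doUnrevoke",
    "/ca/agent/ca/updateDomainXML",
    "/ca/eeca/ca/profileSubmitSSLClient",
)

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)


def parse_location_blocks(conf_text):
    """Return [(compiled_regex, {directive: value}), ...] in file order."""
    blocks = []
    for pattern, body in BLOCK_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
        blocks.append((re.compile(pattern), directives))
    return blocks


def policy_for(path, conf_text):
    """NSSVerifyClient value Apache would apply to a proxied `path`, or None
    when no proxying section matches (the request then falls through to the
    filesystem and 404s, the "File does not exist: /var/www/html/ca" case)."""
    policy = None
    for regex, directives in parse_location_blocks(conf_text):
        if regex.search(path) and "ProxyPassMatch" in directives:
            # Later matching sections override earlier ones, so keep the last
            # hit. A section with no NSSVerifyClient is treated as "none".
            policy = directives.get("NSSVerifyClient", "none")
    return policy


def audit(conf_text, agent_paths=AGENT_PATHS):
    """Findings for agent paths that are unproxied or reachable without a
    client certificate. An empty list means the config is as expected."""
    findings = []
    for path in agent_paths:
        policy = policy_for(path, conf_text)
        if policy is None:
            findings.append(f"{path}: not proxied (would return 404)")
        elif policy != "require":
            findings.append(f"{path}: NSSVerifyClient {policy}, expected require")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROXY_CONF) or ["OK: all agent paths require a client cert"]:
        print(finding)
```

Two caveats follow from how the file is written. The regexes are anchored only at the start, so each alternative is a prefix match and a path such as /ca/agent/ca/doRevokeX would land in the same section; and anything under /ca/ that is not listed (for example other agent servlets) is simply not reachable through Apache, which is the intended allow-list behaviour rather than an error. Running audit() against an empty or absent file reproduces the situation in this bug: every agent path comes back "not proxied".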
Comment 7 Martin Kosek 2011-10-31 16:32:56 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document
Comment 8 errata-xmlrpc 2011-12-06 13:42:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
