(Fedora 17) PKI-RA fails to start after install
by Brian Henson
Hello all,
When I try to configure the RA subsystem after installing it I get this
error.
Installation information recorded in /var/log/pki-ra-install.log.
[debug] run_command(/bin/systemctl restart pki-rad@pki-ra.service)
[error] FAILED run_command("/bin/systemctl restart pki-rad@pki-ra.service"),
exit status=1 output="Job failed. See system journal and 'systemctl status'
for details."
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://(someaddress):12890/ra/admin/console/config/login?pin=XWdsV1oDtx9qQFcybzAr
After configuration, the server can be operated by the command:
/bin/systemctl restart pki-rad@pki-ra.service
Anyone know how to fix this? I get it for the TPS module as well.
Thanks
Brian Henson
11 years, 6 months
Dogtag User Certs setup and OCSP Signing
by Chris Grijalva
So far attempts to setup user certs using Dogtag CA fail, while self-signed Client Certificates work fine.
The end goal is to have tomcat pass a user cert to an application, which will authenticate and bypass the initial login screen.
The details,
Dogtag 9.0 installed on a CentOS 6.4 server
Server cert is set up correctly in the local keystore and the tomcat server.xml is configured
<Connector SSLEnabled="true"
           maxThreads="150"
           maxSpareThreads="75"
           minSpareThreads="25"
           acceptCount="100"
           clientAuth="true"
           disableUploadTimeout="true"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           URIEncoding="UTF-8"
           keyAlias="tomcat"
           keystoreFile="/opt/SSL-keystore.jks"
           keystorePass="PKI-server-cert"
           keystoreType="JKS"
           truststoreFile="/opt/SSL-truststore.p12"
           truststorePass="PKI-CA-cert"
           truststoreType="PKCS12"
           port="8443"
           scheme="https"
           secure="true"
           sslProtocol="TLS"/>
This works correctly with a self-signed user cert, the browser requests a user cert before displaying the initial login screen.
The next step is to create a truststore entry referencing Dogtag's CA certificate and user cert.
Searching the web for dogtag user certs, openssl and Fedora/user documentation has not yielded any detailed User Guides or user notes.
Both the Admin and Agent Guide were useful for defining admin and agent usage, but did not provide detailed information on importing a cert
authority into a truststore or using the truststore to sign an X509 client certificate.
Once the client certificate handshake is established, can tomcat parse the certificate or would apache mod_SSL be a better choice?
Finally can/should the application use an openssl ocsp call to validate the certificate?
At this point, I'm not knowledgeable enough with PKI and Dogtag to define a workable solution.
Have I missed some essential documentation?
Has anyone found or written any Dogtag User Notes or have references to Dogtag usage?
Any recommendations would be appreciated.
Chris Grijalva
Configuration Management | Data Fusion & Analytics
Sotera Defense Solutions, Inc.
o: 512.814.0186
c: 713.291.2215
f: 512.814.0308
e: chris.grijalva(a)soteradefense.com
w: www.soteradefense.com
Potomac Fusion, LLC is now the Data Fusion & Analytics business of Sotera Defense Solutions
11 years, 7 months
End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)
by Fabian Bertholm
Hi,
I got a message from my smartcard dealer that the Gemalto TOP IM FIPS CY2
(Cyberflex Access 64k v2) is now EOL.
Which other smartcard is officially supported? I need something with at
least 64k. Anyone with an idea?
best regards
Fabian
11 years, 7 months
10.0.2 CA Installation failed on LDAP and CA chain
by pkiadmin@nym.hush.com
Hello list members,
I have been trying to get Dogtag 10.0.2 on fc18 running but
pkispawn concludes with Installation Failed.
Here is what I see:
pkispawn -s CA -f /home/pkiadmin/CA.cfg
Loading deployment configuration from /home/pkiadmin/CA.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
tomcat/ca/deployment.cfg.
Installation failed.
The interactive pkispawn was also tried but this gives the same
fail results.
In /var/log/pki/pki-tomcat/ca/system I see the following:
6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [3] [3]
Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a
PKCS#11 certificate
6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [13] [3]
authz instance DirAclAuthz initialization failed and skipped,
error=Property internaldb.ldapconn.port missing value
In /var/log/pki/pki-tomcat/catalina.out I see the above 2 errors
preceded by CMS WARNING: FAILURE:
In /etc/pki/default.cfg I put pki_ds_hostname=hostname and made
sure the pki_ds_port was correct. Oh yes, the remote DS389 was
running and accessible.
When I look at services there is a pki-tomcatd@pki-tomcat running
and I can restart it without problems. I can also get to the "End
User Services" page on 8080. None of the other ports connect.
Thanks in advance.
11 years, 7 months
Addendum: 10.0.2 CA Installation failed on LDAP and CA chain
by Buckingham
Hello,
After further investigation into the failing setup/configuration, I
found that /etc/pki/pki-tomcat/ca/CS.cfg has no values set for the
following:
authz.instance.DirAclAuthz.ldap.basedn
authz.instance.DirAclAuthz.ldap.ldapconn.host
authz.instance.DirAclAuthz.ldap.ldapconn.port
Also authz.instance.DirAclAuthz.ldap.ldapauth.bindDN does not set
the DN that I entered during interactive setup.
My question is: why do these variables in the CS.cfg fail to get
set during both interactive and non-interactive installations?
Regards
11 years, 7 months
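A quick check for the condition described in the two messages above, as an added example that is not part of the original posts or of the Dogtag code base. It parses a CS.cfg-style key=value file and lists the properties that are absent entirely or present with no value. The sample configuration below is constructed for the example; the key names are the ones quoted in the thread, and REQUIRED_LDAP_KEYS is my own list of what to look for, not a list that pkispawn itself validates.

```python
"""Flag unset LDAP/authz properties in a Dogtag CS.cfg (added example)."""

# Constructed CS.cfg fragment (not taken from a real instance): the three
# authz keys named in the addendum are present but empty, the
# internaldb.ldapconn.port property is missing, and the bindDN is set.
SAMPLE_CS_CFG = """\
# Dogtag CS.cfg (constructed sample)
internaldb.ldapconn.host=ldap.example.test
internaldb.ldapconn.secureConn=false
internaldb.basedn=o=pki-tomcat-CA
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
"""

# Properties this check expects to be populated. This list is an assumption
# drawn from the messages above, not something pkispawn enforces.
REQUIRED_LDAP_KEYS = (
    "internaldb.ldapconn.host",
    "internaldb.ldapconn.port",
    "authz.instance.DirAclAuthz.ldap.basedn",
    "authz.instance.DirAclAuthz.ldap.ldapconn.host",
    "authz.instance.DirAclAuthz.ldap.ldapconn.port",
    "authz.instance.DirAclAuthz.ldap.ldapauth.bindDN",
)


def parse_cs_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped.
    The split is on the first '=' only, so a DN such as
    'cn=Directory Manager' survives as the value. A line with no '='
    is recorded as a key with an empty value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        cfg[key.strip()] = value.strip() if sep else ""
    return cfg


def find_unset(cfg, required=REQUIRED_LDAP_KEYS):
    """Return (missing, empty): required keys absent from cfg, and required
    keys that are present but have no value. Order follows `required`."""
    missing = [k for k in required if k not in cfg]
    empty = [k for k in required if k in cfg and cfg[k] == ""]
    return missing, empty


def check_file(path):
    """Convenience wrapper: run the check against a CS.cfg on disk."""
    with open(path) as fh:
        return find_unset(parse_cs_cfg(fh.read()))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CS_CFG
    missing, empty = find_unset(parse_cs_cfg(text))
    for k in missing:
        print("MISSING:", k)
    for k in empty:
        print("EMPTY:  ", k)
    sys.exit(1 if (missing or empty) else 0)
```

Run it as `python check_cs_cfg.py /etc/pki/pki-tomcat/ca/CS.cfg` against a real instance; without an argument it runs on the constructed sample and exits non-zero because four of the six keys are unset.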
Re: iphone's scep function with dogtag
by 骷髅猫
Hi All
More details:
I made a profile including SCEP settings and applied it to an iPhone 4s.
During the installation, it tries to enroll the cert and reports the error "invalid response".
The scep server was tested by SSCEP client.
Thanks
------------------ Original Message ------------------
From: "骷髅猫"<sbaa(a)vip.qq.com>;
Sent: Friday, May 3, 2013, 6:20 PM
To: "Pki-users"<Pki-users(a)redhat.com>;
Subject: iphone's scep function with dogtag
Hi All
Who tried the SCEP feature with iphone?
I tested on an iPhone 4s; it returns "invalid response".
Thanks
sbaa
11 years, 7 months
Announcing the release of Dogtag 10.0.2
by Ade Lee
The Dogtag team is proud to announce the second errata build for
Dogtag v10.0.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repo. Please try it out and provide karma to move them to the F18 and
F19 stable repos.
Daily developer builds for Fedora 17, 18 and 19 are available at
http://nkinder.fedorapeople.org/dogtag-devel/fedora/
== Build Versions ==
pki-core-10.0.2-2
pki-ra-10.0.2-2
pki-tps-10.0.2-2
dogtag-pki-10.0.2-1
dogtag-pki-theme-10.0.2-1
pki-console-10.0.2-2
== Highlights since Dogtag v. 10.0.1 ==
* A new Python client framework has been written to connect to the
restful interface on the java subsystems. This interface was used
for some installation functionality and will continue to be expanded.
* pkispawn and pkidestroy were modified to use the new Python client
framework and the dependency on jython was eliminated.
* The installation interfaces were changed so that most of the
installation interactions take place over the admin interface.
* New command line parameters have been added to pkidestroy to provide
the username and password of the security domain administrator to update
the security domain. Formerly, no credentials were required because we
used the subsystem certificate of the subsystem for authentication. The
new method provides better auditing as to exactly who is de-registering
and removing a subsystem. As such, use of the new options is
recommended, and will be made mandatory in a future release.
* Although it is possible to run Dogtag 9 style instances on Dogtag 10,
these instances do not have the required configuration to expose the
RESTful interface. A new servlet has been added to return 501 (Not
implemented) on these instances when the REST URLs are accessed. This
is only applicable on Fedora 18 (See Fedora 19 note below).
* A new interactive mode has been added to pkispawn and pkidestroy. In
this mode, users are prompted for details in order to set up the most
basic servers. Any customizations would still need to be done through
configuration files. Interactive mode is an excellent way for users to
set up a server and become familiar with Dogtag.
* Support has been added for the random generation of serial numbers for
certificates issued. More details about this feature and how to enable
it can be found here:
http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers
* Nonces are used in Dogtag to prevent cross-site request forgery and
replay attack, but they were stored in a global list. To prevent
possible collisions with other user's nonces, they are now stored in
each user's session.
* Previously, session IDs were generated using /dev/random, which may
block under certain circumstances, making server startup slow. To avoid
this, the server configuration has been changed to use PKCS11PRNG
provided by JSS.
* A new upgrade framework has been added to allow instances to be
automatically upgraded when new packages are installed. This framework
will be used to eventually remove the need for migrations between
releases. The upgrade scripts are invoked by postinstall scriptlets in
the pki-base and pki-server packages. On completing an upgrade, users
should check the upgrade logs in /var/log/pki/pki-upgrade-*.log
and /var/log/pki/pki-server-upgrade-*.log for any errors. The upgrade
scripts (pki-upgrade and pki-server-upgrade) can also be run manually.
Additional troubleshooting information can be found at:
http://pki.fedoraproject.org/wiki/Upgrade
* New CLI has been added to simplify client certificate management
including importing and trusting CA certificates.
* Previously, the pki CLI tool used the same parameter (-w) to specify
both user and client certificate database passwords. The CLI has been
modified to use a new parameter (-c) for the database password, and -w
for the user password.
* Multiple additional fixes to pkispawn, pkidestroy, pki and their man
pages.
== Notes on Fedora 19 ==
Fedora 19 does not provide tomcat 6. Dogtag 9 style instances will
therefore no longer work on Fedora 19. These instances need to be
migrated to Dogtag 10.
To prevent inadvertently disabling Dogtag instances, code has been added
to prevent upgrades to Fedora 19 if Dogtag 9 instances exist. Details
on how to upgrade Dogtag 9 instances and workarounds can be found at:
http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
== Detailed Changes since Dogtag v. 10.0.1 ==
akoneru (23):
#191 Map REST exceptions to HTTP status codes
#217 CLI should display message on operations that complete with error
#290 Add hints to option descriptions for cert-find cli command
#383 Extend coverity tests to scan other subsystems (TPS, etc.)
#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
#465 Verify 'pki_backup_keys=True' if 'pki_backup_password'is set
#470 Prevent concurrent execution of pkispawn/pkidestroy
#471 Update man pages for interactive pkispawn/pkidestroy
#493 interpolation in pkispawn scripts should not apply to passwords
#502 Change pkidestroy "-w" option to require a password file
#507 Mark pki.conf as configuration file in RPM spec
#509 man page for pkispawn should be modified to specify
pki_ca_signing_subject_dn when setting up subordinate CA
#514 Clean up pkispawn output
#521 Separate python deployment engine from python deployment
scriptlets source code
#525 Incorrect info in pkispawn man page
#536 Catch keyboard interrupt
#542 Remove all "respawn()" logic from "pkispawn"
#543 Incorrect user-show usage.
#549 PKCS10Client tool throws java exception NoClassDefFoundError
#563 Use timeout in configuration script
#566 Mask sensitive parameters in archived config
#592 pkispawn not reporting the error message when exceptions are thrown
#593 Error caused by JSON Configuration result decoding when installing
CA clone
alee (9):
#232 add python binding for pkispawn/ pkidestroy
#419 REST interface for cert requests
#532 refactor pkispawn to use new python client
#546 Upgrade script for clone installation
#564 Rename base/deploy to base/server
#589 dependency needed for java-atk-wrapper in f19
#578 Rest API does not work on d9 -> d10 upgrade instances
#590 pki-base needs to deliver /var/log/pki
#597 Create 10.0.2 builds
awnuk (7):
#569 Port support for random certificate serial numbers to Dogtag 10
#570 Port patch allowing to support random certificate serial numbers
for system certificates to Dogtag 10
#579 Port patch allowing to clone CA with random serial number enabled.
#580 Port patch allowing to restart CA clone during configuration
change to random serial numbers.
#584 Port patch including system certificates with random serial
numbers in the certificate counter.
BZ 955784 - Correct Javascript inability to handle big numbers
BZ 951501 - Corrects key IDs miscalculated by Javascript
cfu (6):
BZ 929043 - serverCert.profile with SAN results in
SubjectAltNameException
BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing
Algorithm
BZ 904289 - Add ECC Support to Certificate Profiles
BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
BZ 903401 - TMS: RSA token enrollment failed : public key decode error
#362 CMC ECC
edewata (24):
#190 REST interface for user-group membership.
#291 Fix format of validityUnit option in cert-find command
#380 default install: part 2
#472 pkispawn should test DS info
#473 pkispawn should test security domain info
#474 Session-based nonces
#476 Limit username & password authentication
#477 Annotation for authentication methods
#491 Prompt CLI user on certificate warnings.
#497 Date format for cert-find
#498 [RFE] Add dates to cert-find output
#500 validityCount option returns 500 error
#501 Add cert status option to cert-find
#503 Dogtag 10: Security Domain Issues
#511 Add cert-request-show command.
#520 CLI returns 0 on error
#523 Add CLI option to capture HTTP data
#524 Tomcat blocks during startup
#535 python-requests compatibility problem
#541 Use FQDN instead of localhost in CLI
#544 Implement upgrade framework
#545 Upgrade script for random number generator
#553 pki.conf needs to be delivered by pki-base
#598 Upgrade script for JNI_JAR_DIR
jmagne (1):
#587 ipa-server-install crashes due to sslget error
mharmsen (7):
#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
#517 Clean up theme dependencies
#518 Remove UI dependencies from pkispawn
#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
BZ 947524 - Clone installation does not work over NAT
BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar
11 years, 7 months
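To make the nonce change in the highlights concrete, here is an added example (my own sketch, not Dogtag's implementation) contrasting one shared nonce list with per-session nonce storage. The class names, the issue/verify methods and the session identifiers are assumptions for illustration. What it shows: with a shared list, a nonce handed to one session is accepted when presented from any other session, because verification never asks who the nonce was issued to; with per-session storage it is rejected; and in both designs a nonce is single-use, so a straight replay fails.

```python
"""Global vs. per-session nonce stores for CSRF/replay protection (added example)."""
import secrets


class GlobalNonceStore:
    """Pre-change design: every issued nonce lives in one shared set.
    verify() only asks 'is this nonce outstanding?', not 'was it issued
    to this session?', so one user's nonce is accepted from another user."""

    def __init__(self):
        self._outstanding = set()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
        self._outstanding.add(nonce)
        return nonce

    def verify(self, session_id, nonce):
        # session_id is ignored here; that is the weakness being illustrated.
        if nonce in self._outstanding:
            self._outstanding.discard(nonce)   # single use
            return True
        return False


class SessionNonceStore:
    """Post-change design: nonces are keyed by the session that received
    them, so a nonce is only valid when presented from that same session."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        self._by_session.setdefault(session_id, set()).add(nonce)
        return nonce

    def verify(self, session_id, nonce):
        outstanding = self._by_session.get(session_id, set())
        if nonce in outstanding:
            outstanding.discard(nonce)         # single use
            return True
        return False


def cross_session_accepted(store_cls):
    """Issue a nonce to session 'alice' and present it from session 'mallory'.
    Returns True if the store accepts it, i.e. the store is not session-bound."""
    store = store_cls()
    nonce = store.issue("alice")
    return store.verify("mallory", nonce)


def replay_accepted(store_cls):
    """Present the same nonce twice from its own session. Returns True only if
    the second presentation is also accepted (it should not be)."""
    store = store_cls()
    nonce = store.issue("alice")
    first = store.verify("alice", nonce)
    second = store.verify("alice", nonce)
    return first and second


if __name__ == "__main__":
    for cls in (GlobalNonceStore, SessionNonceStore):
        print(cls.__name__,
              "cross-session accepted:", cross_session_accepted(cls),
              "replay accepted:", replay_accepted(cls))
```

The session-keyed store also bounds how many outstanding nonces one client can create, since each set is discarded with its session; a single global list grows with every client.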
Re: Re: Re: "SecurityDomain HTTPSAdmin URL not found " (solved)
by 骷髅猫
Hi Alee
I took some time to debug the Perl CGI.
I found the error was caused by the decode method;
after I changed it, it works.
/sscep enroll -f sscep.conf -E 3des -S sha1
....
CN's of request and certificate matched!
./sscep: writing cert
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
./sscep: certificate written as ./local.crt
Sorry, I didn't change the default value according to (http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag#SSCEP_Configuration)
because the first time I used Firefox's key manager.
Thanks very much!
sbaa
------------------ Original Message ------------------
From: "骷髅猫"<sbaa(a)vip.qq.com>;
Sent: Thursday, May 2, 2013, 5:24 PM
To: "alee"<alee(a)redhat.com>;
Cc: "Pki-users"<Pki-users(a)redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "
Hi Alee
some update
I tried another SCEP client, sscep (https://github.com/certnanny/sscep),
and got the same result:
./sscep: server returned status code 500
./sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 02 May 2013 09:13:20 GMT
Server: Apache
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1
<h1>Software error:</h1>
<pre>Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
</pre>
<p>
For help, please send mail to the webmaster (<a href="mailto:you@example.com">you(a)example.com</a>), giving this error message
and the time and date of the error.
</p>
./sscep: wrong (or missing) MIME content type
./sscep: error while sending message
I am not sure what version is stable and recommended.
Thanks
Sbaa
------------------ Original Message ------------------
From: "骷髅猫"<sbaa(a)vip.qq.com>;
Sent: Tuesday, April 30, 2013, 2:33 PM
To: "alee"<alee(a)redhat.com>;
Cc: "Pki-users"<Pki-users(a)redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "
Hi Alee
I used Firefox's keymanager plugin to do some simple tests. I just connected to the RA server and clicked next and next, then encountered this error.
But I didn't go through any source of pkiclient.cgi, so I'm not sure where the file pkiclient.xml is introduced.
Another question:
if the client request can choose some file which is used by the server CGI internally, is there any security risk?
Best Regards
sbaa
------------------ Original Message ------------------
From: "alee"<alee(a)redhat.com>;
Sent: Tuesday, April 30, 2013, 1:06 PM
To: "骷髅猫"<sbaa(a)vip.qq.com>;
Cc: "Pki-users"<Pki-users(a)redhat.com>;
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "
I don't see anything in the code about pkiclient.xml.
Can you detail exactly what you did to test SCEP?
Thanks,
Ade
On Sun, 2013-04-28 at 15:13 +0800, 骷髅猫 wrote:
> Hi Alee
>
>
> Thank you, I finished the configuration for the RA server by disabling
> SELinux.
> But when I test the SCEP feature, I got such error:
> In error log:
> [Sun Apr 28 03:05:56.891164 2013] [:error] [pid 1822:tid
> 140696560207616] [Sun Apr 28 03:05:56 2013] -e: Could not find
> pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/
> at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.\n
>
>
> on firefox:
> Software error:
> Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
>
> For help, please send mail to the webmaster (you(a)example.com), giving
> this error message and the time and date of the error.
>
> Thanks
> sbaa
> ------------------ Original Message ------------------
> From: "alee"<alee(a)redhat.com>;
> Sent: Sunday, April 28, 2013, 2:00 PM
> To: "骷髅猫"<sbaa(a)vip.qq.com>;
> Cc: "Pki-users"<Pki-users(a)redhat.com>;
> Subject: Re: Re: [Pki-users] "Security Domain HTTPS Admin URL not found "
>
>
> I ran into the same problem:
>
> The one you want is https://localhost.domain:8443
>
> I resolved this by setting selinux in permissive mode. I will file a
> bug against selinux policy on Monday.
>
> Ade
>
> On Sun, 2013-04-28 at 02:27 +0800, 骷髅猫 wrote:
> > Hi alee
> >
> >
> > I tried following urls
> >
> >
> > https://localhost.localdomain:8443
> > https://localhost.localdomain:8443/ca
> > http://localhost.localdomain:8080
> > http://localhost.localdomain:8080/ca
> >
> >
> > but all failed.
> >
> >
> > and i found some info in error log (/var/log/pki-ra/error_log )
> > GET /ca/admin/ca/getStatus HTTP/1.0
> >
> >
> > port: 8443
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5985:
> > GET /ca/admin/ca/getStatus HTTP/1.0
> >
> >
> > port: 9445
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5961:
> >
> >
> > ------------------ Original Message ------------------
> > From: "Ade Lee"<alee(a)redhat.com>;
> > Sent: Sunday, April 28, 2013, 1:04 AM
> > To: "骷髅猫"<sbaa(a)vip.qq.com>;
> > Cc: "Pki-users"<Pki-users(a)redhat.com>;
> > Subject: Re: [Pki-users] "Security Domain HTTPS Admin URL not found "
> >
> >
> > What value are you putting in for your security domain?
> >
> > Ade
> > On Sat, 2013-04-27 at 23:39 +0800, 骷髅猫 wrote:
> > > Hi All
> > > I'm a new user of dogtag.
> > > I tried the latest build 10.0.2.
> > > I installed the CA server successfully, but when I configure an RA subsystem,
> > >
> > >
> > > url :
> > > https://localhost.localdomain:12890/ra/admin/console/config/wizard
> > >
> > >
> > > it always shows the error "Security Domain HTTPS Admin URL not found"
> > > and "Create a New Security Domain" cannot be chosen.
> > > Any ideas?
> > >
> > >
> > > thanks
> > >
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
11 years, 7 months