Hello all,
I have been running a FreeIPA server on CentOS for 2 years now with mostly
Ubuntu 12.04 and some Fedora 20 clients.
For one week (or more) it has not been possible to install new
clients (neither Ubuntu nor Fedora). The host gets created on the
IPA server but it cannot create/exchange a host certificate.
The only thing that happened (except regular updates) was a complete
certificate renewal with no obvious problems some weeks ago.
The web interface and certmonger show the same error.
ipa-getcert list on the new hosts:
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: FAILURE (Invalid
Request)).
stuck: yes
Debug log from the server is attached.
C. Schuze
[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for
servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz
mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: according to ccMode, authorization for
servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz
mgr: {2}.
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet:service() uri =
//ca/eeca/ca/profileSubmitSSLClient
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param
name='cert_request_type' value='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param
name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm
*************************
KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
/Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
-----END NEW CERTIFICATE REQUEST-----'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param name='xml'
value='true'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet::service() param
name='profileId' value='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: CMSServlet: caProfileSubmitSSLClient
start to service.
[16/Oct/2014:10:15:02][TP-Processor3]: xmlOutput true
[16/Oct/2014:10:15:02][TP-Processor3]: Start of ProfileSubmitServlet Input
Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter
cert_request_type='pkcs10'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter
cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm
*************************
KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
/Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
-----END NEW CERTIFICATE REQUEST-----'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter
xml='true'
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet Input Parameter
profileId='caIPAserviceCert'
[16/Oct/2014:10:15:02][TP-Processor3]: End of ProfileSubmitServlet Input
Parameters
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: start serving
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: SubId=profile
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: isRenewal false
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: profileId
caIPAserviceCert
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authenticator
raCertAuth found
[16/Oct/2014:10:15:02][TP-Processor3]:
ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmistServlet: set Inputs into
profile Context
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: set
sslClientCertProvider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: start
[16/Oct/2014:10:15:02][TP-Processor3]: authenticator instance name is raCertAuth
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got provider
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: retrieving
client certificate
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthenticator: got certificates
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: check if ipara is in group Registration
Manager Agents
[16/Oct/2014:10:15:02][TP-Processor3]: UGSubsystem.isMemberOf() using new
lookup code
[16/Oct/2014:10:15:02][TP-Processor3]: In LdapBoundConnFactory::getConn()
[16/Oct/2014:10:15:02][TP-Processor3]: masterConn is connected: true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: conn is connected true
[16/Oct/2014:10:15:02][TP-Processor3]: getConn: mNumConns now 2
[16/Oct/2014:10:15:02][TP-Processor3]: authorization search base:
cn=Registration Manager Agents,ou=groups,o=ipaca
[16/Oct/2014:10:15:02][TP-Processor3]: authorization search filter:
(uniquemember=uid=ipara,ou=people,o=ipaca)
[16/Oct/2014:10:15:02][TP-Processor3]: authorization result: true
[16/Oct/2014:10:15:02][TP-Processor3]: returnConn: mNumConns now 3
[16/Oct/2014:10:15:02][TP-Processor3]: AgentCertAuthentication: authenticated
uid=ipara,ou=people,o=ipaca
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet authToken not null
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: authz using acl:
[16/Oct/2014:10:15:02][TP-Processor3]: Start parsePKCS10(): -----BEGIN NEW
CERTIFICATE REQUEST-----
MIIDojCCAooCAQAwSTEfMB0GA1UEChMWV1c4LldXLlVOSS1FUkxBTkdFTi5ERTEm
*************************
KUcSD/bprTEoF8xn/sX9SpUhxd9yEAYANxFTo610rSd/eeWDXXItFbnbWvkbUqLQ
/Tfh+zAN4gEEDVHWa1avLr5bckXYIA==
-----END NEW CERTIFICATE REQUEST-----
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10: signature
verification enabled
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10
org.mozilla.jss.NoSuchTokenException
[16/Oct/2014:10:15:02][TP-Processor3]: EnrollProfile: parsePKCS10 restoring
thread token
Invalid Request
at
com.netscape.cms.profile.common.EnrollProfile.parsePKCS10(EnrollProfile.java:953)
at
com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:102)
at
com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:1001)
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EEClientAuthRequestFilter.doFilter(EEClientAuthRequestFilter.java:123)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:701)
[16/Oct/2014:10:15:02][TP-Processor3]: ProfileSubmitServlet: createRequests
Invalid Request
[16/Oct/2014:10:15:03][TP-Processor3]: CMSServlet: curDate=Thu Oct 16 10:15:03
CEST 2014 id=caProfileSubmitSSLClient time=124
[16/Oct/2014:10:16:43][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized before.
[16/Oct/2014:10:16:43][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized.
[16/Oct/2014:10:16:43][Timer-0]: SecurityDomainSessionTable: getSessionIds():
no sessions have been created