I am totally new to PKI but was tasked with getting Dogtag working with SCEP for Cisco routers. This issue was seen on a Fedora 20 "Minimal" installation (yum upgrade done on 2014-01-16) with only 389-ds and Dogtag 10 with their dependencies installed via yum. The CA was installed using pkispawn.
pkicreate was used for the RA but I then ran into issues from the Wizard with the error !Security Domain HTTPS Admin URL not found!
```
pkicreate -pki_instance_root=/var/lib \
          -pki_instance_name=pki-ra \
          -subsystem_type=ra \
          -secure_port=12889 \
          -non_clientauth_secure_port=12890 \
          -unsecure_port=12888 \
          -user=pkiuser \
          -group=pkiuser \
          -redirect conf=/etc/pki-ra \
          -redirect logs=/var/log/pki-ra \
          -verbose
```
The RA wizard would always give the error even when putting in the correct URL for the CA. I found a resolved ticket that referenced the same general behavior [ticket:797], but didn't find any solution from it.
Working with some people on IRC, we were eventually able to find PR_Connect errors in the /var/log/pki-ra/error_log that pointed to an issue with SELinux:
```
[Thu Jan 16 17:04:07.347614 2014] [authz_core:debug] [pid 2970:tid 2948545344] mod_authz_core.c(802): [client 192.168.40.172:58609] AH01626: authorization result of <RequireAny>: granted, referer: https://CAhost:12890/ra/admin/console/config/wizard
GET /ca/admin/ca/getStatus HTTP/1.0
port: 8443 addr='CAhost' family='2' IP='172.21.1.210'
exit after PR_Connect with error -5966:
GET /ca/admin/ca/getStatus HTTP/1.0
port: 9445 addr='CAhost' family='2' IP='172.21.1.210'
exit after PR_Connect with error -5961:
```
The workaround was to just do setenforce 0 and restart the CA and RA services before running the wizard again.
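The following triage script is an added example, not part of the original ticket or of Dogtag: it pulls the `PR_Connect` failures out of an RA `error_log` excerpt and maps the numeric codes to their NSPR names, flagging the access-denied code that points at a local policy block such as SELinux. The function and variable names are hypothetical, and the sample text is constructed from the excerpt above.

```python
import re

# Subset of NSPR error codes (from NSPR's prerr.h) relevant to connect failures.
NSPR_ERRORS = {
    -5981: "PR_CONNECT_REFUSED_ERROR",
    -5980: "PR_NETWORK_UNREACHABLE_ERROR",
    -5979: "PR_CONNECT_TIMEOUT_ERROR",
    -5966: "PR_NO_ACCESS_RIGHTS_ERROR",   # connect() was denied locally (EACCES)
    -5961: "PR_CONNECT_RESET_ERROR",
}
# Codes that suggest the local host refused the operation, e.g. an SELinux
# denial, rather than the remote CA being down or unreachable.
LOCAL_DENIAL = {-5966}

# One connection attempt: "port: N addr='H' ... exit after PR_Connect with error C"
ATTEMPT = re.compile(
    r"port:\s*(?P<port>\d+)\s+addr='(?P<addr>[^']*)'"
    r".*?exit after PR_Connect with error (?P<code>-?\d+)",
    re.DOTALL,
)

def triage(log_text):
    """Return one finding per failed PR_Connect attempt found in log_text."""
    findings = []
    for m in ATTEMPT.finditer(log_text):
        code = int(m["code"])
        findings.append({
            "addr": m["addr"],
            "port": int(m["port"]),
            "code": code,
            "name": NSPR_ERRORS.get(code, "UNKNOWN"),
            # If True, review recent AVC denials in the audit log
            # (e.g. `ausearch -m avc -ts recent`) before changing enforcement.
            "check_selinux": code in LOCAL_DENIAL,
        })
    return findings

# Constructed sample, taken from the error_log excerpt quoted in this ticket.
SAMPLE = """GET /ca/admin/ca/getStatus HTTP/1.0
port: 8443 addr='CAhost' family='2' IP='172.21.1.210'
exit after PR_Connect with error -5966:
GET /ca/admin/ca/getStatus HTTP/1.0
port: 9445 addr='CAhost' family='2' IP='172.21.1.210'
exit after PR_Connect with error -5961:"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```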
Metadata Update from @unixgal: - Issue set to the milestone: N/A
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1396
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.