<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>The closest I found was this:</p>
<pre>[02/May/2017:14:33:57][localhost-startStop-1]: No rule can be found for publishing: cacert
[02/May/2017:14:33:37][localhost-startStop-1]: published ca cert
[02/May/2017:14:33:37][localhost-startStop-1]: CMSEngine: ca startup done
</pre>
<br>
<div class="moz-cite-prefix">On 05/02/2017 10:50 AM, Bret Wortman
wrote:<br>
</div>
<blockquote
cite="mid:aac542ee-1e7d-15ff-d9ec-ef50ac672d1c@damascusgrp.com"
type="cite">I plowed through /var/log/pki/pki-tomcat/ca/debug, but
nothing jumps out as looking like an error.
<br>
<br>
The cert-show failure is troubling, but my inability to get CSRs
turned into certs is what's actually driving this.
<br>
<br>
<br>
Bret
<br>
<br>
<br>
On 04/26/2017 06:02 PM, Rob Crittenden wrote:
<br>
<blockquote type="cite">Bret Wortman wrote:
<br>
<blockquote type="cite">So I can see my certs using cert-find,
but can't get details using
<br>
cert-show or add new ones using cert-request.
<br>
<br>
# ipa cert-find
<br>
:
<br>
------------------------------
<br>
Number of entries returned 385
<br>
------------------------------
<br>
# ipa cert-show 895
<br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to
<br>
communicate with CMS (503)
<br>
# ipa cert-show 1 (which does not exist)
<br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to
<br>
communicate with CMS (503)
<br>
# ipa cert-status 895
<br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to
<br>
communicate with CMS (503)
<br>
#
<br>
<br>
Is this an IPv6 thing? Because ipactl shows everything green
and
<br>
certmonger is running.
<br>
</blockquote>
Doubtful.
<br>
<br>
cert-find and cert-show use different APIs in dogtag. cert-find
uses the
<br>
newer RESTful API and cert-show uses the older XML-based API
(and is
<br>
authenticated). I'm guessing that is where the issue lies.
<br>
<br>
What I'd recommend doing is noting the time, restarting the CA,
and then
<br>
plowing through the debug log looking for failures. It could be
that the CA
<br>
is only partially up (and I'd check your CA subsystem certs as
well).
<br>
<br>
rob
<br>
<br>
<blockquote type="cite">Bret
<br>
<br>
<br>
On 04/26/2017 09:03 AM, Bret Wortman wrote:
<br>
<blockquote type="cite">Digging still deeper:
<br>
<br>
# ipa cert-request f.f
--principal=HTTP/`hostname`@DAMASCUSGRP.COM
<br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to
<br>
communicate with CMS (503)
<br>
<br>
Looks like this is an HTTP error; so is it possible that my
IPA thinks
<br>
it has a CA but there's no CMS available?
<br>
<br>
<br>
On 04/26/2017 08:41 AM, Bret Wortman wrote:
<br>
<blockquote type="cite">Using the Firefox debugger, I get
these errors when trying to pop up
<br>
the New Certificate dialog:
<br>
<br>
Empty string passed to getElementById().
(5)
<br>
jquery.js:4:1060
<br>
TypeError: u is undefined
<br>
app.js:1:362059
<br>
Empty string passed to getElementById().
(5)
<br>
jquery.js:4:1060
<br>
TypeError: t is undefined
<br>
app.js:1:217432
<br>
<br>
I'm definitely not a web kind of guy so I'm not sure if
this is
<br>
helpful or not. This is on 4.4.0, API Version 2.213.
<br>
<br>
<br>
Bret
<br>
<br>
<br>
On 04/26/2017 08:35 AM, Bret Wortman wrote:
<br>
<blockquote type="cite">Good news. One of my servers
_does_ have CA installed. So why does
<br>
"Action -> New Certificate" not do anything on this
or any other server?
<br>
<br>
<br>
Bret
<br>
<br>
<br>
On 04/25/2017 02:52 PM, Bret Wortman wrote:
<br>
<blockquote type="cite">I recently had to upgrade all my
Fedora IPA servers to C7. It went
<br>
well, and we've been up and running nicely on 4.4.0 on
C7 for the
<br>
past month or so.
<br>
<br>
Today, someone came and asked me to generate a new
certificate for
<br>
their web server. All was good until I went to the IPA
UI and tried
<br>
to perform Actions->New Certificate, which did
nothing. I tried
<br>
each of our 3 servers in turn. All came back with no
popup window
<br>
and no error, either.
<br>
<br>
I suspect the problem might be that we no longer have
a CA server
<br>
due to the method I used to upgrade the servers. I
likely missed a
<br>
"--setup-ca" in there somewhere, so my rolling update
rolled over
<br>
the CA.
<br>
<br>
What's my best hope of recovery? I never ran this
before, so I'm
<br>
not sure if this shows that I'm missing a CA or not:
<br>
<br>
# ipa ca-find
<br>
------------
<br>
1 CA matched
<br>
------------
<br>
Name: ipa
<br>
Description IPA CA
<br>
Authority ID: 3ce3346[...]
<br>
Subject DN: CN=Certificate Authority,
O=DAMASCUSGRP.COM
<br>
Issuer DN: CN=Certificate
Authority,O=DAMASCUSGRP.COM
<br>
----------------------------
<br>
Number of entries returned 1
<br>
----------------------------
<br>
# ipa ca-add dg --desc "Damascus Group" --subject
"CN=DG CA,
<br>
O=DAMASCUSGRP.COM"
<br>
ipa: ERROR: Failed to authenticate to CA REST API
<br>
# klist
<br>
Ticket cache: KEYRING:persistent:0:0
<br>
Default principal: admin@DAMASCUSGRP.COM
<br>
<br>
Valid starting Expires Service
principal
<br>
04/25/2017 18:48:26 04/26/2017 18:48:21
<br>
krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM
<br>
#
<br>
<br>
<br>
What's my best path of recovery?
<br>
<br>
-- <br>
*Bret Wortman*
<br>
The Damascus Group
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
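<p>Rob's suggestion above (note the time, restart the CA, then comb /var/log/pki/pki-tomcat/ca/debug for failures) is tedious to do by eye on a busy log. The script below is an added example for this thread, not code from any message in it and not FreeIPA or Dogtag code. It parses the <code>[timestamp][thread]: message</code> line format seen in the quoted debug-log excerpt, keeps only entries at or after the noted restart time, and flags messages containing common failure wording; continuation lines without a timestamp (stack traces) are attached to the preceding entry. The keyword list, the restart time and the lines marked "constructed sample" are assumptions; the three other sample lines are the ones quoted in the thread.</p>

```python
"""Scan a Dogtag (pki-tomcat) CA debug log for failure-looking entries
logged after a given restart time.

Added example for this mailing-list thread; not FreeIPA or Dogtag code.
Line format taken from the debug-log excerpt quoted in the thread; the
failure markers, RESTART_TIME and the "constructed sample" lines are
assumptions.
"""
import re
import sys
from datetime import datetime

# One debug-log entry: "[02/May/2017:14:33:57][localhost-startStop-1]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

# Substrings that usually indicate a failure (assumption; extend as needed).
FAILURE_MARKERS = ("error", "exception", "fail", "cannot", "unable",
                   "no rule can be found")

# Constructed sample log. Lines 2-4 are the ones quoted in the thread; the
# others are made up for this example and say so in their text.
SAMPLE_LOG = """\
[02/May/2017:14:20:01][http-bio-8443-exec-3]: constructed sample: error before the restart, should be ignored
[02/May/2017:14:33:37][localhost-startStop-1]: published ca cert
[02/May/2017:14:33:37][localhost-startStop-1]: CMSEngine: ca startup done
[02/May/2017:14:33:57][localhost-startStop-1]: No rule can be found for publishing: cacert
[02/May/2017:14:34:10][localhost-startStop-1]: constructed sample: subsystem check failed
constructed sample: Exception detail on a continuation line without a timestamp
"""

# Constructed: the time noted just before restarting the CA.
RESTART_TIME = datetime(2017, 5, 2, 14, 33, 0)


def parse_line(line):
    """Return (timestamp, thread, message) for a timestamped entry, or None
    for lines that do not match (stack-trace continuations, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("thread"), m.group("msg")


def find_failures(lines, since, markers=FAILURE_MARKERS):
    """Return a list of (timestamp, thread, message) for entries at or after
    `since` whose text contains one of `markers` (case-insensitive).
    Lines without a timestamp inherit the time and thread of the previous
    timestamped entry, so exception detail under a stack trace is kept."""
    hits = []
    current = None  # (timestamp, thread) of the most recent timestamped entry
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is not None:
            ts, thread, msg = parsed
            current = (ts, thread)
        else:
            if current is None:
                continue  # continuation before any entry: nothing to attach to
            ts, thread = current
            msg = line.strip()
        if ts < since:
            continue  # logged before the restart, not of interest
        lowered = msg.lower()
        if any(marker in lowered for marker in markers):
            hits.append((ts, thread, msg))
    return hits


def scan_log_text(text, since):
    """Convenience wrapper: scan a whole log file's contents."""
    return find_failures(text.splitlines(), since)


if __name__ == "__main__":
    # Usage: python scan_ca_debug.py [/var/log/pki/pki-tomcat/ca/debug]
    # Without an argument the constructed sample log is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for ts, thread, msg in scan_log_text(text, RESTART_TIME):
        print(f"{ts:%d/%b/%Y:%H:%M:%S} [{thread}] {msg}")
```

<p>Run against the real debug log, RESTART_TIME should be set to the time noted before the restart; everything the script prints is then a candidate for the "partially up CA" Rob describes, with the publishing-rule message from the excerpt above being the kind of line it is meant to surface.</p>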
</body>
</html>