<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Oops, the slapd messages are arriving every 60s, not 5m.<br>
</p>
<br>
<div class="moz-cite-prefix">On 05/18/2017 08:56 AM, Bret Wortman
wrote:<br>
</div>
<blockquote
cite="mid:1326f0de-44ce-7728-b20c-2567997c8b04@damascusgrp.com"
type="cite">
<p>httpd_error seems to give the most information. When I try to
use ipa cert-show:</p>
<p><font face="Courier New, Courier, monospace">ipa: INFO:
[jsonserver_kerb] <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a>:
ping(): SUCCESS<br>
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8009 (localhost) failed<br>
AH00959: ap_proxy_connect_backend disabling worker for
(locahost) for 60s<br>
[client 192.168.208.54:52714] AH00896: failed to make
connection to backend: localhost<br>
ipa: ERROR: ra.get_certificate(): Unable to communicate with
CMS (503)<br>
ipa: INFO: [jsonserver_kerb] <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a>:
cert_show/1(u'895', version=u'2.213'):
CertificateOperationError</font></p>
<p>/var/log/pki/pki-tomcat/ca/debug just loops through the same
set of messages every 5 minutes or so but doesn't seem to error.</p>
<p>/var/log/pki/localhost_access_log.2017-05-18.txt is basically
empty except for a single entry (for a POST to
/ca/admin/ca/getStatus)<br>
</p>
Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access
when I issue the request, but periodic messages do appear about
every 5 minutes or so.<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/18/2017 08:43 AM, Bret Wortman
wrote:<br>
</div>
<blockquote
cite="mid:61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com"
type="cite">On 04/26/2017 06:02 PM, Rob Crittenden wrote: <br>
<blockquote type="cite">Bret Wortman wrote: <br>
<blockquote type="cite">So I can see my certs using cert-find,
but can't get details using <br>
cert-show or add new ones using cert-request. <br>
<br>
# ipa cert-find <br>
: <br>
------------------------------ <br>
Number of entries returned 385 <br>
------------------------------ <br>
# ipa cert-show 895 <br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to <br>
communicate with CMS (503) <br>
# ipa cert-show 1 (which does not exist) <br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to <br>
communicate with CMS (503) <br>
# ipa cert-status 895 <br>
ipa: ERROR: Certificate operation cannot be completed:
Unable to <br>
communicate with CMS (503) <br>
# <br>
<br>
Is this an IPV6 thing? Because ipactl shows everything green
and <br>
certmonger is running. <br>
</blockquote>
Doubtful. <br>
<br>
cert-find and cert-show use different APIs in dogtag.
cert-find uses the <br>
newer RESTful API and cert-show uses the older XML-based API
(and is <br>
authenticated). I'm guessing that is where the issue lies. <br>
<br>
What I'd recommend doing is noting the time, restarting the
CA, and then <br>
plow through the debug log looking for failures. It could be
that the CA <br>
is only partially up (and I'd check your CA subsystem certs as
well). <br>
</blockquote>
Which debug log, specifically, do you think will help? I'm also
not sure what you mean by, "check your CA subsystem certs." We
still have pending CSRs that we can't grant until I get this
working again. <br>
<blockquote type="cite">rob <br>
<br>
<blockquote type="cite">Bret <br>
<br>
<br>
On 04/26/2017 09:03 AM, Bret Wortman wrote: <br>
<blockquote type="cite">Digging still deeper: <br>
<br>
# ipa cert-request f.f
--principal=HTTP/`hostname`@DAMASCUSGRP.COM <br>
ipa: ERROR: Certificate operation cannot be
completed: Unable to <br>
communicate with CMS (503) <br>
<br>
Looks like this is an HTTP error; so is it possible that
my IPA thinks <br>
it has a CA but there's no CMS available? <br>
<br>
<br>
On 04/26/2017 08:41 AM, Bret Wortman wrote: <br>
<blockquote type="cite">Using the firefox debugger, I get
these errors when trying to pop up <br>
the New Certificate dialog: <br>
<br>
Empty string passed to
getElementById(). (5) <br>
jquery.js:4:1060 <br>
TypeError: u is undefined <br>
app.js:1:362059 <br>
Empty string passed to
getElementById(). (5) <br>
jquery.js:4:1060 <br>
TypeError: t is undefined <br>
app.js:1:217432 <br>
<br>
I'm definitely not a web kind of guy so I'm not sure if
this is <br>
helpful or not. This is on 4.4.0, API Version 2.213. <br>
<br>
<br>
Bret <br>
<br>
<br>
On 04/26/2017 08:35 AM, Bret Wortman wrote: <br>
<blockquote type="cite">Good news. One of my servers
_does_ have CA installed. So why does <br>
"Action -> New Certificate" not do anything on this
or any other server? <br>
<br>
<br>
Bret <br>
<br>
<br>
On 04/25/2017 02:52 PM, Bret Wortman wrote: <br>
<blockquote type="cite">I recently had to upgrade all
my Fedora IPA servers to C7. It went <br>
well, and we've been up and running nicely on 4.4.0
on C7 for the <br>
past month or so. <br>
<br>
Today, someone came and asked me to generate a new
certificate for <br>
their web server. All was good until I went to the
IPA UI and tried <br>
to perform Actions->New Certificate, which did
nothing. I tried <br>
each of our 3 servers in turn. All came back with no
popup window <br>
and no error, either. <br>
<br>
I suspect the problem might be that we no longer
have a CA server <br>
due to the method I used to upgrade the servers. I
likely missed a <br>
"--setup-ca" in there somewhere, so my rolling
update rolled over <br>
the CA. <br>
<br>
What's my best hope of recovery? I never ran this
before, so I'm <br>
not sure if this shows that I'm missing a CA or not:
<br>
<br>
# ipa ca-find <br>
------------ <br>
1 CA matched <br>
------------ <br>
Name: ipa <br>
Description IPA CA <br>
Authority ID: 3ce3346[...] <br>
Subject DN: CN=Certificate Authority,
O=DAMASCUSGRP.COM <br>
Issuer DN: CN=Certificate
Authority,O=DAMASCUSGRP.COM <br>
---------------------------- <br>
Number of entries returned 1 <br>
---------------------------- <br>
# ipa ca-add dg --desc "Damascus Group"
--subject "CN=DG CA, <br>
O=DAMASCUSGRP.COM" <br>
ipa: ERROR: Failed to authenticate to CA REST
API <br>
# klist <br>
Ticket cache: KEYRING:persistent:0:0 <br>
Default principal: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a>
<br>
<br>
Valid starting Expires
Service principal <br>
04/25/2017 18:48:26 04/26/2017 18:48:21 <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM">krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM</a>
<br>
# <br>
<br>
<br>
What's my best path of recovery? <br>
<br>
-- <br>
*Bret Wortman* <br>
The Damascus Group <br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
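<p>Added example, not from this thread and not FreeIPA or Dogtag code: a small Python triage script that parses the httpd_error lines quoted above (the mod_proxy_ajp AH00957/AH00959 codes) to identify the backend the proxy cannot reach, then probes whether anything is listening on that AJP port, which is the first thing to check when cert-show reports "Unable to communicate with CMS (503)". The sample log and all function names are constructed for this example.</p>

```python
"""Triage helper for 'Unable to communicate with CMS (503)': parse the mod_proxy_ajp
codes quoted in the thread (AH00957, AH00959) and probe the unreachable backend."""
import re
import socket

# Constructed sample: the httpd_error lines quoted in the thread.
SAMPLE_LOG = """\
(111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s
[client 192.168.208.54:52714] AH00896: failed to make connection to backend: localhost
ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
"""
AJP_CONNECT_RE = re.compile(r"AH00957: AJP: attempt to connect to (?P<host>[\d.]+):(?P<port>\d+)")
WORKER_DISABLED_RE = re.compile(r"AH00959: .*disabling worker for \((?P<worker>[^)]+)\) for (?P<secs>\d+)s")

def parse_ajp_failures(log_text):
    """Collect unreachable AJP backends, disabled workers and CMS 503 errors."""
    found = {"backends": set(), "disabled_workers": [], "cms_503": False}
    for line in log_text.splitlines():
        m = AJP_CONNECT_RE.search(line)
        if m:
            found["backends"].add((m.group("host"), int(m.group("port"))))
        m = WORKER_DISABLED_RE.search(line)
        if m:
            found["disabled_workers"].append((m.group("worker"), int(m.group("secs"))))
        if "Unable to communicate with CMS (503)" in line:
            found["cms_503"] = True
    return found

def backend_listening(host, port, timeout=1.0):
    """True if host:port accepts a TCP connection, i.e. the AJP connector is up."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(log_text, probe=backend_listening):
    """Turn the parsed evidence into short diagnosis lines; probe is injectable."""
    found = parse_ajp_failures(log_text)
    out = []
    for host, port in sorted(found["backends"]):
        state = "listening" if probe(host, port) else "NOT listening"
        out.append(f"AJP backend {host}:{port} is {state}: check that pki-tomcat is running")
    for worker, secs in found["disabled_workers"]:
        out.append(f"mod_proxy disabled worker {worker}; it retries after {secs}s")
    if found["cms_503"] and not found["backends"]:
        out.append("CMS 503 without AJP errors: read the CA debug log around that time")
    return out
```

Run `triage(SAMPLE_LOG)` on a CA host to see whether the 8009 connector is actually accepting connections; the 60s retry in AH00959 is also why the failure repeats once a minute rather than every five.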
<br>
</body>
</html>