[Freeipa-users] TLS error on master server / CA issue?

Rob Crittenden rcritten at redhat.com
Fri Feb 28 17:14:25 UTC 2014


KodaK wrote:
> Hey everyone,
>
> A couple of days ago I started getting the following message:
>
> [jebalicki at slpidml01 ~]$ ipa cert-show 1
> ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
> ipa: INFO: Forwarding 'cert_show' to server
> u'https://slpidml01.unix.xxx.com/ipa/xml'
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> I get a similar error in the GUI when looking at hosts.
>
> slpidml01 is my "master" -- the one I initially built.  The other
> replicas also replicated the CA.
>
> After some digging (and prompting from Red Hat support) I've found the
> following:
>
> [root at slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
> -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
> ldap_start_tls: Connect error (-11)
>          additional info: TLS error -8172:Peer's certificate issuer has
> been marked as not trusted by the user.
>
> But, interestingly, from another replica:
>
> [jebalicki at slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
> -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=unix,dc=xxx,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> ...
>
> So, obviously some certificate got hosed up somewhere.  I've been
> digging but I haven't found it yet.
>
> Anyone have any ideas?
>
> I have a ticket open with RH support, but I think I somehow got put with
> someone with a completely different sleep schedule -- I get replies at 3
> in the morning.  So, I'm asking here because I'm impatient. :)

Check certificate expiration. Run getcert list to see what the status is.

rob
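Rob's pointer is to certmonger's view of the tracked certificates. The shell function below is an added example, not code from the thread or from FreeIPA: it reads `getcert list` output and prints one line per tracked request, marking it EXPIRED when the expiry timestamp is in the past or ATTENTION when the status is anything other than MONITORING. The sample output it runs on is constructed (request IDs, NSS database paths, nicknames and dates are made up, in the format certmonger prints). Timestamps are compared as zero-padded "YYYY-MM-DD HH:MM:SS" strings, so the script is plain POSIX sh and needs no GNU `date -d`. For orientation, NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER: the client-side NSS trust database on slpidml01 rejects the issuer, which fits the same query succeeding from slpidml02.

```shell
#!/bin/sh
# Added example (not from the thread): audit `getcert list` output for
# expired or non-MONITORING tracked certificates.
# On a FreeIPA server, as root:
#   getcert list | audit_getcert "$(date -u '+%Y-%m-%d %H:%M:%S')"

# audit_getcert NOW   reads getcert output on stdin and prints one line per
# request: "<request id> <status> <expires> <verdict>".
# NOW must be "YYYY-MM-DD HH:MM:SS" in UTC; certmonger prints expiry the same
# way, so a plain string comparison orders the two timestamps correctly.
audit_getcert() {
    awk -v now="$1" '
        function report() {
            verdict = "OK"
            if (expires != "unknown" && expires <= now) verdict = "EXPIRED"
            else if (status != "MONITORING")            verdict = "ATTENTION"
            printf "%s %s %s %s\n", id, status, expires, verdict
        }
        /^Request ID/ {
            if (id != "") report()                 # flush the previous record
            id = $3; gsub(/[^0-9A-Za-z]/, "", id)  # drop quotes and colon
            status = "unknown"; expires = "unknown"
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, ""); expires = $0 }
        END { if (id != "") report() }
    '
}

# Constructed sample of getcert list output (hypothetical IDs, paths, dates).
# certmonger indents fields with a tab; the parser accepts tabs or spaces.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140101000001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-XXX-COM',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-XXX-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.XXX.COM
    subject: CN=slpidml01.unix.xxx.com,O=UNIX.XXX.COM
    expires: 2015-01-15 12:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20140101000002':
    status: CA_UNREACHABLE
    ca-error: Server at https://slpidml01.unix.xxx.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.XXX.COM
    subject: CN=IPA RA,O=UNIX.XXX.COM
    expires: 2014-02-25 14:00:00 UTC
    track: yes
    auto-renew: yes
EOF
)

# Evaluate the sample at the time of the thread (28 Feb 2014, UTC).
printf '%s\n' "$SAMPLE" | audit_getcert "2014-02-28 17:14:25"
```

An EXPIRED line for a certificate certmonger could not renew (status CA_UNREACHABLE, stuck: yes) is the pattern to look for first; run the audit on each replica, since every IPA server tracks its own copies.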