[Freeipa-users] TLS error on master server / CA issue?

Rob Crittenden rcritten at redhat.com
Fri Feb 28 19:05:56 UTC 2014 

KodaK wrote:
>
>
>
> On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     KodaK wrote:
>
>         Hey everyone,
>
>         A couple of days ago I started getting the following message:
>
>         [jebalicki at slpidml01 ~]$ ipa cert-show 1
>         ipa: INFO: trying https://slpidml01.unix.xxx.__com/ipa/xml
>         <https://slpidml01.unix.xxx.com/ipa/xml>
>         ipa: INFO: Forwarding 'cert_show' to server
>         u'https://slpidml01.unix.xxx.__com/ipa/xml
>         <https://slpidml01.unix.xxx.com/ipa/xml>'
>         ipa: ERROR: Certificate operation cannot be completed: Unable to
>         communicate with CMS (Not Found)
>
>         I get a similar error in the GUI when looking at hosts.
>
>         slpidml01 is my "master" -- the one I initially built.  The other
>         replicas also replicated the CA.
>
>         After some digging (and prompting from Red Hat support) I've
>         found the
>         following:
>
>         [root at slpidml01 ~]# ldapsearch -ZZ -H
>         ldap://slpidml01.unix.xxx.com <http://slpidml01.unix.xxx.com>
>         <http://slpidml01.unix.xxx.com__> -D "cn=Directory Manager" -W -b
>
>         "dc=unix,dc=xxx,dc=com" -x
>         ldap_start_tls: Connect error (-11)
>                   additional info: TLS error -8172:Peer's certificate
>         issuer has
>         been marked as not trusted by the user.
>
>         But, interestingly, from another replica:
>
>         [jebalicki at slpidml02 ~]$ ldapsearch -ZZ -H
>         ldap://slpidml01.unix.xxx.com <http://slpidml01.unix.xxx.com>
>         <http://slpidml01.unix.xxx.com__> -D "cn=Directory Manager" -W -b
>
>         "dc=unix,dc=xxx,dc=com" -x
>         Enter LDAP Password:
>         # extended LDIF
>         #
>         # LDAPv3
>         # base <dc=unix,dc=xxx,dc=com> with scope subtree
>         # filter: (objectclass=*)
>         # requesting: ALL
>         ...
>
>         So, obviously some certificate got hosed up somewhere.  I've been
>         digging but I haven't found it yet.
>
>         Anyone have any ideas?
>
>         I have a ticket open with RH support, but I think I somehow got
>         put with
>         someone with a completely different sleep schedule -- I get
>         replies at 3
>         in the morning.  So, I'm asking here because I'm impatient. :)
>
>
>     Check certificate expiration. Run getcert list to see what the
>     status is.
>
>     rob
>
>
> None are expired, but there are some coming up soon:
>
> [root at slpidml01 ~]# getcert list | grep expires
>          expires: 2014-03-29 19:03:31 UTC
>          expires: 2014-03-29 19:04:04 UTC
>          expires: 2014-03-29 19:04:30 UTC
>          expires: 2016-02-09 06:26:34 UTC
>          expires: 2016-02-09 06:25:34 UTC
>          expires: 2016-02-09 06:25:34 UTC
>          expires: 2016-02-09 06:25:34 UTC
>          expires: 2016-02-09 06:25:34 UTC

Ok. CA requests are proxied through Apache so a Not Found means that the 
CA isn't running. Check the trust on the audit cert:

# certutil -L -d /var/lib/pki-ca/alias

The trust for the audit signing cert should be u,u,Pu

If it doesn't have it, fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' 
-t u,u,Pu

Then restart the CA (or all of IPA if you wish).

For the LDAP searches you may want to try the commands again, preceding 
them with LDAPTLS_CACERT=/etc/ipa/ca.crt
rob

More information about the Freeipa-users mailing list