[Freeipa-users] certificate renewal stuck

Rob Crittenden rcritten at redhat.com
Sat Aug 29 18:08:20 UTC 2015


Mike LoSapio wrote:
> I suspect that was the issue -
>
> Of course moved on to something else (hostname removed)
>
> Request ID '20140520151448':
> 	status: CA_UNREACHABLE
> 	ca-error: Server at https://ldapserver/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)).

The Not Found comes from the Apache proxy forwarding to the CA. This 
usually means that while tomcat is up the CA webapp is not running. This 
is usually caused by the audit subsystem killing it for having expired 
certs, bad trust, etc. The CA debug log may hold more details.

The usual fix is to go back in time when the certs are still valid and 
get certmonger to do the renewal for you.

rob


> I'm assuming this new error is a result of my failed attempt at updating the
> certificates...
>
> Any idea if I was heading down the correct path? - I would have assumed
> these certs would have renewed themselves since I'm +3.0.
>
>
> I see the Configure renewal section but it's an odd situation where we have
> to renew and reconfigure...
>
> --Mike
>
>
> On 8/28/15, 7:45 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>> Mike LoSapio wrote:
>>> Hey there -
>>>
>>> I'm working a FreeIPA box (ipa-server-3.0.0-42) - Our original PKI
>>> "master" was nuked a while ago and I have a suspicion that none of the
>>> other "master" freeipa replicas were "promoted" (sorry for the over-use
>>> of " )
>>>
>>>
>>> So we went ahead and ran through these instructions and are currently in
>>> a weird state:
>>>
>>> krb5 won't start and the getcert list command is returning
>>> CA_UNREACHABLE
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm
>>
>> See if the LDAP server is running.
>>
>>> status: CA_UNREACHABLE
>>> ca-error: Error setting up ccache for "host" service on client using
>>> default keytab: Cannot contact any KDC for realm
>>
>> This makes sense since the KDC isn't running.
>>
>>> So I don't think I can promote another master/replica ?
>>
>> There really is no promotion, all IPA servers are masters. The only
>> difference is what extra services (CA, DNS) may be running and who
>> controls renewal and CRL generation. See
>>
>> rob
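
An added example, not from this thread and not code from the certmonger or FreeIPA projects, that applies Rob's diagnosis to captured `getcert list` output: it finds the requests stuck outside the MONITORING state, maps the two ca-error texts seen in this thread to their cause (a "Not Found" from the CA webapp behind the Apache proxy, or an unreachable KDC), lists which tracked certificates have already expired, and computes the clock value to roll back to so that every tracked certificate is valid again and certmonger can renew. The tracking data is a constructed sample in getcert's layout: only the first request ID and the two error messages come from the thread; hostnames, realm, NSS database paths, nicknames and dates are invented.

```python
"""Triage certmonger tracking output for the failure pattern in this thread.

Added example; on a live server the text would come from `getcert list`,
here a constructed sample in that layout is embedded so it runs offline.
"""
import re
from datetime import datetime, timedelta, timezone

# Date of the mail this example follows, used as "now" below.
MAIL_DATE = datetime(2015, 8, 29, 18, 8, 20, tzinfo=timezone.utc)

# Constructed sample in the layout of `getcert list` (real output indents the
# fields with a tab). Only the first request ID and the two ca-error messages
# are from the thread; host, realm, paths, nicknames and dates are invented.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140520151448':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2015-08-10 14:13:58 UTC
Request ID '20140520151449':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
	stuck: no
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2015-08-12 09:00:00 UTC
Request ID '20140520151450':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2016-03-01 00:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(\d+)':$")


def parse_getcert_list(text):
    """Turn `getcert list` text into one dict per tracked request.

    Field lines are split on the first ':' only, so the URL and the
    'will retry:' fragment inside ca-error and the time in 'expires' survive.
    """
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # summary header or blank line
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def stuck_requests(requests):
    """MONITORING is the steady state; any other status is a renewal that
    has not completed (CA_UNREACHABLE, CA_REJECTED, NEED_GUIDANCE, ...)."""
    return [r for r in requests if r.get("status") != "MONITORING"]


def classify_ca_error(message):
    """Map a ca-error text to the cause discussed in the thread."""
    if "Unable to communicate with CMS" in message and "Not Found" in message:
        # Apache proxied the request, but the CA webapp is not running.
        return "ca-webapp-down"
    if "Cannot contact any KDC" in message:
        # certmonger could not get a ticket because the KDC is down.
        return "kdc-unreachable"
    return "other" if message else "none"


def parse_expiry(value):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def expired_at(requests, now):
    """Tracked certificates whose expiry is at or before `now`."""
    return [r for r in requests if "expires" in r and parse_expiry(r["expires"]) <= now]


def rollback_clock(requests, margin=timedelta(days=1)):
    """Rob's fix is to set the clock back to when the certificates were still
    valid; the latest such instant is just before the earliest expiry.
    Returns None when no tracked request carries an expiry."""
    expiries = [parse_expiry(r["expires"]) for r in requests if "expires" in r]
    if not expiries:
        return None
    return min(expiries) - margin


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for r in stuck_requests(reqs):
        print(f"{r['id']}: {r['status']} -> {classify_ca_error(r.get('ca-error', ''))}")
    print("expired as of", MAIL_DATE, ":", [r["id"] for r in expired_at(reqs, MAIL_DATE)])
    print("set the clock to about:", rollback_clock(reqs))
```

On a real server, feed the script the output of `getcert list` in place of the sample. The rollback value is only the latest instant at which every tracked certificate was still valid; once `getcert list` shows the requests back in MONITORING, the clock is restored to real time.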



