[Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Martin Kosek mkosek at redhat.com
Wed Jun 3 07:43:31 UTC 2015


On 06/02/2015 10:10 PM, Chris Tobey wrote:
> Hi everyone,
>
> This is my first time posting here - please be gentle.

Ok :-)

> I currently have ~40 CentOS 6.6 servers authenticating against my FreeIPA
> server running on another CentOS 6.6 server.
> (ipa-server-3.0.0-42.el6.centos.x86_64 and
> ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running stable
> for the last ~4 months without issue, slowly building up from five servers
> to the current forty. This server is paired with a puppet/foreman server to
> manage the servers themselves.
>
> I am having an issue with my FreeIPA server and I cannot figure out what is
> going wrong. As of right now all 40 servers can still authenticate without
> issue, so that is good. 
>
> My issue is similar to what I saw here:
> https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html
> where I receive a pop-up error "IPA Error 4301: Certificate operation cannot
> be completed: Unable to communicate with CMS (Not Found)". The issue
> described at the above link is fairly old, and I checked my .jar symlinks
> and they appear to all be ok. The pop-up appears when I go to Identity >
> Hosts > and click on a host. The host information appears to all be correct,
> and if I make changes the error appears again, but the changes seem to take
> effect (tested changing a host description). 
>
> The failures prevent me from adding new hosts in Foreman. When I try to add
> a new host it says "Unable to save - Failed to create testvm.server.com's
> realm entry: ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm
> entry ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://puppetmaster.server.com:8443/realm/SERVER.COM." 
>
> Does anyone have any ideas on what I can do to fix this? I can post any logs
> that I have, but I do not know which are relevant to this issue.

Could this be the dreaded expiration of the FreeIPA CA subsystem certificates?
I would suggest logging in to the FreeIPA CA servers and running

# getcert list

and giving us the output.

https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates

Thanks,
Martin
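
One way to triage the `getcert list` output requested above, as an added example that is not part of the original message or of FreeIPA: it flags tracked requests that are not in the MONITORING state, are already expired, or expire soon. The sample listing, the 28-day window and the function names are assumptions made for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints; every value is made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150101000001':
	status: CA_UNREACHABLE
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2015-05-20 10:00:00 UTC
Request ID '20150101000002':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	expires: 2015-06-20 10:00:00 UTC
Request ID '20150101000003':
	status: MONITORING
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	expires: 2017-01-01 10:00:00 UTC
"""

def parse_requests(text):
    """Split the listing into one dict of 'field: value' pairs per tracked request."""
    requests = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if key.startswith("Request ID "):
            requests.append({"id": key.split("'")[1]})
        elif requests and sep:
            requests[-1][key] = value.strip()
    return requests

def triage(text, now, warn_days=28):
    """Return (request id, subject, problem) tuples; timestamps are assumed to be UTC."""
    findings = []
    for req in parse_requests(text):
        status = req.get("status", "unknown")
        problems = ["status " + status] if status != "MONITORING" else []
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired")
            elif exp.replace(tzinfo=timezone.utc) - now <= timedelta(days=warn_days):
                problems.append("expires within %d days" % warn_days)
        findings += [(req["id"], req.get("subject", "?"), p) for p in problems]
    return findings

if __name__ == "__main__":  # usage: getcert list | python3 this_file.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(*triage(text, datetime.now(timezone.utc)), sep="\n")
```

A timestamp in any zone other than UTC raises a ValueError rather than being compared incorrectly.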