[Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Rob Crittenden
rcritten at redhat.com
Thu Jun 4 14:35:01 UTC 2015
Chris Tobey wrote:
> Hi Martin,
>
> Thank you for the response. Here is what I can see on my FreeIPA server (I
> replaced my server name with server.com):
>
> [Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)
> [Wed Jun 03 10:05:47:..//var/lib/pki-ca]$ getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20150407214802':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=SERVER.COM
> subject: CN=CA Audit,O=SERVER.COM
> expires: 2017-03-27 21:47:14 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
Apache proxies to dogtag, so a Not Found means that dogtag either isn't
running or its webapp wasn't loaded.
I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that
helps.
Otherwise you'll need to poke around in the debug log in
/var/lib/pki-ca/<something>
rob
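
Added example, not part of the original thread: a small parser for the `getcert list` layout quoted above that reports any tracked request that is not in `MONITORING`, is stuck, or is expired or close to expiry. The sample input is constructed, and the 28-day warning window and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the getcert list layout; IDs, subjects and dates are made up.
SAMPLE = """\
> Request ID '20150101000001':
> status: MONITORING
> stuck: no
> subject: CN=CA Audit,O=EXAMPLE.TEST
> expires: 2017-03-27 21:47:14 UTC
> Request ID '20150101000002':
> status: CA_UNREACHABLE
> subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
> expires: 2015-06-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()  # accept mail-quoted output
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def findings(requests, now, warn_days=28):
    """List (request id, subject, problems) for every request needing attention."""
    out = []
    for r in requests:
        problems = []
        if r.get("status") != "MONITORING":
            problems.append("status " + r.get("status", "missing"))
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if r.get("expires"):
            when = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("expired " + r["expires"])
            elif when - now <= timedelta(days=warn_days):
                problems.append("expires within %d days" % warn_days)
        if problems:
            out.append((r["id"], r.get("subject", "?"), problems))
    return out

if __name__ == "__main__":
    print(findings(parse_getcert_list(SAMPLE), datetime.now(timezone.utc)))
```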