[Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Chris Tobey tobeychris at hotmail.com
Thu Jun 4 19:29:00 UTC 2015


Hi Rob,

Sorry, my original message had the information: 
  FreeIPA server running on CentOS 6.6 server.
(ipa-server-3.0.0-42.el6.centos.x86_64 and
ipa-client-3.0.0-42.el6.centos.x86_64)

Once again your advice is perfect. I did the "ipactl restart" and now
everything in the web page appears to be working without error.

I will let you know if I see anything else, but it looks like this is
solved.

Thank you for all your help.

-Chris Tobey

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: June-04-15 3:20 PM
To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)

Chris Tobey wrote:
> Hi Rob,
>
> Thanks for taking the time to look at this.
>
> I have services in /etc/init.d/ named tomcat6 and pki-cad.
>
> I tried the following:
> -
>      [Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
>      tomcat6 is stopped                                         [  OK  ]
>      [Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
>      Starting tomcat6:                                          [  OK  ]
>      [Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
>      tomcat6 (pid 10853) is running...                          [  OK  ]
>      [Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status
>      pki-ca (pid 1793) is running...                            [  OK  ]
>          Unsecure Port       = http://chimera.server.com:9180/ca/ee/ca
>          Secure Agent Port   = https://chimera.server.com:9443/ca/agent/ca
>          Secure EE Port      = https://chimera.server.com:9444/ca/ee/ca
>          Secure Admin Port   = https://chimera.server.com:9445/ca/services
>          EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca
>          PKI Console Port    = pkiconsole https://chimera.server.com:9445/ca
>          Tomcat Port         = 9701 (for shutdown)
>
>          PKI Instance Name:   pki-ca
>
>          PKI Subsystem Type:  Root CA (Security Domain)
>
>          Registered PKI Security Domain Information:
>
> ==========================================================================
>          Name:  IPA
>          URL:   https://chimera.server.com:443
>
> ==========================================================================

Ok, you didn't specify a version so I took a stab in the dark on the service
name. So I gather you're running 3.0.0?

You'll need to dive into the catalina.log and debug logs in /var/log/pki-ca.
This means that tomcat started but the webapp didn't. 
This is usually the audit subsystem kicking in but recently someone else had
this issue and a simple ipactl restart fixed it for him.

rob

> -
>
> After this I am able to create new hosts on my Foreman server!
>
> There are now a few questions:
> 1. I am not sure why the tomcat6 service was stopped, if it is 
> required to be running.
> 2. I am not sure why a reboot of the server did not auto-start tomcat6.
> 3. When navigating the web GUI for FreeIPA and clicking on a host, I 
> still see the popup message in the subject of this thread.
>
> I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman
> (puppetmaster) servers yet. When I have some downtime I will try that
> and see what happens in regards to questions 2 and 3.
>
> Thanks,
> -Chris Tobey
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: June-04-15 10:35 AM
> To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation 
> cannot be
> completed: Unable to communicate with CMS (Not Found)
>
> Apache proxies to dogtag, so a Not Found means that dogtag either 
> isn't running or its webapp wasn't loaded.
>
> I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that
> helps.
>
> Otherwise you'll need to poke around in the debug log in
> /var/lib/pki-ca/<something>
>
> rob
>
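
The triage Rob describes (a Not Found from Apache means Dogtag is not running or its webapp did not load) can be scripted as below. This is an added example, not code from the thread or from the FreeIPA project. The function names, the `--live` flag and the finding labels are assumptions, and the sample status text is constructed from the output quoted above.

```shell
#!/bin/sh
# Constructed sample, shaped like the `service pki-cad status` output quoted in the thread.
SAMPLE='pki-ca (pid 1793) is running...
    Unsecure Port       = http://chimera.server.com:9180/ca/ee/ca
    Secure EE Port      = https://chimera.server.com:9444/ca/ee/ca
    PKI Console Port    = pkiconsole https://chimera.server.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)'

# Print "label|url" for each endpoint line of the status text on stdin.
pki_endpoints() {
    awk -F' = ' '/ Port +=/ && match($2, /https?:\/\/[^ ]+/) {
        label = $1; gsub(/^ +| +$/, "", label)
        print label "|" substr($2, RSTART, RLENGTH)
    }'
}

# "running" if the status text on stdin reports a live instance, else "stopped".
proc_state() {
    if grep -q 'is running'; then echo running; else echo stopped; fi
}

# HTTP status of a direct request to the CA, bypassing Apache (000 = no response).
probe() { curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" || true; }

# Turn (process state, HTTP code) into a finding; the labels are hypothetical.
triage_ca() {
    case "$1:$2" in
        stopped:*)              echo "dogtag-not-running" ;;
        running:000)            echo "dogtag-not-listening" ;;
        running:404)            echo "webapp-not-loaded" ;;
        running:[23][0-9][0-9]) echo "backend-ok-check-apache-proxy" ;;
        *)                      echo "unexpected-http-$2" ;;
    esac
}

main() {
    if [ "${1:-}" = "--live" ]; then     # hypothetical flag: query the real service
        out=$(service pki-cad status 2>&1) || true
        url=$(printf '%s\n' "$out" | pki_endpoints | grep '|http://' | head -n 1 | cut -d'|' -f2)
        code=$(probe "$url")
    else                                 # offline: sample text plus a constructed 404
        out=$SAMPLE; code=404
    fi
    triage_ca "$(printf '%s\n' "$out" | proc_state)" "$code"
}
main "$@"
```

A `webapp-not-loaded` result is the case where the logs under /var/log/pki-ca are the next place to look.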




