[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Rob Crittenden
rcritten at redhat.com
Mon May 18 18:00:19 UTC 2015
Sina Owolabi wrote:
> Hi Rob
>
> There are some logs in /var/log/pki-ca/catalina.out that appear to
> indicate a problem:
[SNIP]
These are mostly white noise from tomcat and can be ignored.
>
>
> Also running "getcert list" tells me there are two expired certs:
>
> Request ID '20130524104636':
> status: CA_UNREACHABLE
> ca-error: Server at https://dc.ourdom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server. cannot connect to
> 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
> -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> certificate as expired.).
> stuck: no
>
>
> Request ID '20130524104828':
> status: CA_UNREACHABLE
> ca-error: Server at https://dc.ourdom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server. cannot connect to
> 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
> -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> certificate as expired.).
> stuck: no
>
> I'd be grateful to know what to do.
Your CA subsystem certificates are expired so while the process is up
the CA won't serve requests. See
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
rob
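Added example, not part of the original message or of FreeIPA/certmonger: a small Python triage of `getcert list` output that flags tracking requests failing the way the two quoted above do (status `CA_UNREACHABLE` with `SSL_ERROR_EXPIRED_CERT_ALERT` in `ca-error`). The function names, the generic field pattern, and the third request ID are assumptions made for illustration.

```python
import re

# Constructed sample: the two requests quoted in the message ("> " removed) plus a hypothetical healthy one.
SAMPLE = """\
Request ID '20130524104636':
status: CA_UNREACHABLE
ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server. cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
stuck: no
Request ID '20130524104828':
status: CA_UNREACHABLE
ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server. cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
stuck: no
Request ID '00000000000000':
status: MONITORING
"""

REQ = re.compile(r"^Request ID '([^']+)':$")
# Assumed field shape: a key of letters, spaces and hyphens, then ": " and the value.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*): ?(.*)$")

def parse_requests(text):
    """Map request ID -> {field: value}, re-joining values wrapped across lines."""
    requests, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ.match(line)
        if m:
            current, last = requests.setdefault(m.group(1), {}), None
        elif current is not None and line:
            f = FIELD.match(line)
            if f:
                last = f.group(1)
                current[last] = f.group(2)
            elif last:
                current[last] += " " + line  # continuation of a wrapped value
    return requests

def expired_cert_failures(requests):
    """IDs of requests the CA rejected because the presented certificate has expired."""
    return sorted(rid for rid, f in requests.items()
                  if f.get("status") == "CA_UNREACHABLE"
                  and "SSL_ERROR_EXPIRED_CERT_ALERT" in f.get("ca-error", ""))
```

Calling `expired_cert_failures(parse_requests(text))` on saved `getcert list` output returns the request IDs to look at when following the renewal how-to linked above.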