[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Rob Crittenden
rcritten at redhat.com
Tue May 19 15:25:18 UTC 2015
Sina Owolabi wrote:
> Hi Rob
>
> I've been to the URL but it's a little difficult applying these commands
> to RHEL6 systems.
> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
> cannot find the ipa.crt
>
> I'm sure as a noob I am overlooking some very obvious stuff, but could
> you please guide me on what to do?
Sorry, I think I pointed you at the wrong page. Check out
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
Your CA subsystem certificates are expired, or nearly expired. They are valid for two
years. Based on the request ID in the snippet you posted at least some
are valid for another few days.
What I'd suggest is to send the machine back in time and restart the
services. This should bring things up so that certmonger can do the renewal:
# ipactl stop
# /sbin/service ntpd stop
# date 0501hhmm where hhmm are the current hour and minute
# ipactl start
Hopefully ntpd isn't started by ipactl. If it is then it will undo your
going back in time, and you'll need to start the services manually:
# service dirsrv@YOURREALM start
# service krb5kdc start
# service httpd start
# service pki-tomcatd start
Restart certmonger
# service certmonger restart
Wait a bit
# getcert list
Watch the status. They should go to MODIFIED
Once done:
# ipactl stop
Return date to present, either by restarting ntpd or date or whatever
method you'd like.
I'm taking a completely wild guess on the date to go back to. The
expiration date is listed in the getcert output. I'd go back a week
before the oldest expiration.
rob
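As an added example (not part of the thread or of FreeIPA itself), a small Python helper for the step where the expiration dates are read from `getcert list`: it parses that output, lists which tracked certificates have already expired as of a given "now", and computes the date a week before the oldest expiry along with the `date MMDDhhmmCCYY` command to set it. The `getcert` output below is a constructed sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output (not from the thread); two tracked
# certificates, one of them already expired relative to NOW below.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130515120000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2015-05-22 11:55:00 UTC
Request ID '20130515120001':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
\texpires: 2015-05-17 09:10:00 UTC
"""
NOW = datetime(2015, 5, 19, 15, 25)  # timestamp of the reply, treated as "now"

def parse_getcert(text):
    """Map request ID -> {status, nickname, expires} from `getcert list` text."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = m.group(1)
            certs[current] = {"status": None, "nickname": None, "expires": None}
            continue
        if current is None:  # header line before the first request block
            continue
        key, _, value = line.strip().partition(": ")
        if key == "expires":
            certs[current]["expires"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z")
        elif key == "status":
            certs[current]["status"] = value
        elif key == "certificate":
            nick = re.search(r"nickname='([^']+)'", value)
            certs[current]["nickname"] = nick.group(1) if nick else value
    return certs

def rollback_plan(certs, now=NOW, margin_days=7):
    """Return (already-expired IDs, earliest expiry, target date a week earlier)."""
    dated = {rid: c["expires"] for rid, c in certs.items() if c["expires"]}
    expired = sorted(rid for rid, exp in dated.items() if exp <= now)
    earliest = min(dated.values())
    return expired, earliest, earliest - timedelta(days=margin_days)

def date_command(target):
    """`date MMDDhhmmCCYY` string that sets the clock to `target` (GNU date form)."""
    return target.strftime("date %m%d%H%M%Y")
```

On a real server, feed the text of `getcert list` to `parse_getcert` and pass `datetime.utcnow()` as `now`; any request whose status is not MONITORING is worth checking before the clock is moved.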