[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Sina Owolabi
notify.sina at gmail.com
Wed May 20 13:42:44 UTC 2015
Hi Rob
This is the only CA master. The one I cloned it from was decommissioned,
reinstalled and then made to be a replica of this server.
Looks like I'm really stuck. How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.
On Wed, May 20, 2015, 2:32 PM Rob Crittenden <rcritten at redhat.com> wrote:
> Sina Owolabi wrote:
> > Another key difference I noticed is that the problematic certs have
> > CA:IPA in them, while the working certs have CA:
> > dogtag-ipa-retrieve-agent-submit.
>
> Ok, the full output is really helpful.
>
> First an explanation of CA subsystem renewal.
>
> CA clones are just that, exact clones of each other, which means they
> use the same subsystem certificates for OCSP, audit, etc. This also
> means that at renewal time they need to be renewed on only one master
> and then somehow shared with the ohter clones.
>
> The initially-installed CA is designated as the renewal master by
> default. It configures certmonger to renew the CA subsytem certificates
> and put the new public cert into a shared area in IPA that will be
> replicated to the other masters.
>
> The non-renewal masters are configured with a special CA,
> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
> updated certificate and when available, it installs it.
>
> So the issue is that it isn't seeing this updated certificate, hence
> CA_WORKING.
>
> The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
> that IPA uses to talk to the CA expired on 04/29.
>
> So the steps you need to take are:
>
> 1. Check your other CA masters and see if they have been renewed
> properly (getcert list will tell you, look for expiration in 2017).
> 2. If they have, see if the data was pushed to LDAP
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
>
> See if there are certificate entries there. Check on multiple masters to
> see if there is a replication issue.
>
> If the certs are there you can try restarting certmonger to kickstart
> the request.
>
> rob
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150520/fab28b28/attachment.htm>
More information about the Freeipa-users
mailing list