[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Fri May 22 17:00:09 UTC 2015

Hi Rob

And thanks for the new instructions. However, right out of the gate:

$ ipa-csreplica-manage set-renewal-master
Usage: ipa-csreplica-manage [options]

ipa-csreplica-manage: error: must provide a command [force-sync |
disconnect | list | del | connect | re-initialize]

Are there any RHEL6 specific instructions I can follow to the promised land?

On Wed, May 20, 2015 at 8:30 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Sina Owolabi wrote:
>>
>> Hi Rob
>>
>> This is the only CA master. The one I cloned it from was
>> decommissioned,  reinstalled and then  made to be a replica of this
>> server.
>>
>> Looks like I'm really stuck.  How do I export the data out so I can
>> reinstall from scratch, if possible? There are a lot of rules and
>> configuration data I'd really like to keep.
>
>
> So in this case you have no master managing the renewal.
>
> Take a look at
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0
> starting at the step "Reconfigure a CA as the new master"
>
> Since at least one certificate has expired you'll need to go back in time to
> get this working. Be sure to restart IPA after going back to ensure that the
> CA is up.
>
> You'll eventually want to do the CRL changes as well.
>
> rob
>
>>
>>
>> On Wed, May 20, 2015, 2:32 PM Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>>     Sina Owolabi wrote:
>>      > Another key difference I noticed is that the problematic certs have
>>      > CA:IPA in them, while the working certs have CA:
>>      > dogtag-ipa-retrieve-agent-submit.
>>
>>     Ok, the full output is really helpful.
>>
>>     First an explanation of CA subsystem renewal.
>>
>>     CA clones are just that, exact clones of each other, which means they
>>     use the same subsystem certificates for OCSP, audit, etc. This also
>>     means that at renewal time they need to be renewed on only one master
>>     and then somehow shared with the ohter clones.
>>
>>     The initially-installed CA is designated as the renewal master by
>>     default. It configures certmonger to renew the CA subsytem
>> certificates
>>     and put the new public cert into a shared area in IPA that will be
>>     replicated to the other masters.
>>
>>     The non-renewal masters are configured with a special CA,
>>     dogtag-ipa-retrieve-agent-submit, that looks in this shared area for
>> an
>>     updated certificate and when available, it installs it.
>>
>>     So the issue is that it isn't seeing this updated certificate, hence
>>     CA_WORKING.
>>
>>     The CA_UNREACHABLE are due to the fact that the IPA RA agent
>> certificate
>>     that IPA uses to talk to the CA expired on 04/29.
>>
>>     So the steps you need to take are:
>>
>>     1. Check your other CA masters and see if they have been renewed
>>     properly (getcert list will tell you, look for expiration in 2017).
>>     2. If they have, see if the data was pushed to LDAP
>>
>>     $ kinit admin
>>     $ ldapsearch -Y GSSAPI -b
>> cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
>>
>>     See if there are certificate entries there. Check on multiple masters
>> to
>>     see if there is a replication issue.
>>
>>     If the certs are there you can try restarting certmonger to kickstart
>>     the request.
>>
>>     rob
>>
>