[Freeipa-users] IPA Error 4301: CertificateOperationError

Rob Crittenden rcritten at redhat.com
Tue Aug 23 14:21:47 UTC 2016


Fraser Tweedale wrote:
> On Mon, Aug 22, 2016 at 11:52:46PM +0000, Z D wrote:
>> Hello,
>>
>> There is an error on ver 4.2 while viewing certs: "IPA Error
>> 4301: CertificateOperationError", next it reads "Certificate
>> operation cannot be completed: Unable to communicate with CMS
>> ([Errno 113] No route to host)".
>>
>> I suspect you'll be asking for the two commands below, here are the results.
>>
>> # ipa cert-show 1
>>    Certificate: MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1VUy5P
>> ..shortened ...
>> H6S7tS4pT9w77K8=
>>    Subject: CN=Certificate Authority,O=COMP.COM
>>    Issuer: CN=Certificate Authority,O=COMP.COM
>>    Not Before: Wed Aug 17 17:20:41 2016 UTC
>>    Not After: Sun Aug 17 17:20:41 2036 UTC
>>    Fingerprint (MD5): 00:a5:2c:2d:ea:c8:27:33:62:35:75:53:12:6a:0d:c1
>>    Fingerprint (SHA1): d1:58:78:83:31:b8:ad:ae:af:2c:e7:05:44:67:6e:3a:37:8c:00:1a
>>    Serial number (hex): 0x1
>>    Serial number: 1
>>
>> # ipactl restart
>> Restarting Directory Service
>> Restarting krb5kdc Service
>> Restarting kadmin Service
>> Restarting named Service
>> Restarting ipa_memcached Service
>> Restarting httpd Service
>> Restarting ipa-otpd Service
>> Restarting ipa-dnskeysyncd Service
>> ipa: INFO: The ipactl command was successful
>>
>> Any help is appreciated, thanks
>> Zarko
>>
>
> "while viewing certs" -> do you mean in the IPA Web UI?
>
> The successful `cert-show' command indicates that the CA is up and
> running, but the error message indicates that the host running the
> failing action cannot contact the CA.  You should check DNS and
> firewall settings as a first step.

If a request for a certificate operation comes into an IPA master that
isn't running a CA, the request is sent to one that does. It sure seems
like that is happening in this case and the chosen CA isn't available.

rob
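
The DNS and firewall check suggested above, run from the master that returns error 4301 against each master that hosts a CA, as an added example that is not part of the original thread. Port 443 and the hostnames are assumptions; `[Errno 113]` is `EHOSTUNREACH` on Linux.

```python
import errno
import socket
import sys

CA_PROXY_PORT = 443  # assumption: CA requests go to the CA master's HTTPS port

# What each connect() failure usually points at (hints written for this example).
HINTS = {
    errno.EHOSTUNREACH: "no route: check routing, or a firewall rejecting with ICMP",
    errno.ENETUNREACH: "no route to that network: check the local routing table",
    errno.ECONNREFUSED: "host is reachable but nothing listens: check httpd on the CA master",
}

def classify(err):
    """Turn an errno value into (symbolic name, hint)."""
    return errno.errorcode.get(err, "E?"), HINTS.get(err, "unclassified OS error")

def probe(host, port=CA_PROXY_PORT, timeout=3.0):
    """Resolve host and try a TCP connect; return (status, detail)."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", "name does not resolve from this master: %s" % exc
    result = ("dns", "resolver returned no addresses")
    for family, socktype, proto, _canon, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return "ok", "TCP connect to %s port %d succeeded" % (sockaddr[0], port)
            except socket.timeout:
                result = ("timeout", "no reply: packets are probably dropped by a firewall")
            except OSError as exc:
                result = classify(exc.errno)
    return result

if __name__ == "__main__":
    # Constructed hostnames; pass the real CA-bearing masters as arguments.
    hosts = sys.argv[1:] or ["ipa-ca1.example.test", "ipa-ca2.example.test"]
    for h in hosts:
        print("%-28s %s: %s" % ((h,) + probe(h)))
```

A result of `EHOSTUNREACH` for a master reproduces the condition in the error message; `ok` for every CA master means the network path is not the cause.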