[Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

jay titleistfour at gmail.com
Mon Dec 12 21:32:02 UTC 2016


Hello,

I have been testing freeipa on CentOS 7 for a while now with a relatively
simple setup, just a single server and 12 or so Linux clients in AWS.  I
went to rebuild the environment today and part of my Ansible playbook
failed with this error:

ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)

This is the command that failed:

/usr/bin/ipa cert-show 1 --out=/root/cacert.crt

I noticed the version I was using on Friday was
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64.  But now I'm getting
ipa-server-4.4.0-14.el7.centos.x86_64 installed, so the repo was updated
over the weekend.

Is there a known issue running cert-show with this version?  I can't find
anything in the debug logs that points to something wrong.  Running 'ipa
cert-find' and 'getcert list -d /etc/httpd/alias -n ipaCert' work just fine.

Can someone offer some advice or pointers to what might be going on?  I'm
invoking the install with these options and it has worked flawlessly before
this new version:

2016-12-12T21:05:21Z DEBUG ipa-server-install was invoked with arguments [] and options: {'no_dns_sshfp': None, 'ignore_topology_disconnect': None, 'verbose': False, 'ip_addresses': [CheckedIPAddress('172.31.0.235')], 'domainlevel': None, 'mkhomedir': None, 'http_cert_files': None, 'no_ntp': None, 'reverse_zones': None, 'no_forwarders': None, 'external_ca_type': None, 'ssh_trust_dns': True, 'domain_name': 'ipa.us-west-2.compute.internal', 'idmax': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': None, 'ca_signing_algorithm': None, 'no_reverse': None, 'subject': None, 'unattended': True, 'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None, 'ignore_last_of_role': None, 'realm_name': 'IPA.US-WEST-2.COMPUTE.INTERNAL', 'forwarders': [CheckedIPAddress('172.31.0.2')], 'idstart': 5000, 'external_ca': None, 'no_ssh': None, 'external_cert_files': None, 'no_hbac_allow': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'ca_cert_files': None, 'zonemgr': None, 'quiet': False, 'setup_dns': True, 'host_name': 'ip-172-31-0-235.us-west-2.compute.internal', 'dirsrv_config_file': None, 'log_file': None, 'allow_zone_overlap': None, 'uninstall': False}
2016-12-12T21:05:21Z DEBUG IPA version 4.4.0-14.el7.centos

Thank you
Jay