[Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

Florence Blanc-Renaud flo at redhat.com
Tue Dec 13 07:56:05 UTC 2016


On 12/12/2016 10:32 PM, jay wrote:
> Hello,
>
> I have been testing freeipa on CentOS 7 for a while now with a
> relatively simple setup, just a single server and 12 or so Linux clients
> in AWS.  I went to rebuild the environment today and part of my Ansible
> playbook failed with this error
>
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
>
> This is the command that failed
>
> /usr/bin/ipa cert-show 1 --out=/root/cacert.crt
>
> I noticed the version I was using on Friday was
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64.  But now I'm getting
> ipa-server-4.4.0-14.el7.centos.x86_64 installed, so the repo was updated
> over the weekend.
>
> Is there a known issue running cert-show with this version?  I can't
> find anything in the debug logs that point to something wrong.  Running
> 'ipa cert-find' and 'getcert list -d /etc/httpd/alias -n ipaCert' work
> just fine.
>
> Can someone offer some advice or pointer to what might be going on?  I'm
> invoking the install with these options and it has worked flawlessly
> before this new version
>
> 2016-12-12T21:05:21Z DEBUG ipa-server-install was invoked with arguments [] and options:
> {'no_dns_sshfp': None, 'ignore_topology_disconnect': None, 'verbose': False,
> 'ip_addresses': [CheckedIPAddress('172.31.0.235')], 'domainlevel': None, 'mkhomedir': None,
> 'http_cert_files': None, 'no_ntp': None, 'reverse_zones': None, 'no_forwarders': None,
> 'external_ca_type': None, 'ssh_trust_dns': True, 'domain_name': 'ipa.us-west-2.compute.internal',
> 'idmax': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': None,
> 'ca_signing_algorithm': None, 'no_reverse': None, 'subject': None, 'unattended': True,
> 'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': None,
> 'no_ui_redirect': None, 'ignore_last_of_role': None, 'realm_name': 'IPA.US-WEST-2.COMPUTE.INTERNAL',
> 'forwarders': [CheckedIPAddress('172.31.0.2')], 'idstart': 5000, 'external_ca': None,
> 'no_ssh': None, 'external_cert_files': None, 'no_hbac_allow': None, 'forward_policy': None,
> 'dirsrv_cert_name': None, 'ca_cert_files': None, 'zonemgr': None, 'quiet': False,
> 'setup_dns': True, 'host_name': 'ip-172-31-0-235.us-west-2.compute.internal',
> 'dirsrv_config_file': None, 'log_file': None, 'allow_zone_overlap': None, 'uninstall': False}
> 2016-12-12T21:05:21Z DEBUG IPA version 4.4.0-14.el7.centos
>
> Thank you
> Jay
>
>

Hi,

the ipa cert-show command is communicating with Dogtag, using port 443. 
Can you check if Dogtag is properly responding on this port?

$ SSL_DIR=/etc/httpd/alias/ curl -v -E "ipaCert:$(cat /etc/httpd/alias/pwdfile.txt)" \
    "https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1" \
    -o out.html

The issue can be that Dogtag is down, or an SSL issue (the certificate 
ipaCert in /etc/httpd/alias is used to authenticate the client to Dogtag).

HTH,
Flo.
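As an added example (not part of Flo's reply and not FreeIPA's own tooling): a small shell script that runs the curl probe from the reply unattended and sorts the outcome into the two cases she names, Dogtag down versus an SSL/client-certificate problem. It assumes the NSS-linked curl shipped with CentOS 7 (hence the -E nickname:password form and SSL_DIR), the ipaCert nickname and /etc/httpd/alias/pwdfile.txt from the reply, and takes the CA host name as its argument (hostname.domainname below is a placeholder). The exit-code mapping uses curl's documented codes: 7 (could not connect), 35 (SSL handshake error), 58 (problem with the local client certificate) and 60 (peer certificate not trusted).

```shell
#!/bin/sh
# Added example, not from the thread: probe the Dogtag CA through the IPA
# httpd front end on port 443 (the path "ipa cert-show" uses) and name the
# failure mode.  Assumptions: NSS-linked curl (CentOS 7), the ipaCert
# nickname and pwdfile.txt under /etc/httpd/alias, CA host given as $1.

NSSDB=/etc/httpd/alias

# diagnose <curl exit code> <HTTP status> -> one word on stdout:
#   ok              Dogtag answered the agent request
#   dogtag_down     httpd answered 503: front end is up, the CA behind it is not
#                   (next step: systemctl status pki-tomcatd@pki-tomcat.service)
#   connect         nothing reachable on 443 (httpd down, firewall, wrong host)
#   tls_client_cert curl could not use ipaCert: wrong nickname, password or db
#   tls_server      handshake or server-certificate trust failure
#   http_<code>     httpd answered something else (e.g. 403: ipaCert not an agent)
#   curl_<rc>       any other curl failure, reported by exit code
diagnose() {
    curl_rc=$1
    http_code=$2
    case "$curl_rc" in
        0)
            case "$http_code" in
                200) echo ok ;;
                503) echo dogtag_down ;;
                *)   echo "http_$http_code" ;;
            esac ;;
        7)     echo connect ;;
        58)    echo tls_client_cert ;;
        35|60) echo tls_server ;;
        *)     echo "curl_$curl_rc" ;;
    esac
}

# probe_dogtag <ca host> -> diagnosis word; same request as in the reply,
# but quiet, with the HTTP status captured instead of the page body.
probe_dogtag() {
    ca_host=$1
    http_code=$(SSL_DIR="$NSSDB" curl -s -o /dev/null -w '%{http_code}' \
        -E "ipaCert:$(cat "$NSSDB/pwdfile.txt")" \
        "https://$ca_host:443/ca/agent/ca/displayBySerial?serialNumber=1")
    diagnose $? "$http_code"
}

# Only probe when a host is given, so the file can also be sourced for its
# functions, e.g.:  sh probe-dogtag.sh hostname.domainname
if [ -n "$1" ]; then
    result=$(probe_dogtag "$1")
    echo "dogtag probe via $1: $result"
    [ "$result" = ok ]
fi
```

The script exits non-zero on anything but ok, so it can sit in front of the cert-show step of a playbook as a gate; a 503 from httpd with pki-tomcatd not active points at the CA service itself, while a curl exit of 58 means the client-certificate side (nickname, password file, NSS database) should be checked before suspecting Dogtag.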
