[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Wed Apr 26 13:03:54 UTC 2017


Digging still deeper:

    # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503)

Looks like this is an HTTP error; so is it possible that my IPA thinks 
it has a CA but there's no CMS available?


On 04/26/2017 08:41 AM, Bret Wortman wrote:
>
> Using the firefox debugger, I get these errors when trying to pop up 
> the New Certificate dialog:
>
>     Empty string passed to getElementById().             (5)
>     jquery.js:4:1060
>     TypeError: u is undefined app.js:1:362059
>     Empty string passed to getElementById().             (5)
>     jquery.js:4:1060
>     TypeError: t is undefined app.js:1:217432
>
> I'm definitely not a web kind of guy so I'm not sure if this is 
> helpful or not. This is on 4.4.0, API Version 2.213.
>
>
> Bret
>
>
> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>
>> Good news. One of my servers _does_ have CA installed. So why does 
>> "Action -> New Certificate" not do anything on this or any other server?
>>
>>
>> Bret
>>
>>
>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>
>>> I recently had to upgrade all my Fedora IPA servers to C7. It went 
>>> well, and we've been up and running nicely on 4.4.0 on C7 for the 
>>> past month or so.
>>>
>>> Today, someone came and asked me to generate a new certificate for 
>>> their web server. All was good until I went to the IPA UI and tried 
>>> to perform Actions->New Certificate, which did nothing. I tried each 
>>> of our 3 servers in turn. All came back with no popup window and no 
>>> error, either.
>>>
>>> I suspect the problem might be that we no longer have a CA server 
>>> due to the method I used to upgrade the servers. I likely missed a 
>>> "--setup-ca" in there somewhere, so my rolling update rolled over 
>>> the CA.
>>>
>>> What's my best hope of recovery? I never ran this before, so I'm not 
>>> sure if this shows that I'm missing a CA or not:
>>>
>>>     # ipa ca-find
>>>     ------------
>>>     1 CA matched
>>>     ------------
>>>       Name: ipa
>>>       Description IPA CA
>>>       Authority ID: 3ce3346[...]
>>>       Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>       Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>     ----------------------------
>>>     Number of entries returned 1
>>>     ----------------------------
>>>     # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>>>     ipa: ERROR: Failed to authenticate to CA REST API
>>>     # klist
>>>     Ticket cache: KEYRING:persistent:0:0
>>>     Default principal: admin@DAMASCUSGRP.COM
>>>
>>>     Valid starting      Expires              Service principal
>>>     04/25/2017 18:48:26 04/26/2017 18:48:21  krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM
>>>     #
>>>
>>>
>>> What's my best path of recovery?
>>>
>>> -- 
>>> *Bret Wortman*
>>> The Damascus Group
>>>