[Freeipa-users] I think I lost my CA...
Bret Wortman
bret.wortman at damascusgrp.com
Wed Apr 26 14:33:43 UTC 2017
So I can see my certs using cert-find, but can't get details using
cert-show or add new ones using cert-request.
# ipa cert-find
:
------------------------------
Number of entries returned 385
------------------------------
# ipa cert-show 895
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)
# ipa cert-show 1 (which does not exist)
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)
# ipa cert-status 895
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)
#
Is this an IPv6 thing? Because ipactl shows everything green and
certmonger is running.
Bret
On 04/26/2017 09:03 AM, Bret Wortman wrote:
>
> Digging still deeper:
>
> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
>
> Looks like this is an HTTP error; so is it possible that my IPA thinks
> it has a CA but there's no CMS available?
>
>
> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>
>> Using the firefox debugger, I get these errors when trying to pop up
>> the New Certificate dialog:
>>
>> Empty string passed to getElementById(). (5)
>> jquery.js:4:1060
>> TypeError: u is undefined app.js:1:362059
>> Empty string passed to getElementById(). (5)
>> jquery.js:4:1060
>> TypeError: t is undefined app.js:1:217432
>>
>> I'm definitely not a web kind of guy so I'm not sure if this is
>> helpful or not. This is on 4.4.0, API Version 2.213.
>>
>>
>> Bret
>>
>>
>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>
>>> Good news. One of my servers _does_ have CA installed. So why does
>>> "Action -> New Certificate" not do anything on this or any other server?
>>>
>>>
>>> Bret
>>>
>>>
>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>
>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>> past month or so.
>>>>
>>>> Today, someone came and asked me to generate a new certificate for
>>>> their web server. All was good until I went to the IPA UI and tried
>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>> each of our 3 servers in turn. All came back with no popup window
>>>> and no error, either.
>>>>
>>>> I suspect the problem might be that we no longer have a CA server
>>>> due to the method I used to upgrade the servers. I likely missed a
>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>> the CA.
>>>>
>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>> not sure if this shows that I'm missing a CA or not:
>>>>
>>>> # ipa ca-find
>>>> ------------
>>>> 1 CA matched
>>>> ------------
>>>> Name: ipa
>>>> Description IPA CA
>>>> Authority ID: 3ce3346[...]
>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>> # klist
>>>> Ticket cache: KEYRING:persistent:0:0
>>>> Default principal: admin@DAMASCUSGRP.COM
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 04/25/2017 18:48:26  04/26/2017 18:48:21  krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM
>>>> #
>>>>
>>>>
>>>> What's my best path of recovery?
>>>>
>>>> --
>>>> *Bret Wortman*
>>>> The Damascus Group
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
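An added check, written for this page and not taken from Bret's mail or from the FreeIPA project, for the state the thread describes: ipactl reports everything green and cert-find answers, yet cert-show, cert-status and cert-request all fail with "Unable to communicate with CMS (503)". FreeIPA's own CA health check reads Dogtag's /ca/admin/ca/getStatus endpoint on port 8443, which answers with a small XML document carrying a <Status> element. The script below parses such a response (first on a constructed healthy sample, and with --live against a real server) and says which log to read next. Assumed here and not confirmed by the thread: port 8443, that XML shape, curl on the server, the CentOS 7 paths /etc/ipa/ca.crt and /var/log/pki/pki-tomcat/ca/debug, the pki-tomcatd@pki-tomcat unit name, and the hostname ipa1.example.com in the usage note, which is hypothetical.

```shell
#!/bin/sh
# Added example for the "Unable to communicate with CMS (503)" situation in
# the thread above; not code from the thread or from FreeIPA itself.
# Dogtag's health endpoint, which FreeIPA also polls, is
#   https://<ca-host>:8443/ca/admin/ca/getStatus
# and answers with XML like
#   <XMLResponse><State>1</State><Type>CA</Type><Status>running</Status>...
# Assumed: port 8443, that XML shape, curl, /etc/ipa/ca.crt and the
# pki-tomcatd@pki-tomcat unit name as found on a CentOS 7 IPA server.

# Reads a getStatus response on stdin and prints the <Status> value, or
# "unreachable" when the body carries no <Status> element at all (an empty
# reply, or an HTTP error page from Apache/Tomcat instead of the XML).
# Exit status is 0 only for "running".
ca_status_from_xml() {
    body=$(cat)
    status=$(printf '%s\n' "$body" \
        | sed -n 's/.*<Status>\([^<]*\)<\/Status>.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo "unreachable"
        return 2
    fi
    echo "$status"
    if [ "$status" = "running" ]; then
        return 0
    fi
    return 1
}

# Maps the status to the next place to look on the server.
next_step_for() {
    case "$1" in
        running)
            echo "CA subsystem reports running; the 503 comes from elsewhere, so compare /var/log/httpd/error_log with /var/log/pki/pki-tomcat/ca/debug at the time of a failing cert-show" ;;
        unreachable)
            echo "nothing parseable answered on the CA port: systemctl status pki-tomcatd@pki-tomcat; journalctl -u pki-tomcatd@pki-tomcat" ;;
        *)
            echo "Tomcat answers but the CA subsystem reports '$1': read /var/log/pki/pki-tomcat/ca/debug and check 'getcert list' for expired tracked certificates" ;;
    esac
}

# Live check against a real IPA CA host. Only run when asked for with --live,
# so the script also runs offline on the constructed sample below.
ca_status_live() {
    host=${1:-$(hostname -f)}
    port=${2:-8443}
    curl -s --max-time 10 --cacert /etc/ipa/ca.crt \
        "https://$host:$port/ca/admin/ca/getStatus" | ca_status_from_xml
}

if [ "${1:-}" = "--live" ]; then
    st=$(ca_status_live "$2" "$3") || true
    next_step_for "$st"
else
    # Constructed sample response, shaped as a healthy CA would answer.
    sample='<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.3.3</Version></XMLResponse>'
    st=$(printf '%s' "$sample" | ca_status_from_xml) || true
    echo "sample CA status: $st"
    next_step_for "$st"
fi
```

Run it on any of the three servers as `sh ca-status.sh --live ipa1.example.com` (hostname hypothetical). "unreachable" means nothing parseable came back from port 8443, either a refused connection or an HTTP error page in place of the XML; any status other than "running" means Tomcat is up but the CA web application has not come up, which is what the CA debug log, not ipactl, will explain.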