[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Wed Apr 26 14:45:37 UTC 2017



On 04/26/2017 10:22 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> Digging still deeper:
>>
>>      # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>
>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>> it has a CA but there's no CMS available?
> Apache proxies requests to the CA so there could be a mismatch I
> suppose. I'd ensure that the pki processes are running on the box for
> starters and then dig into the CA debug log for more details.
Is that /var/log/pki/pki-tomcat/ca/debug? If so, then nothing happens in 
it during the above operations.

As you noted, apache produces the following when trying to show a valid 
cert even though there's nothing in what I think is the pki ca debug 
log. ps aux shows pki processes alive, at least, and in ownership of the 
8009 port (verified by lsof).

[Wed Apr 26 14:38:48.157961 2017] [:error] [pid 15801] ipa: INFO: 
[jsonserver_session] admin at DAMASCUSGRP.COM: ping(): SUCCESS
[Wed Apr 26 14:38:48.247040 2017] [proxy:error] [pid 15804] 
(111)Connection refused: AH00957: AJP: attempt to connect to 
127.0.0.1:8009 (localhost) failed
[Wed Apr 26 14:38:48.247072 2017] [proxy:error] [pid 15804] AH00959: 
ap_proxy_connect_)backend disabling worker for (localhost) for 60s
[Wed Apr 26 14:38:48.247078 2017] [proxy_ajp:error] [pid 15804] [client 
192.168.208.54:56618] AH00896: failed to make connection to backend: 
localhost
[Wed Apr 26 14:38:48.247531 2017] [:error] [pid 15800] ipa: ERROR: 
ra.get_certificate(): Unable to communicate with CMS (503)
[Wed Apr 26 14:38:48.247765 2017] [:error] [pid 15800] ipa: INFO: 
[jsonserver_session] admin at DAMASCUSGRP.COM: cert_show/1(u'895', 
version=u'2.213'): CertificateOperationError



>
> rob
>>
>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>> Using the firefox debugger, I get these errors when trying to pop up
>>> the New Certificate dialog:
>>>
>>>      Empty string passed to getElementById().             (5)
>>>      jquery.js:4:1060
>>>      TypeError: u is undefined
>>>      app.js:1:362059
>>>      Empty string passed to getElementById().             (5)
>>>      jquery.js:4:1060
>>>      TypeError: t is undefined
>>>      app.js:1:217432
>>>
>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>
>>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>> past month or so.
>>>>>
>>>>> Today, someone came and asked me to generate a new certificate for
>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>> to perform Actions->New Certificate, which did nothing. I tried each
>>>>> of our 3 servers in turn. All came back with no popup window and no
>>>>> error, either.
>>>>>
>>>>> I suspect the problem might be that we no longer have a CA server
>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>> the CA.
>>>>>
>>>>> What's my best hope of recovery? I never ran this before, so I'm not
>>>>> sure if this shows that I'm missing a CA or not:
>>>>>
>>>>>      # ipa ca-find
>>>>>      ------------
>>>>>      1 CA matched
>>>>>      ------------
>>>>>        Name: ipa
>>>>>        Description IPA CA
>>>>>        Authority ID: 3ce3346[...]
>>>>>        Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>        Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>      ----------------------------
>>>>>      Number of entries returned 1
>>>>>      ----------------------------
>>>>>      # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>      O=DAMASCUSGRP.COM"
>>>>>      ipa: ERROR: Failed to authenticate to CA REST API
>>>>>      # klist
>>>>>      Ticket cache: KEYRING:persistent:0:0
>>>>>      Default principal: admin at DAMASCUSGRP.COM
>>>>>
>>>>>      Valid starting      Expires              Service principal
>>>>>      04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>      krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>      #
>>>>>
>>>>>
>>>>> What's my best path of recovery?
>>>>>
>>>>> -- 
>>>>> *Bret Wortman*
>>>>> The Damascus Group
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>

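The Apache error_log excerpt quoted above can be triaged mechanically. The following Python script is an added example, not code from this thread or from the FreeIPA project: it parses Apache 2.4 error_log lines (the sample is re-joined from the wrapped lines in the post) and reports whether IPA's "Unable to communicate with CMS (503)" errors coincide with AJP connection refusals to the pki-tomcat connector on 127.0.0.1:8009, which separates a CA backend that is not listening from a fault in the IPA framework itself. The five-second correlation window and the verdict names are assumptions.

```python
"""Triage Apache error_log lines for IPA-to-CA (AJP) connectivity failures."""
import re
from datetime import datetime

# Apache 2.4 error_log format: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^\]]*)\] \[pid (?P<pid>\d+)\] ?(?P<msg>.*)$")
AJP_REFUSED_RE = re.compile(
    r"Connection refused: AH00957: AJP: attempt to connect to (?P<addr>\S+)")
CMS_503_RE = re.compile(r"Unable to communicate with CMS \(503\)")

# Constructed sample, re-joined from the wrapped lines quoted in the post.
SAMPLE_LOG = """\
[Wed Apr 26 14:38:48.157961 2017] [:error] [pid 15801] ipa: INFO: [jsonserver_session] admin@DAMASCUSGRP.COM: ping(): SUCCESS
[Wed Apr 26 14:38:48.247040 2017] [proxy:error] [pid 15804] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Wed Apr 26 14:38:48.247072 2017] [proxy:error] [pid 15804] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Wed Apr 26 14:38:48.247078 2017] [proxy_ajp:error] [pid 15804] [client 192.168.208.54:56618] AH00896: failed to make connection to backend: localhost
[Wed Apr 26 14:38:48.247531 2017] [:error] [pid 15800] ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
"""

def parse_line(line):
    """Return a dict for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return {"ts": ts, "mod": m.group("mod"), "pid": int(m.group("pid")),
            "msg": m.group("msg")}

def triage(lines, window_s=5.0):
    """Correlate CMS 503 errors with AJP refusals seen up to window_s earlier."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    refused = [e for e in events if AJP_REFUSED_RE.search(e["msg"])]
    cms503 = [e for e in events if CMS_503_RE.search(e["msg"])]
    correlated = [c for c in cms503 if any(
        0 <= (c["ts"] - r["ts"]).total_seconds() <= window_s for r in refused)]
    backends = sorted({AJP_REFUSED_RE.search(e["msg"]).group("addr") for e in refused})
    if cms503 and correlated:
        # Next check on the box: `ipactl status` and pki-tomcatd@pki-tomcat,
        # then the CA debug log; the 503 is Apache's, not the CA's.
        verdict = "ca-backend-unreachable"
    elif cms503:
        verdict = "cms-503-uncorrelated"
    else:
        verdict = "no-cms-errors"
    return {"verdict": verdict, "ajp_refused": len(refused), "cms_503": len(cms503),
            "correlated": len(correlated), "backends": backends}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```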