[Freeipa-users] I think I lost my CA...
Bret Wortman
bret.wortman at damascusgrp.com
Wed Apr 26 14:45:37 UTC 2017
On 04/26/2017 10:22 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> Digging still deeper:
>>
>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>>
>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>> it has a CA but there's no CMS available?
> Apache proxies requests to the CA so there could be a mismatch I
> suppose. I'd ensure that the pki processes are running on the box for
> starters and then dig into the CA debug log for more details.
Is that /var/log/pki/pki-tomcat/ca/debug? If so, then nothing happens in
it during the above operations.
As you noted, Apache produces the following when trying to show a valid
cert even though there's nothing in what I think is the pki ca debug
log. ps aux shows pki processes alive, at least, and in ownership of the
8009 port (verified by lsof).
[Wed Apr 26 14:38:48.157961 2017] [:error] [pid 15801] ipa: INFO:
[jsonserver_session] admin at DAMASCUSGRP.COM: ping(): SUCCESS
[Wed Apr 26 14:38:48.247040 2017] [proxy:error] [pid 15804]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8009 (localhost) failed
[Wed Apr 26 14:38:48.247072 2017] [proxy:error] [pid 15804] AH00959:
ap_proxy_connect_)backend disabling worker for (localhost) for 60s
[Wed Apr 26 14:38:48.247078 2017] [proxy_ajp:error] [pid 15804] [client
192.168.208.54:56618] AH00896: failed to make connection to backend:
localhost
[Wed Apr 26 14:38:48.247531 2017] [:error] [pid 15800] ipa: ERROR:
ra.get_certificate(): Unable to communicate with CMS (503)
[Wed Apr 26 14:38:48.247765 2017] [:error] [pid 15800] ipa: INFO:
[jsonserver_session] admin at DAMASCUSGRP.COM: cert_show/1(u'895',
version=u'2.213'): CertificateOperationError
>
> rob
>>
>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>> Using the firefox debugger, I get these errors when trying to pop up
>>> the New Certificate dialog:
>>>
>>> Empty string passed to getElementById(). (5)
>>> jquery.js:4:1060
>>> TypeError: u is undefined
>>> app.js:1:362059
>>> Empty string passed to getElementById(). (5)
>>> jquery.js:4:1060
>>> TypeError: t is undefined
>>> app.js:1:217432
>>>
>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>
>>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>> past month or so.
>>>>>
>>>>> Today, someone came and asked me to generate a new certificate for
>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>> to perform Actions->New Certificate, which did nothing. I tried each
>>>>> of our 3 servers in turn. All came back with no popup window and no
>>>>> error, either.
>>>>>
>>>>> I suspect the problem might be that we no longer have a CA server
>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>> the CA.
>>>>>
>>>>> What's my best hope of recovery? I never ran this before, so I'm not
>>>>> sure if this shows that I'm missing a CA or not:
>>>>>
>>>>> # ipa ca-find
>>>>> ------------
>>>>> 1 CA matched
>>>>> ------------
>>>>> Name: ipa
>>>>> Description IPA CA
>>>>> Authority ID: 3ce3346[...]
>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>> O=DAMASCUSGRP.COM"
>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>> # klist
>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>> #
>>>>>
>>>>>
>>>>> What's my best path of recovery?
>>>>>
>>>>> --
>>>>> *Bret Wortman*
>>>>> The Damascus Group
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
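The Apache lines above show the chain behind the 503: mod_proxy_ajp cannot connect to 127.0.0.1:8009, disables the worker for 60 seconds, and the IPA framework then reports "Unable to communicate with CMS (503)" for every CA call. The following script is an added example, not part of the thread or of FreeIPA itself; it parses those three Apache message codes (AH00957, AH00959 and the IPA ERROR line) out of an error log and pairs them with a live TCP probe of the AJP port, so an operator can tell whether the backend is still down or merely still inside the 60-second worker back-off. The sample log text is constructed from the lines quoted in the mail. Note (my observation, not something the thread establishes): lsof showing a process on port 8009 does not guarantee it is bound on the address family Apache dials, so the probe deliberately connects to the exact host and port taken from the log.

```python
"""Triage Apache -> AJP -> pki-tomcat failures behind an IPA 'CMS (503)' error.

Added example for the freeipa-users thread; not project code."""
import re
import socket
from collections import Counter

# Constructed sample built from the error-log lines quoted in the mail.
SAMPLE_LOG = """\
[Wed Apr 26 14:38:48.157961 2017] [:error] [pid 15801] ipa: INFO: [jsonserver_session] admin at DAMASCUSGRP.COM: ping(): SUCCESS
[Wed Apr 26 14:38:48.247040 2017] [proxy:error] [pid 15804] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Wed Apr 26 14:38:48.247072 2017] [proxy:error] [pid 15804] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Wed Apr 26 14:38:48.247078 2017] [proxy_ajp:error] [pid 15804] [client 192.168.208.54:56618] AH00896: failed to make connection to backend: localhost
[Wed Apr 26 14:38:48.247531 2017] [:error] [pid 15800] ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
"""

# AH00957: the proxy could not open a TCP connection to the AJP backend.
AJP_REFUSED = re.compile(
    r"AH00957: AJP: attempt to connect to (?P<host>\S+):(?P<port>\d+) \(.*\) failed")
# AH00959: the proxy worker is taken out of service for a retry interval.
WORKER_DISABLED = re.compile(
    r"AH00959: .*disabling worker for \((?P<worker>[^)]+)\) for (?P<secs>\d+)s")
# The IPA-side consequence: the RA plugin got no answer from Dogtag (CMS).
CMS_ERROR = re.compile(
    r"ipa: ERROR: (?P<call>[\w.]+\(\)): Unable to communicate with CMS \((?P<status>\d+)\)")


def triage(log_text):
    """Summarise AJP connect failures, worker back-off and IPA CMS errors in log_text."""
    report = {"ajp_targets": Counter(), "worker_disabled_secs": None, "cms_errors": []}
    for line in log_text.splitlines():
        m = AJP_REFUSED.search(line)
        if m:
            report["ajp_targets"][(m["host"], int(m["port"]))] += 1
            continue
        m = WORKER_DISABLED.search(line)
        if m:
            report["worker_disabled_secs"] = int(m["secs"])
            continue
        m = CMS_ERROR.search(line)
        if m:
            report["cms_errors"].append((m["call"], int(m["status"])))
    return report


def backend_reachable(host, port, timeout=2.0):
    """True if a plain TCP connect to host:port succeeds, i.e. what mod_proxy_ajp attempts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(log_text, probe=backend_reachable):
    """Combine the log evidence with a live probe and return a one-line verdict."""
    r = triage(log_text)
    if not r["ajp_targets"]:
        return "no AJP connection failures in log"
    (host, port), count = r["ajp_targets"].most_common(1)[0]
    verdict = [f"{count} refused AJP connect(s) to {host}:{port}"]
    if r["worker_disabled_secs"]:
        verdict.append(f"worker disabled for {r['worker_disabled_secs']}s "
                       "(503s continue until Apache retries the worker, even if the backend is back)")
    if r["cms_errors"]:
        verdict.append(f"{len(r['cms_errors'])} IPA CMS error(s), e.g. {r['cms_errors'][0][0]}")
    if probe(host, port):
        verdict.append("backend now reachable")
    else:
        verdict.append("backend still refusing connections: check pki-tomcat status and "
                       "that its AJP connector binds the same address family Apache dials")
    return "; ".join(verdict)


if __name__ == "__main__":
    # On a real server, read /var/log/httpd/error_log instead of SAMPLE_LOG.
    print(diagnose(SAMPLE_LOG))
```

Run it on the server's own Apache error log to get the verdict; the probe result distinguishes "pki-tomcat is not accepting connections on that address" from "it is back, but Apache has not yet re-enabled the worker", which are handled differently (restart or fix the CA service versus simply waiting out the retry interval).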