[Freeipa-users] I think I lost my CA...
Bret Wortman
bret.wortman at damascusgrp.com
Fri Apr 28 12:57:48 UTC 2017
Flo,
I did find that issue and made those corrections to our /etc/hosts file,
but the problem persists.
Thanks for the idea!
Bret
On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote:
> On 04/26/2017 04:33 PM, Bret Wortman wrote:
>> So I can see my certs using cert-find, but can't get details using
>> cert-show or add new ones using cert-request.
>>
>> # ipa cert-find
>> :
>> ------------------------------
>> Number of entries returned 385
>> ------------------------------
>> # ipa cert-show 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-show 1 (which does not exist)
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-status 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> #
>>
>> Is this an IPV6 thing? Because ipactl shows everything green and
>> certmonger is running.
>>
> Hi Bret,
>
> the issue looks similar to https://pagure.io/freeipa/issue/6575 and
> https://pagure.io/dogtagpki/issue/2570 which were IPv6 related. Note
> that IPv6 must be enabled on the machine but IPA does not require an
> IPv6 address to be configured (except for the loopback).
>
> You can check the following:
> - is PKI listening to port 8009 on IPv6 or IPv4 interface?
> sudo netstat -tunpl | grep 8009
> tcp6 0 0 127.0.0.1:8009 :::* LISTEN 10749/java
>
> - /etc/pki/pki-tomcat/server.xml defines a redirection from port 8009
> to 8443, and the "address" part is important:
> <Connector port="8009"
> protocol="AJP/1.3"
> redirectPort="8443"
> address="localhost" />
>
> In the above example, it will be using localhost which can resolve
> either to IPv4 or IPv6.
>
> - /etc/hosts must define the loopback addresses with
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> HTH,
> Flo.
>> Bret
>>
>>
>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>
>>> Digging still deeper:
>>>
>>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>>
>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>> it has a CA but there's no CMS available?
>>>
>>>
>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>
>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>> the New Certificate dialog:
>>>>
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: u is undefined
>>>> app.js:1:362059
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: t is undefined
>>>> app.js:1:217432
>>>>
>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>
>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>> server?
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>
>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>> past month or so.
>>>>>>
>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>> and no error, either.
>>>>>>
>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>> the CA.
>>>>>>
>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>
>>>>>> # ipa ca-find
>>>>>> ------------
>>>>>> 1 CA matched
>>>>>> ------------
>>>>>> Name: ipa
>>>>>> Description IPA CA
>>>>>> Authority ID: 3ce3346[...]
>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>> # klist
>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>
>>>>>> Valid starting Expires Service principal
>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>> #
>>>>>>
>>>>>>
>>>>>> What's my best path of recovery?
>>>>>>
>>>>>> --
>>>>>> *Bret Wortman*
>>>>>> The Damascus Group
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
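The three checks in Flo's reply (which interface PKI listens on for port 8009, the `address` of the AJP Connector in `/etc/pki/pki-tomcat/server.xml`, and the IPv4/IPv6 loopback entries in `/etc/hosts`) can be cross-checked mechanically. The script below is an added example, not code from the thread or from the FreeIPA or Dogtag projects; it parses constructed samples of the three inputs in the same shapes shown above and reports where they disagree. The function names and the rule that "::" accepts both address families (the Linux default, `net.ipv6.bindv6only=0`) are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# --- Constructed sample inputs, modelled on the thread; not copied from any real host ---
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
"""

HOSTS_OK = """127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
"""

HOSTS_MISSING_V6 = """127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
"""

# netstat -tunpl style output: tcp6 socket bound to an IPv4 loopback address only
NETSTAT_V4_ONLY = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      10749/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""

# Same, but the AJP port bound on the IPv6 wildcard (reachable over both families by default)
NETSTAT_DUAL = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::8009                 :::*                    LISTEN      10749/java
"""


def ajp_connector(server_xml):
    """First AJP Connector in server.xml as {'port': int, 'address': str|None}.
    address=None means Tomcat binds the connector on every interface."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP/"):
            return {"port": int(conn.get("port")), "address": conn.get("address")}
    return None


def localhost_versions(hosts_text):
    """IP versions (4 and/or 6) for which /etc/hosts maps a loopback address to 'localhost'."""
    versions = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if ip.is_loopback and "localhost" in fields[1:]:
            versions.add(ip.version)
    return versions


def listener_versions(netstat_text, port):
    """IP versions reachable on a LISTENing socket for `port`, from netstat -tunpl output.
    A tcp6 socket printed with an IPv4 local address (127.0.0.1:8009) is reachable over IPv4 only."""
    versions = set()
    for raw in netstat_text.splitlines():
        fields = raw.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        host, _, p = fields[3].rpartition(":")  # "::1:8009" -> ("::1", "8009")
        if not p.isdigit() or int(p) != port:
            continue
        if host == "::":
            versions.update({4, 6})  # assumption: bindv6only=0, wildcard v6 also takes v4
        elif ":" in host:
            versions.add(6)
        else:
            versions.add(4)
    return versions


def diagnose(server_xml, hosts_text, netstat_text):
    """Cross-check connector address, listening socket and /etc/hosts; [] means consistent."""
    findings = []
    conn = ajp_connector(server_xml)
    if conn is None:
        return ["no AJP connector found in server.xml"]
    hosts_v = localhost_versions(hosts_text)
    if hosts_v != {4, 6}:
        missing = ", ".join("IPv%d" % v for v in sorted({4, 6} - hosts_v))
        findings.append("/etc/hosts lacks a loopback 'localhost' entry for " + missing)
    listen_v = listener_versions(netstat_text, conn["port"])
    if not listen_v:
        findings.append("nothing is listening on port %d" % conn["port"])
    elif conn["address"] == "localhost" and not hosts_v <= listen_v:
        # 'localhost' may resolve to a family the socket is not bound on
        have = ", ".join("IPv%d" % v for v in sorted(listen_v))
        lack = ", ".join("IPv%d" % v for v in sorted(hosts_v - listen_v))
        findings.append("connector address 'localhost' but port %d listens on %s only; "
                        "localhost also resolves to %s" % (conn["port"], have, lack))
    return findings


if __name__ == "__main__":
    for label, ns in (("v4-only listener", NETSTAT_V4_ONLY), ("dual-stack listener", NETSTAT_DUAL)):
        print(label, "->", diagnose(SAMPLE_SERVER_XML, HOSTS_OK, ns) or "consistent")
```

On a real server the same functions would be fed the contents of `/etc/pki/pki-tomcat/server.xml`, `/etc/hosts` and the output of `sudo netstat -tunpl`; the constructed v4-only sample reproduces the situation in the `tcp6 ... 127.0.0.1:8009` line quoted in the thread, where the socket is reachable over IPv4 while `localhost` may also resolve to `::1`.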