[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Tue May 2 14:50:21 UTC 2017


I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps out 
as looking like an error.

The cert-show failure is troubling, but my inability to get CSRs turned 
into certs is what's actually driving this.


Bret


On 04/26/2017 06:02 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So I can see my certs using cert-find, but can't get details using
>> cert-show or add new ones using cert-request.
>>
>>      # ipa cert-find
>>      :
>>      ------------------------------
>>      Number of entries returned 385
>>      ------------------------------
>>      # ipa cert-show 895
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      # ipa cert-show 1 (which does not exist)
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      # ipa cert-status 895
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      #
>>
>> Is this an IPV6 thing? Because ipactl shows everything green and
>> certmonger is running.
> Doubtful.
>
> cert-find and cert-show use different APIs in dogtag. cert-find uses the
> newer RESTful API and cert-show uses the older XML-based API (and is
> authenticated). I'm guessing that is where the issue lies.
>
> What I'd recommend doing is noting the time, restarting the CA, and then
> plow through the debug log looking for failures. It could be that the CA
> is only partially up (and I'd check your CA subsystem certs as well).
>
> rob
>
>> Bret
>>
>>
>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>> Digging still deeper:
>>>
>>>      # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>      communicate with CMS (503)
>>>
>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>> it has a CA but there's no CMS available?
>>>
>>>
>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>> the New Certificate dialog:
>>>>
>>>>      Empty string passed to getElementById().             (5)
>>>>      jquery.js:4:1060
>>>>      TypeError: u is undefined
>>>>      app.js:1:362059
>>>>      Empty string passed to getElementById().             (5)
>>>>      jquery.js:4:1060
>>>>      TypeError: t is undefined
>>>>      app.js:1:217432
>>>>
>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>> past month or so.
>>>>>>
>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>> and no error, either.
>>>>>>
>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>> the CA.
>>>>>>
>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>
>>>>>>      # ipa ca-find
>>>>>>      ------------
>>>>>>      1 CA matched
>>>>>>      ------------
>>>>>>        Name: ipa
>>>>>>        Description: IPA CA
>>>>>>        Authority ID: 3ce3346[...]
>>>>>>        Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>        Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>      ----------------------------
>>>>>>      Number of entries returned 1
>>>>>>      ----------------------------
>>>>>>      # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>      O=DAMASCUSGRP.COM"
>>>>>>      ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>      # klist
>>>>>>      Ticket cache: KEYRING:persistent:0:0
>>>>>>      Default principal: admin at DAMASCUSGRP.COM
>>>>>>
>>>>>>      Valid starting      Expires              Service principal
>>>>>>      04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>      krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>      #
>>>>>>
>>>>>>
>>>>>> What's my best path of recovery?
>>>>>>
>>>>>> -- 
>>>>>> *Bret Wortman*
>>>>>> The Damascus Group
>>>>>>
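The check Rob suggests above (look at the CA subsystem certs before digging further into the debug log) can be scripted against the output of `getcert list` on the CA host. The following is an added example for this archive page, not code from the thread or from FreeIPA/certmonger: it parses certmonger's `getcert list` text and reports any tracked certificate that is expired, expires within a warning window, or is in a status other than MONITORING. The sample output, the EXAMPLE.COM realm, the request IDs and the dates are constructed; the nicknames follow the ones IPA tracks for the Dogtag CA's NSS database under /etc/pki/pki-tomcat/alias.

```python
import re
from datetime import datetime, timezone

# Constructed `getcert list` output for illustration; it is not taken from
# the thread. Nicknames follow IPA's tracking of the Dogtag CA certificates.
SAMPLE_GETCERT = """\
Request ID '20170301120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2037-03-01 12:00:00 UTC
Request ID '20170301120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2017-04-20 09:15:00 UTC
Request ID '20170301120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2017-05-10 00:00:00 UTC
"""

# Reference time for the check: the date of the message above.
NOW = datetime(2017, 5, 2, 14, 50, 21, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    entries = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*([^:]+): (.*)", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()

    for e in entries:
        # The NSS nickname lives inside the 'certificate:' field.
        nick = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        e["nickname"] = nick.group(1) if nick else None
        exp = e.get("expires")
        if exp and exp.endswith(" UTC"):
            exp = exp[:-4]
        e["expires_at"] = (
            datetime.strptime(exp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if exp else None
        )
    return entries


def check_ca_certs(entries, now, warn_days=30):
    """Return one line per problem: bad certmonger status, expired, or expiring."""
    problems = []
    for e in entries:
        nick = e.get("nickname") or e["request_id"]
        status = e.get("status")
        if status != "MONITORING":
            problems.append(f"{nick}: certmonger status {status} (stuck: {e.get('stuck', '?')})")
        exp = e.get("expires_at")
        if exp is None:
            problems.append(f"{nick}: no expiry recorded")
        elif exp <= now:
            problems.append(f"{nick}: EXPIRED {exp:%Y-%m-%d}")
        elif (exp - now).days < warn_days:
            problems.append(f"{nick}: expires in {(exp - now).days} days")
    return problems


if __name__ == "__main__":
    for line in check_ca_certs(parse_getcert(SAMPLE_GETCERT), NOW):
        print(line)
```

On a real CA host the input would come from `getcert list` run as root; any certificate that is expired or stuck in a non-MONITORING state is the first thing to account for before reading pki-tomcat's debug log.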