[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Tue May 2 14:58:10 UTC 2017


The closest I found was this:

[02/May/2017:14:33:57][localhost-startStop-1]: No rule can be found for publishing: cacert
[02/May/2017:14:33:37][localhost-startStop-1]: published ca cert
[02/May/2017:14:33:37][localhost-startStop-1]: CMSEngine: ca startup done


On 05/02/2017 10:50 AM, Bret Wortman wrote:
> I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps 
> out as looking like an error.
>
> The cert-show failure is troubling, but my inability to get CSRs 
> turned into certs is what's actually driving this.
>
>
> Bret
>
>
> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>>
>>>      # ipa cert-find
>>>      :
>>>      ------------------------------
>>>      Number of entries returned 385
>>>      ------------------------------
>>>      # ipa cert-show 895
>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>      communicate with CMS (503)
>>>      # ipa cert-show 1 (which does not exist)
>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>      communicate with CMS (503)
>>>      # ipa cert-status 895
>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>      communicate with CMS (503)
>>>      #
>>>
>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>> certmonger is running.
>> Doubtful.
>>
>> cert-find and cert-show use different APIs in dogtag. cert-find uses the
>> newer RESTful API and cert-show uses the older XML-based API (and is
>> authenticated). I'm guessing that is where the issue lies.
>>
>> What I'd recommend doing is noting the time, restarting the CA, and then
>> plow through the debug log looking for failures. It could be that the CA
>> is only partially up (and I'd check your CA subsystem certs as well).
>>
>> rob
>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>> Digging still deeper:
>>>>
>>>>      # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>      communicate with CMS (503)
>>>>
>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>> it has a CA but there's no CMS available?
>>>>
>>>>
>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>> the New Certificate dialog:
>>>>>
>>>>>      Empty string passed to getElementById(). (5)
>>>>>      jquery.js:4:1060
>>>>>      TypeError: u is undefined
>>>>>      app.js:1:362059
>>>>>      Empty string passed to getElementById(). (5)
>>>>>      jquery.js:4:1060
>>>>>      TypeError: t is undefined
>>>>>      app.js:1:217432
>>>>>
>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>> "Action -> New Certificate" not do anything on this or any other 
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>> past month or so.
>>>>>>>
>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>> and no error, either.
>>>>>>>
>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>> the CA.
>>>>>>>
>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>
>>>>>>>      # ipa ca-find
>>>>>>>      ------------
>>>>>>>      1 CA matched
>>>>>>>      ------------
>>>>>>>        Name: ipa
>>>>>>>        Description IPA CA
>>>>>>>        Authority ID: 3ce3346[...]
>>>>>>>        Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>>        Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>>      ----------------------------
>>>>>>>      Number of entries returned 1
>>>>>>>      ----------------------------
>>>>>>>      # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>>>>>>>      ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>>      # klist
>>>>>>>      Ticket cache: KEYRING:persistent:0:0
>>>>>>>      Default principal: admin at DAMASCUSGRP.COM
>>>>>>>
>>>>>>>      Valid starting      Expires              Service principal
>>>>>>>      04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>>      krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>>      #
>>>>>>>
>>>>>>>
>>>>>>> What's my best path of recovery?
>>>>>>>
>>>>>>> -- 
>>>>>>> *Bret Wortman*
>>>>>>> The Damascus Group
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>
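Rob's suggestion in the quoted reply (note the time, restart the CA, then go through /var/log/pki/pki-tomcat/ca/debug looking for failures after that point) is easy to script so the check can be repeated after each restart. The following is an added example, not code from this thread or from FreeIPA or dogtag: it parses the `[dd/Mon/yyyy:HH:MM:SS][thread]: message` line format Bret quoted, keeps only entries at or after a given restart time, and flags messages that look like failures. The log lines are constructed for the example, and the list of failure keywords is an assumption about what is worth reading first, not a dogtag-defined set.

```python
import re
from datetime import datetime

# Constructed sample in the format of /var/log/pki/pki-tomcat/ca/debug as
# quoted in the thread. These lines are made up for the example.
SAMPLE_LOG = """\
[02/May/2017:14:30:02][localhost-startStop-1]: CMSEngine: shutting down
[02/May/2017:14:33:37][localhost-startStop-1]: published ca cert
[02/May/2017:14:33:37][localhost-startStop-1]: CMSEngine: ca startup done
[02/May/2017:14:33:57][localhost-startStop-1]: No rule can be found for publishing: cacert
[02/May/2017:14:34:10][http-bio-8443-exec-1]: SignedAuditLogger: Exception during audit event
[02/May/2017:14:34:11][http-bio-8443-exec-1]: Failed to authenticate to LDAP: error 49
"""

# One debug-log line: "[timestamp][thread]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s?(?P<msg>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

# Assumed keyword list; tune it to what you actually see in the log.
FAILURE_WORDS = ("exception", "error", "fail", "unable", "cannot", "no rule")


def parse_debug_log(text):
    """Return a list of (timestamp, thread, message) for each parsable line.

    Lines that do not match the format (stack-trace continuations, blank
    lines) are skipped rather than treated as errors.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        entries.append((ts, m.group("thread"), m.group("msg")))
    return entries


def entries_since(text, restart_at):
    """Entries at or after the restart time (string in the log's own format)."""
    since = datetime.strptime(restart_at, TS_FORMAT)
    return [e for e in parse_debug_log(text) if e[0] >= since]


def failures_since(text, restart_at):
    """Entries after the restart whose message contains a failure keyword."""
    return [e for e in entries_since(text, restart_at)
            if any(w in e[2].lower() for w in FAILURE_WORDS)]


def startup_completed(text, restart_at):
    """True if the CA logged 'ca startup done' after the restart.

    Its absence is the 'CA only partially up' case Rob describes.
    """
    return any("ca startup done" in e[2] for e in entries_since(text, restart_at))


if __name__ == "__main__":
    # In practice read the real file: open("/var/log/pki/pki-tomcat/ca/debug").read()
    restart = "02/May/2017:14:33:00"
    print("startup completed:", startup_completed(SAMPLE_LOG, restart))
    for ts, thread, msg in failures_since(SAMPLE_LOG, restart):
        print(ts.strftime(TS_FORMAT), thread, msg)
```

The "startup done" check and the failure scan are separate on purpose: a CA can log a clean startup and still fail every request afterwards, as the cert-show and cert-request 503s in the thread show, so the entries just after startup (publishing rules, LDAP binds, subsystem cert loading) are the ones to read first.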
