[Freeipa-users] I think I lost my CA...

Petr Vobornik pvoborni at redhat.com
Thu May 4 11:31:25 UTC 2017


On 04/28/2017 02:57 PM, Bret Wortman wrote:
> Flo,
>
> I did find that issue and made those corrections to our /etc/hosts file,
> but the problem persists.
>
> Thanks for the idea!

After the change, did you restart PKI?

>
>
> Bret
>
>
>
> On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote:
>> On 04/26/2017 04:33 PM, Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>>
>>>     # ipa cert-find
>>>     :
>>>     ------------------------------
>>>     Number of entries returned 385
>>>     ------------------------------
>>>     # ipa cert-show 895
>>>     ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>     communicate with CMS (503)
>>>     # ipa cert-show 1 (which does not exist)
>>>     ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>     communicate with CMS (503)
>>>     # ipa cert-status 895
>>>     ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>     communicate with CMS (503)
>>>     #
>>>
>>> Is this an IPv6 thing? Because ipactl shows everything green and
>>> certmonger is running.
>>>
>> Hi Bret,
>>
>> the issue looks similar to https://pagure.io/freeipa/issue/6575 and
>> https://pagure.io/dogtagpki/issue/2570 which were IPv6 related. Note
>> that IPv6 must be enabled on the machine but IPA does not require an
>> IPv6 address to be configured (except for the loopback).
>>
>> You can check the following:
>> - is PKI listening on port 8009 on the IPv6 or the IPv4 interface?
>> sudo netstat -tunpl | grep 8009
>> tcp6       0      0 127.0.0.1:8009          :::* LISTEN 10749/java
>>
>> - /etc/pki/pki-tomcat/server.xml defines a redirection from port 8009
>> to 8443, and the "address" part is important:
>>     <Connector port="8009"
>>             protocol="AJP/1.3"
>>             redirectPort="8443"
>>             address="localhost" />
>>
>> In the above example, it will be using localhost which can resolve
>> either to IPv4 or IPv6.
>>
>> - /etc/hosts must define the loopback addresses with
>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>> HTH,
>> Flo.
>>> Bret
>>>
>>>
>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>>
>>>> Digging still deeper:
>>>>
>>>>     # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>>     ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>     communicate with CMS (503)
>>>>
>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>> it has a CA but there's no CMS available?
>>>>
>>>>
>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>>
>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>> the New Certificate dialog:
>>>>>
>>>>>     Empty string passed to getElementById().             (5)
>>>>>     jquery.js:4:1060
>>>>>     TypeError: u is undefined
>>>>>     app.js:1:362059
>>>>>     Empty string passed to getElementById().             (5)
>>>>>     jquery.js:4:1060
>>>>>     TypeError: t is undefined
>>>>>     app.js:1:217432
>>>>>
>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>>
>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>>
>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>> past month or so.
>>>>>>>
>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>> and no error, either.
>>>>>>>
>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>> the CA.
>>>>>>>
>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>
>>>>>>>     # ipa ca-find
>>>>>>>     ------------
>>>>>>>     1 CA matched
>>>>>>>     ------------
>>>>>>>       Name: ipa
>>>>>>>       Description: IPA CA
>>>>>>>       Authority ID: 3ce3346[...]
>>>>>>>       Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>>       Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>>     ----------------------------
>>>>>>>     Number of entries returned 1
>>>>>>>     ----------------------------
>>>>>>>     # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>>>>>>>     ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>>     # klist
>>>>>>>     Ticket cache: KEYRING:persistent:0:0
>>>>>>>     Default principal: admin at DAMASCUSGRP.COM
>>>>>>>
>>>>>>>     Valid starting      Expires              Service principal
>>>>>>>     04/25/2017 18:48:26 04/26/2017 18:48:21 krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>>     #
>>>>>>>
>>>>>>>
>>>>>>> What's my best path of recovery?
>>>>>>>
>>>>>>> --
>>>>>>> *Bret Wortman*
>>>>>>> The Damascus Group
>>>>>>>


-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat
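The three checks Flo lists in the quoted reply above (is something listening on 8009, what "address" the AJP Connector in server.xml binds to, and whether /etc/hosts names localhost on both 127.0.0.1 and ::1) can be run offline against copies of the files. The script below is an added example written for this page, not code from the thread or from the FreeIPA/Dogtag projects. Each function takes a file path, so it can be pointed at the real /etc/hosts, /etc/pki/pki-tomcat/server.xml and a saved copy of `netstat -tunpl` output; the sample files it creates at the end are constructed here, modelled on the lines quoted in the thread, and the verdict strings and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): offline versions of the three checks
# Flo listed. Inputs are file paths: /etc/hosts, server.xml, and a saved copy
# of `netstat -tunpl` output. Samples at the bottom are constructed.

# Does /etc/hosts give the name "localhost" to both 127.0.0.1 and ::1?
# Prints ok, missing-ipv4, missing-ipv6 or missing-both. Comment lines do not
# match because their first field starts with "#".
hosts_loopback_status() {
    v4=$(awk '$1=="127.0.0.1" { for (i=2;i<=NF;i++) if ($i=="localhost") print "y" }' "$1")
    v6=$(awk '$1=="::1"       { for (i=2;i<=NF;i++) if ($i=="localhost") print "y" }' "$1")
    if   [ -n "$v4" ] && [ -n "$v6" ]; then echo ok
    elif [ -n "$v4" ];                 then echo missing-ipv6
    elif [ -n "$v6" ];                 then echo missing-ipv4
    else                                    echo missing-both
    fi
}

# Value of address="..." on the AJP/1.3 <Connector>, or "unset" when the
# attribute is absent (Tomcat then binds every interface). The element spans
# several lines, so records are split on "<" and the Connector record inspected.
ajp_connector_address() {
    awk 'BEGIN { RS="<"; found=0 }
         /^Connector/ && index($0, "protocol=\"AJP/1.3\"") {
             if (match($0, /address="[^"]*"/)) {
                 print substr($0, RSTART+9, RLENGTH-10); found=1; exit
             }
         }
         END { if (!found) print "unset" }' "$1"
}

# Socket family and local address of the TCP listener on port 8009 in saved
# `netstat -tunpl` output, e.g. "tcp6 127.0.0.1", or "none" if nothing listens.
ajp_listener_family() {
    awk '$1 ~ /^tcp6?$/ && $6=="LISTEN" && $4 ~ /:8009$/ {
             print $1, substr($4, 1, length($4)-5); found=1; exit
         }
         END { if (!found) print "none" }' "$1"
}

# Combine the three. Arguments: hosts file, server.xml, saved netstat output.
# Prints "consistent" (exit 0) or the first problem found (exit 1).
ajp_loopback_check() {
    listener=$(ajp_listener_family "$3")
    if [ "$listener" = none ]; then echo pki-not-listening-on-8009; return 1; fi
    st=$(hosts_loopback_status "$1")
    if [ "$st" != ok ]; then echo "hosts-loopback-incomplete: $st"; return 1; fi
    addr=$(ajp_connector_address "$2")
    case $addr in
        localhost|unset) ;;    # the name resolves through the entries just checked
        *) case $listener in   # a literal address must be what is actually bound
               *" $addr") ;;
               *) echo "listener-mismatch: connector=$addr listener=$listener"; return 1 ;;
           esac ;;
    esac
    echo consistent
}

# Constructed sample inputs (not captured from Bret's servers).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_HOSTS_OK=$SAMPLE_DIR/hosts.ok
SAMPLE_HOSTS_NOV6=$SAMPLE_DIR/hosts.nov6
SAMPLE_SERVER_XML=$SAMPLE_DIR/server.xml
SAMPLE_NETSTAT=$SAMPLE_DIR/netstat.txt
cat > "$SAMPLE_HOSTS_OK" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
cat > "$SAMPLE_HOSTS_NOV6" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
EOF
cat > "$SAMPLE_SERVER_XML" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="localhost" />
  </Service>
</Server>
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      10749/java
EOF

ajp_loopback_check "$SAMPLE_HOSTS_OK"   "$SAMPLE_SERVER_XML" "$SAMPLE_NETSTAT"
ajp_loopback_check "$SAMPLE_HOSTS_NOV6" "$SAMPLE_SERVER_XML" "$SAMPLE_NETSTAT" || true
```

On a live server, save the listener state first with `sudo netstat -tunpl > /tmp/netstat.txt` and then call `ajp_loopback_check /etc/hosts /etc/pki/pki-tomcat/server.xml /tmp/netstat.txt`. The script only reads files; after fixing /etc/hosts, PKI still has to be restarted before the 503 from CMS can be expected to go away, as Petr's reply asks.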
