[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Thu May 18 12:43:48 UTC 2017


On 04/26/2017 06:02 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So I can see my certs using cert-find, but can't get details using
>> cert-show or add new ones using cert-request.
>>
>>      # ipa cert-find
>>      :
>>      ------------------------------
>>      Number of entries returned 385
>>      ------------------------------
>>      # ipa cert-show 895
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      # ipa cert-show 1 (which does not exist)
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      # ipa cert-status 895
>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>      communicate with CMS (503)
>>      #
>>
>> Is this an IPV6 thing? Because ipactl shows everything green and
>> certmonger is running.
> Doubtful.
>
> cert-find and cert-show use different APIs in dogtag. cert-find uses the
> newer RESTful API and cert-show uses the older XML-based API (and is
> authenticated). I'm guessing that is where the issue lies.
>
> What I'd recommend doing is noting the time, restarting the CA, and then
> plow through the debug log looking for failures. It could be that the CA
> is only partially up (and I'd check your CA subsystem certs as well).
Which debug log, specifically, do you think will help? I'm also not sure 
what you mean by, "check your CA subsystem certs." We still have pending 
CSRs that we can't grant until I get this working again.
> rob
>
>> Bret
>>
>>
>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>> Digging still deeper:
>>>
>>>      # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>      communicate with CMS (503)
>>>
>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>> it has a CA but there's no CMS available?
>>>
>>>
>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>> the New Certificate dialog:
>>>>
>>>>      Empty string passed to getElementById().             (5)
>>>>      jquery.js:4:1060
>>>>      TypeError: u is undefined
>>>>      app.js:1:362059
>>>>      Empty string passed to getElementById().             (5)
>>>>      jquery.js:4:1060
>>>>      TypeError: t is undefined
>>>>      app.js:1:217432
>>>>
>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>> past month or so.
>>>>>>
>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>> and no error, either.
>>>>>>
>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>> the CA.
>>>>>>
>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>
>>>>>>      # ipa ca-find
>>>>>>      ------------
>>>>>>      1 CA matched
>>>>>>      ------------
>>>>>>        Name: ipa
>>>>>>        Description: IPA CA
>>>>>>        Authority ID: 3ce3346[...]
>>>>>>        Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>        Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>      ----------------------------
>>>>>>      Number of entries returned 1
>>>>>>      ----------------------------
>>>>>>      # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>      O=DAMASCUSGRP.COM"
>>>>>>      ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>      # klist
>>>>>>      Ticket cache: KEYRING:persistent:0:0
>>>>>>      Default principal: admin at DAMASCUSGRP.COM
>>>>>>
>>>>>>      Valid starting      Expires              Service principal
>>>>>>      04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>      krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>      #
>>>>>>
>>>>>>
>>>>>> What's my best path of recovery?
>>>>>>
>>>>>> -- 
>>>>>> *Bret Wortman*
>>>>>> The Damascus Group
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>

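Rob's advice in the thread is to check the CA subsystem certificates and then restart the CA and read its debug log. The script below is an added example, not part of the original thread and not FreeIPA or Dogtag project code. It assumes the FreeIPA 4.4 / CentOS 7 default locations (CA debug log under /var/log/pki/pki-tomcat/ca/, CA NSS database in /etc/pki/pki-tomcat/alias, CA service pki-tomcatd@pki-tomcat) and the standard certmonger nicknames for the CA subsystem certificates; the `getcert list` output it parses is constructed sample data, so the check runs offline.

```shell
#!/bin/sh
# Added example: triage a FreeIPA CA that answers cert-find but returns
# "Unable to communicate with CMS (503)" for authenticated operations.
# Paths and service names are the FreeIPA 4.4 / CentOS 7 defaults and are
# assumptions, not taken from the thread.
CA_DEBUG_LOG=/var/log/pki/pki-tomcat/ca/debug
CA_NSSDB=/etc/pki/pki-tomcat/alias

# Read `getcert list` output on stdin and print one line per tracked
# certificate that is not healthy: status other than MONITORING, or
# "stuck: yes". Exit status 0 = all healthy, 1 = at least one problem.
check_certmonger() {
  awk -v q="'" '
    function flush() {
      if (id != "" && (status != "MONITORING" || stuck == "yes")) {
        print id " " nick " status=" status " stuck=" stuck
        bad++
      }
      id = ""; status = ""; stuck = ""; nick = ""
    }
    /^Request ID/           { flush(); id = $3; gsub(q "|:", "", id) }
    /^[ \t]*status:/        { status = $2 }
    /^[ \t]*stuck:/         { stuck = $2 }
    /^[ \t]*certificate:/   { nick = $0
                              sub(".*nickname=" q, "", nick)
                              sub(q ".*", "", nick) }
    END { flush(); exit (bad > 0) }
  '
}

# Constructed sample of `getcert list` output: one healthy request and one
# CA subsystem certificate whose renewal is stuck because certmonger could
# not reach the CA. The second entry is the kind of thing that leaves the
# CA only partially up.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170425180001':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	expires: 2019-04-20 12:00:00 UTC
Request ID '20170425180002':
	status: CA_UNREACHABLE
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	expires: 2017-04-20 12:00:00 UTC
EOF
}

# Run the constructed sample through the check (this is what the offline
# run exercises).
run_sample() { sample_getcert | check_certmonger; }

# On a real server the same check is fed by certmonger itself, followed by
# Rob's restart-and-read-the-log step (commands shown, not run here):
#   date                                           # note the time first
#   getcert list | check_certmonger                # any non-MONITORING CA cert is a lead
#   for n in 'caSigningCert cert-pki-ca' 'ocspSigningCert cert-pki-ca' \
#            'subsystemCert cert-pki-ca' 'auditSigningCert cert-pki-ca' \
#            'Server-Cert cert-pki-ca'; do
#     certutil -V -u V -d "$CA_NSSDB" -n "$n"      # validity of each CA subsystem cert
#   done
#   systemctl restart pki-tomcatd@pki-tomcat.service
#   grep -iE 'exception|error|fail' "$CA_DEBUG_LOG" | tail -n 50
```

The awk parser keys on the `Request ID` line to start a record and reports at the end of each record, so a stuck entry is printed with its nickname, which is the name you then pass to certutil. Anything other than MONITORING for one of the cert-pki-ca nicknames (CA_UNREACHABLE, CA_WORKING, NEED_CSR_GEN_PIN) is where to start reading the debug log from the noted restart time.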