[Freeipa-users] I think I lost my CA...
Bret Wortman
bret.wortman at damascusgrp.com
Thu May 18 12:58:07 UTC 2017
Oops, the slapd messages are arriving every 60s, not 5m.
On 05/18/2017 08:56 AM, Bret Wortman wrote:
>
> httpd_error seems to give the most information. When I try to use ipa
> cert-show:
>
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: ping(): SUCCESS
> (111)Connection refused: AH00957: AJP: attempt to connect to
> 127.0.0.1:8009 (localhost) failed
> AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s
> [client 192.168.208.54:52714] AH00896: failed to make connection to
> backend: localhost
> ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM:
> cert_show/1(u'895', version=u'2.213'): CertificateOperationError
>
> /var/log/pki/pki-tomcat/ca/debug just loops through the same set of
> messages every 5 minutes or so but doesn't seem to error.
>
> /var/log/pki/localhost_access_log.2017-05-18.txt is basically empty
> except for a single entry (for a POST to /ca/admin/ca/getStatus)
>
> Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access when
> I issue the request, but periodic messages do appear about every 5
> minutes or so.
>
>
> On 05/18/2017 08:43 AM, Bret Wortman wrote:
>> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So I can see my certs using cert-find, but can't get details using
>>>> cert-show or add new ones using cert-request.
>>>>
>>>> # ipa cert-find
>>>> :
>>>> ------------------------------
>>>> Number of entries returned 385
>>>> ------------------------------
>>>> # ipa cert-show 895
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> # ipa cert-show 1 (which does not exist)
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> # ipa cert-status 895
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> #
>>>>
>>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>>> certmonger is running.
>>> Doubtful.
>>>
>>> cert-find and cert-show use different APIs in dogtag. cert-find uses
>>> the
>>> newer RESTful API and cert-show uses the older XML-based API (and is
>>> authenticated). I'm guessing that is where the issue lies.
>>>
>>> What I'd recommend doing is noting the time, restarting the CA, and
>>> then
>>> plow through the debug log looking for failures. It could be that
>>> the CA
>>> is only partially up (and I'd check your CA subsystem certs as well).
>> Which debug log, specifically, do you think will help? I'm also not
>> sure what you mean by, "check your CA subsystem certs." We still have
>> pending CSRs that we can't grant until I get this working again.
>>> rob
>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>>> Digging still deeper:
>>>>>
>>>>> # ipa cert-request f.f
>>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>> communicate with CMS (503)
>>>>>
>>>>> Looks like this is an HTTP error; so is it possible that my IPA
>>>>> thinks
>>>>> it has a CA but there's no CMS available?
>>>>>
>>>>>
>>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>>> the New Certificate dialog:
>>>>>>
>>>>>> Empty string passed to getElementById(). (5)
>>>>>> jquery.js:4:1060
>>>>>> TypeError: u is undefined
>>>>>> app.js:1:362059
>>>>>> Empty string passed to getElementById(). (5)
>>>>>> jquery.js:4:1060
>>>>>> TypeError: t is undefined
>>>>>> app.js:1:217432
>>>>>>
>>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>>> server?
>>>>>>>
>>>>>>>
>>>>>>> Bret
>>>>>>>
>>>>>>>
>>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>>> past month or so.
>>>>>>>>
>>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>>> their web server. All was good until I went to the IPA UI and
>>>>>>>> tried
>>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>>> and no error, either.
>>>>>>>>
>>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>>> the CA.
>>>>>>>>
>>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>>
>>>>>>>> # ipa ca-find
>>>>>>>> ------------
>>>>>>>> 1 CA matched
>>>>>>>> ------------
>>>>>>>> Name: ipa
>>>>>>>> Description IPA CA
>>>>>>>> Authority ID: 3ce3346[...]
>>>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 1
>>>>>>>> ----------------------------
>>>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>>> O=DAMASCUSGRP.COM"
>>>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>>> # klist
>>>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>>>
>>>>>>>> Valid starting Expires Service principal
>>>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>>> #
>>>>>>>>
>>>>>>>>
>>>>>>>> What's my best path of recovery?
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Bret Wortman*
>>>>>>>> The Damascus Group
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>
>
>
>
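Added example, not from the thread and not FreeIPA or Dogtag code: a small Python triage script that reads the httpd error lines and ipa client errors quoted above and maps each recognisable symptom to the subsystem an admin should check next (the AJP connector that pki-tomcatd should be listening on, the mod_proxy worker that httpd benched, the IPA-to-CMS proxy path, and the REST authentication failure). The sample lines are constructed from the messages in the thread; the subsystem labels, the advice strings and the `probe_tcp` helper are this example's own assumptions.

```python
"""Triage a FreeIPA CA that answers 'Unable to communicate with CMS (503)'.

Example code added to this thread; it is not part of FreeIPA or Dogtag.
It classifies log lines by regular expression and, when run directly, also
probes the AJP backend named in the log to confirm whether anything listens.
"""
import re
import socket

# Constructed sample: the httpd error-log and ipa messages quoted in the thread.
SAMPLE_LINES = [
    "ipa: INFO: [jsonserver_kerb] admin@DAMASCUSGRP.COM: ping(): SUCCESS",
    "(111)Connection refused: AH00957: AJP: attempt to connect to "
    "127.0.0.1:8009 (localhost) failed",
    "AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s",
    "[client 192.168.208.54:52714] AH00896: failed to make connection to "
    "backend: localhost",
    "ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)",
    "ipa: ERROR: Failed to authenticate to CA REST API",
]

# (pattern, subsystem, advice). Patterns follow the quoted log text; the
# subsystem names and advice are this example's own, not FreeIPA's wording.
RULES = [
    (re.compile(r"AJP: attempt to connect to (\S+) \((\S+)\) failed"),
     "pki-tomcatd",
     "nothing accepted the AJP connection; check the pki-tomcatd service "
     "and /var/log/pki/pki-tomcat/ca/debug around that timestamp"),
    (re.compile(r"AH00959: ap_proxy_connect_backend disabling worker for "
                r"\((\S+)\) for (\d+)s"),
     "httpd",
     "mod_proxy benched the backend worker; every CA call fails until the "
     "retry window elapses, so fix the backend before retesting"),
    (re.compile(r"Unable to communicate with CMS \((\d+)\)"),
     "ipa-ca proxy",
     "the IPA framework never reached Dogtag; the HTTP status comes from "
     "the proxy, not from the CA, so CMS-side logs will look quiet"),
    (re.compile(r"Failed to authenticate to CA REST API"),
     "dogtag REST auth",
     "the CA answered but rejected the RA agent; verify the CA subsystem "
     "certificates and their expiry (e.g. with 'getcert list')"),
]


def triage(lines):
    """Return one finding per subsystem, in order of first appearance."""
    findings, seen = [], set()
    for line in lines:
        for pattern, subsystem, advice in RULES:
            match = pattern.search(line)
            if match and subsystem not in seen:
                seen.add(subsystem)
                findings.append({
                    "subsystem": subsystem,
                    "evidence": line.strip(),
                    "detail": match.groups(),
                    "advice": advice,
                })
    return findings


def ajp_target(findings):
    """(host, port) of the AJP backend named in the log, or None if absent."""
    for finding in findings:
        if finding["subsystem"] == "pki-tomcatd":
            host, _, port = finding["detail"][0].rpartition(":")
            return host, int(port)
    return None


def probe_tcp(host, port, timeout=2.0):
    """True when a TCP connect to host:port succeeds; used only when run live."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for finding in results:
        print(f"[{finding['subsystem']}] {finding['evidence']}")
        print(f"    -> {finding['advice']}")
    target = ajp_target(results)
    if target:
        host, port = target
        state = "open" if probe_tcp(host, port) else "closed"
        print(f"AJP connector {host}:{port} is {state} on this host")
```

Run it on a real server by feeding `/var/log/httpd/error_log` lines to `triage()` instead of `SAMPLE_LINES`; a closed AJP connector with an `ipactl status` that is all green is exactly the "CA only partially up" picture Rob describes.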