[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Thu May 18 12:58:07 UTC 2017


Oops, the slapd messages are arriving every 60s, not 5m.


On 05/18/2017 08:56 AM, Bret Wortman wrote:
>
> httpd_error seems to give the most information. When I try to use ipa 
> cert-show:
>
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: ping(): SUCCESS
> (111)Connection refused: AH00957: AJP: attempt to connect to 
> 127.0.0.1:8009 (localhost) failed
> AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s
> [client 192.168.208.54:52714] AH00896: failed to make connection to 
> backend: localhost
> ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: 
> cert_show/1(u'895', version=u'2.213'): CertificateOperationError
>
> /var/log/pki/pki-tomcat/ca/debug just loops through the same set of 
> messages every 5 minutes or so but doesn't seem to error.
>
> /var/log/pki/localhost_access_log.2017-05-18.txt is basically empty 
> except for a single entry (for a POST to /ca/admin/ca/getStatus)
>
> Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access when 
> I issue the request, but periodic messages do appear about every 5 
> minutes or so.
>
>
> On 05/18/2017 08:43 AM, Bret Wortman wrote:
>> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So I can see my certs using cert-find, but can't get details using
>>>> cert-show or add new ones using cert-request.
>>>>
>>>>      # ipa cert-find
>>>>      :
>>>>      ------------------------------
>>>>      Number of entries returned 385
>>>>      ------------------------------
>>>>      # ipa cert-show 895
>>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>      communicate with CMS (503)
>>>>      # ipa cert-show 1 (which does not exist)
>>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>      communicate with CMS (503)
>>>>      # ipa cert-status 895
>>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>      communicate with CMS (503)
>>>>      #
>>>>
>>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>>> certmonger is running.
>>> Doubtful.
>>>
>>> cert-find and cert-show use different APIs in dogtag. cert-find uses 
>>> the
>>> newer RESTful API and cert-show uses the older XML-based API (and is
>>> authenticated). I'm guessing that is where the issue lies.
>>>
>>> What I'd recommend doing is noting the time, restarting the CA, and 
>>> then
>>> plow through the debug log looking for failures. It could be that 
>>> the CA
>>> is only partially up (and I'd check your CA subsystem certs as well).
>> Which debug log, specifically, do you think will help? I'm also not 
>> sure what you mean by, "check your CA subsystem certs." We still have 
>> pending CSRs that we can't grant until I get this working again.
>>> rob
>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>>> Digging still deeper:
>>>>>
>>>>>      # ipa cert-request f.f 
>>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>>>      ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>>      communicate with CMS (503)
>>>>>
>>>>> Looks like this is an HTTP error; so is it possible that my IPA 
>>>>> thinks
>>>>> it has a CA but there's no CMS available?
>>>>>
>>>>>
>>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>>> the New Certificate dialog:
>>>>>>
>>>>>>      Empty string passed to getElementById().             (5)
>>>>>>      jquery.js:4:1060
>>>>>>      TypeError: u is undefined
>>>>>>      app.js:1:362059
>>>>>>      Empty string passed to getElementById().             (5)
>>>>>>      jquery.js:4:1060
>>>>>>      TypeError: t is undefined
>>>>>>      app.js:1:217432
>>>>>>
>>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>>> "Action -> New Certificate" not do anything on this or any other 
>>>>>>> server?
>>>>>>>
>>>>>>>
>>>>>>> Bret
>>>>>>>
>>>>>>>
>>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>>> past month or so.
>>>>>>>>
>>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>>> their web server. All was good until I went to the IPA UI and 
>>>>>>>> tried
>>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>>> and no error, either.
>>>>>>>>
>>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>>> the CA.
>>>>>>>>
>>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>>
>>>>>>>>      # ipa ca-find
>>>>>>>>      ------------
>>>>>>>>      1 CA matched
>>>>>>>>      ------------
>>>>>>>>        Name: ipa
>>>>>>>>        Description IPA CA
>>>>>>>>        Authority ID: 3ce3346[...]
>>>>>>>>        Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>>>        Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>>>      ----------------------------
>>>>>>>>      Number of entries returned 1
>>>>>>>>      ----------------------------
>>>>>>>>      # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>>>      O=DAMASCUSGRP.COM"
>>>>>>>>      ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>>>      # klist
>>>>>>>>      Ticket cache: KEYRING:persistent:0:0
>>>>>>>>      Default principal: admin at DAMASCUSGRP.COM
>>>>>>>>
>>>>>>>>      Valid starting      Expires Service principal
>>>>>>>>      04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>>>      #
>>>>>>>>
>>>>>>>>
>>>>>>>> What's my best path of recovery?
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> *Bret Wortman*
>>>>>>>> The Damascus Group
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>
>
>
>
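The httpd error_log excerpt above (AH00957/AH00959/AH00896 followed by "Unable to communicate with CMS (503)") is the signature of httpd being unable to reach the Dogtag CA over AJP on 127.0.0.1:8009, which is why cert-show and cert-request fail while ipactl still reports green. The following triage script is an added example and is not part of this thread or of FreeIPA; it classifies such log lines and probes the AJP port. The sample log lines, the EXAMPLE.TEST realm and the 192.0.2.54 client address are constructed, and the host, port and service name in the diagnosis text are assumptions based on the thread.

```python
"""Triage helper for 'Unable to communicate with CMS (503)' errors.

Added example, not code from the thread or from FreeIPA. It reads Apache
httpd error_log lines, decides whether the failure is the AJP proxy to the
Dogtag CA (pki-tomcat on 127.0.0.1:8009, assumed default) being unreachable,
and can probe that port. The sample log below is constructed from the
message codes quoted in the thread.
"""
import re
import socket
from collections import Counter

# Apache mod_proxy_ajp message codes seen in the thread.
AJP_CODES = {
    "AH00957": "connect to AJP backend failed",
    "AH00959": "backend worker disabled (will retry after cooldown)",
    "AH00896": "failed to make connection to backend",
}

ERR_RE = re.compile(r"\b(AH\d{5})\b")
BACKEND_RE = re.compile(r"connect to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
CMS_RE = re.compile(r"Unable to communicate with CMS \((\d{3})\)")


def classify_line(line):
    """Return a (category, detail) tuple for one error_log line, or None."""
    m = ERR_RE.search(line)
    if m and m.group(1) in AJP_CODES:
        detail = AJP_CODES[m.group(1)]
        backend = BACKEND_RE.search(line)
        if backend:
            detail += " at %s:%s" % backend.groups()
        return ("ajp_backend", detail)
    m = CMS_RE.search(line)
    if m:
        return ("cms_error", "IPA framework got HTTP %s from CA" % m.group(1))
    return None


def triage(lines):
    """Summarise error_log lines into a diagnosis dictionary."""
    counts = Counter()
    backends = set()
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        counts[result[0]] += 1
        m = BACKEND_RE.search(line)
        if m:
            backends.add((m.group(1), int(m.group(2))))
    # A 503 from the IPA framework together with AJP connect failures means
    # httpd cannot reach pki-tomcat at all: the CA process is what to check.
    if counts["ajp_backend"] and counts["cms_error"]:
        diagnosis = ("pki-tomcat (Dogtag CA) not reachable via AJP; check "
                     "'systemctl status pki-tomcatd@pki-tomcat' and the CA "
                     "subsystem certificates (getcert list)")
    elif counts["cms_error"]:
        diagnosis = ("CA answered but returned an error; inspect "
                     "/var/log/pki/pki-tomcat/ca/debug")
    else:
        diagnosis = "no CA-related failures found"
    return {"counts": dict(counts), "backends": sorted(backends),
            "diagnosis": diagnosis}


def ajp_port_open(host="127.0.0.1", port=8009, timeout=2.0):
    """Return True if something accepts TCP connections on the AJP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample log, reproducing the codes quoted in the thread.
SAMPLE_LOG = """\
ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: ping(): SUCCESS
(111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[client 192.0.2.54:52714] AH00896: failed to make connection to backend: localhost
ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["diagnosis"])
    print("AJP 127.0.0.1:8009 accepting connections:", ajp_port_open())
```

Run it against a real log with `triage(open("/var/log/httpd/error_log").readlines())`; if the diagnosis names pki-tomcat and `ajp_port_open()` returns False on the IPA server, the CA service itself is down or only partially started, which matches Rob's suggestion to restart the CA and read its debug log from that timestamp onward.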
