<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> httpd_error seems to give the most information. When i try to use ipa cert-show: ipa: INFO: [jsonserver_kerb] <a class="moz-txt-link-abbreviated" href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a>: ping(): SUCCESS (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s [client 192.168.208.54:52714] AH00896: failed to make connection to backend: localhost ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503) ipa: INFO: [jsonserver_kerb] <a class="moz-txt-link-abbreviated" href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a>: cert_show/1(u'895', version=u'2.213'): CertificateOperationError /var/log/pki/pki-tomcat/ca/debug just loops through the same set of messages every 5 minutes or so but doesn't seem to error. /var/log/pki/localhost_access_log.2017-05-18.txt is basically empty except for a single entry (for a POST to /ca/admin/ca/getStatus) Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access when I issue the request, but periodic messages do appear about every 5 minutes or so. <div class="moz-cite-prefix">On 05/18/2017 08:43 AM, Bret Wortman wrote: </div> <blockquote cite="mid:61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com" type="cite">On 04/26/2017 06:02 PM, Rob Crittenden wrote: <blockquote type="cite">Bret Wortman wrote: <blockquote type="cite">So I can see my certs using cert-find, but can't get details using cert-show or add new ones using cert-request. 牋牋 # ipa cert-find 牋牋 : 牋牋 ------------------------------ 牋牋 Number of entries returned 385 牋牋 ------------------------------ 牋牋 # ipa cert-show 895 牋牋 ipa: ERROR: Certificate operation cannot be completed: Unable to 牋牋 communicate with CMS (503) 牋牋 # ipa cert-show 1 (which does not exist) 牋牋 ipa: ERROR: Certificate operation cannot be completed: Unable to 牋牋 communicate with CMS (503) 牋牋 # ipa cert-status 895 牋牋 ipa: ERROR: Certificate operation cannot be completed: Unable to 牋牋 communicate with CMS (503) 牋牋 # Is this an IPV6 thing? Because ipactl shows everything green and certmonger is running. </blockquote> Doubtful. cert-find and cert-show use different APIs in dogtag. cert-find uses the newer RESTful API and cert-show uses the older XML-based API (and is authenticated). I'm guessing that is where the issue lies. What I'd recommend doing is noting the time, restarting the CA, and then plow through the debug log looking for failures. It could be that the CA is only partially up (and I'd check your CA subsystem certs as well). </blockquote> Which debug log, specifically, do you think will help? I'm also not sure what you mean by, "check your CA subsystem certs." We still have pending CSRs that we can't grant until I get this working again. <blockquote type="cite">rob <blockquote type="cite">Bret On 04/26/2017 09:03 AM, Bret Wortman wrote: <blockquote type="cite">Digging still deeper: 牋牋 # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM 牋牋 ipa: ERROR: Certificate operation cannot be completed: Unable to 牋牋 communicate with CMS (503) Looks like this is an HTTP error; so is it possible that my IPA thinks it has a CA but there's no CMS available? On 04/26/2017 08:41 AM, Bret Wortman wrote: <blockquote type="cite">Using the firefox debugger, I get these errors when trying to pop up the New Certificate dialog: 牋牋 Empty string passed to getElementById().牋牋牋牋牋牋 (5) 牋牋 jquery.js:4:1060 牋牋 TypeError: u is undefined 牋牋 app.js:1:362059 牋牋 Empty string passed to getElementById().牋牋牋牋牋牋 (5) 牋牋 jquery.js:4:1060 牋牋 TypeError: t is undefined 牋牋 app.js:1:217432 I'm definitely not a web kind of guy so I'm not sure if this is helpful or not. This is on 4.4.0, API Version 2.213. Bret On 04/26/2017 08:35 AM, Bret Wortman wrote: <blockquote type="cite">Good news. One of my servers _does_ have CA installed. So why does "Action -> New Certificate" not do anything on this or any other server? Bret On 04/25/2017 02:52 PM, Bret Wortman wrote: <blockquote type="cite">I recently had to upgrade all my Fedora IPA servers to C7. It went well, and we've been up and running nicely on 4.4.0 on C7 for the past month or so. Today, someone came and asked me to generate a new certificate for their web server. All was good until I went to the IPA UI and tried to perform Actions->New Certificate, which did nothing. I tried each of our 3 servers in turn. All came back with no popup window and no error, either. I suspect the problem might be that we no longer have a CA server due to the method I used to upgrade the servers. I likely missed a "--setup-ca" in there somewhere, so my rolling update rolled over the CA. What's my best hope of recovery? I never ran this before, so I'm not sure if this shows that I'm missing a CA or not: 牋牋 # ipa ca-find 牋牋 ------------ 牋牋 1 CA matched 牋牋 ------------ 牋牋牋 Name: ipa 牋牋牋 Description IPA CA 牋牋牋 Authority ID: 3ce3346[...] 牋牋牋 Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM 牋牋牋 Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM 牋牋 ---------------------------- 牋牋 Number of entries returned 1 牋牋 ---------------------------- 牋牋 # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, 牋牋 O=DAMASCUSGRP.COM" 牋牋 ipa: ERROR: Failed to authenticate to CA REST API 牋牋 # klist 牋牋 Ticket cache: KEYRING:persistent:0:0 牋牋 Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a> 牋牋 Valid starting牋牋� Expires牋牋牋牋牋牋� Service principal 牋牋 04/25/2017 18:48:26 04/26/2017 18:48:21 牋牋 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM">krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM</a> 牋牋 # What's my best path of recovery? --� *Bret Wortman* The Damascus Group </blockquote> </blockquote> </blockquote> </blockquote> </blockquote> </blockquote> </blockquote> </body> </html>