On 04/28/2017 02:57 PM, Bret Wortman wrote:
Flo,

I did find that issue and made those corrections to our /etc/hosts file,
but the problem persists.

Thanks for the idea!

After the change, did you restart PKI?



Bret



On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote:
On 04/26/2017 04:33 PM, Bret Wortman wrote:
So I can see my certs using cert-find, but can't get details using
cert-show or add new ones using cert-request.

    # ipa cert-find
    :
    ------------------------------
    Number of entries returned 385
    ------------------------------
    # ipa cert-show 895
    ipa: ERROR: Certificate operation cannot be completed: Unable to
    communicate with CMS (503)
    # ipa cert-show 1 (which does not exist)
    ipa: ERROR: Certificate operation cannot be completed: Unable to
    communicate with CMS (503)
    # ipa cert-status 895
    ipa: ERROR: Certificate operation cannot be completed: Unable to
    communicate with CMS (503)
    #

Is this an IPv6 thing? Because ipactl shows everything green and
certmonger is running.

Hi Bret,

the issue looks similar to https://pagure.io/freeipa/issue/6575 and
https://pagure.io/dogtagpki/issue/2570 which were IPv6 related. Note
that IPv6 must be enabled on the machine but IPA does not require an
IPv6 address to be configured (except for the loopback).

You can check the following:
- is PKI listening on port 8009 on the IPv6 or the IPv4 interface?
sudo netstat -tunpl | grep 8009
tcp6       0      0 127.0.0.1:8009          :::* LISTEN 10749/java

- /etc/pki/pki-tomcat/server.xml defines a redirection from port 8009
to 8443, and the "address" part is important:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="localhost" />

In the above example, it will be using localhost which can resolve
either to IPv4 or IPv6.

- /etc/hosts must define the loopback addresses with
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

HTH,
Flo.
Bret
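The three checks Flo lists above (AJP listener on 8009, the Connector "address" in server.xml, and the loopback entries in /etc/hosts) can be scripted so they are applied consistently on every replica. This is an added example, not code from the thread or from FreeIPA; the sample netstat output, server.xml fragment and hosts lines are constructed to mirror what the thread shows.

```bash
#!/bin/bash
# Added helper: each function takes its input as text, so it can be run against
# captured output from a host as well as against the constructed samples below.

# Local address the 8009 (AJP) listener is bound to, taken from `netstat -tunpl`.
ajp_bind_addr() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ && $4 ~ /:8009$/ && $6 == "LISTEN" {
        sub(/:8009$/, "", $4); print $4; exit }'
}

# Value of the "address" attribute on the Connector with port="8009" in server.xml
# (empty if the attribute is absent). The file is flattened so multi-line elements match.
ajp_connector_address() {
    printf '%s\n' "$1" | tr '\n' ' ' \
      | grep -oE '<Connector[^>]*port="8009"[^>]*>' \
      | grep -oE 'address="[^"]*"' | cut -d'"' -f2
}

# Which loopback lines of /etc/hosts carry the given name: "4", "6", "46" or "".
hosts_has_loopback() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) v4 = 1 }
        $1 == "::1"       { for (i = 2; i <= NF; i++) if ($i == n) v6 = 1 }
        END { printf "%s%s", (v4 ? "4" : ""), (v6 ? "6" : "") }'
}

# Verdict: args are netstat output, server.xml content, /etc/hosts content.
ajp_check() {
    local bind addr loop
    bind=$(ajp_bind_addr "$1"); addr=$(ajp_connector_address "$2")
    [ -z "$bind" ] && { echo "fail: nothing listening on 8009"; return 1; }
    case "$addr" in
        '') echo "warn: 8009 connector has no address attribute; listener on $bind:8009" ;;
        *[!0-9.:]*)  # a hostname such as localhost: may resolve to IPv4 or IPv6
            loop=$(hosts_has_loopback "$3" "$addr")
            if [ "$loop" = 46 ]; then
                echo "ok: $addr maps to 127.0.0.1 and ::1; listener on $bind:8009"
            else
                echo "fail: $addr on loopback v[${loop:-none}] only; needs 127.0.0.1 and ::1"; return 1
            fi ;;
        *)  echo "ok: connector bound to literal $addr; listener on $bind:8009" ;;
    esac
}

# Constructed samples (not captured from a real host).
NETSTAT_SAMPLE='tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      10749/java'
SERVER_XML_SAMPLE='<Connector port="8009"
        protocol="AJP/1.3"
        redirectPort="8443"
        address="localhost" />'
HOSTS_GOOD='127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6'
HOSTS_BAD='127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4'

echo "good hosts: $(ajp_check "$NETSTAT_SAMPLE" "$SERVER_XML_SAMPLE" "$HOSTS_GOOD")"
echo "bad hosts:  $(ajp_check "$NETSTAT_SAMPLE" "$SERVER_XML_SAMPLE" "$HOSTS_BAD")"
```

On a live server the same verdict comes from `ajp_check "$(sudo netstat -tunpl)" "$(cat /etc/pki/pki-tomcat/server.xml)" "$(cat /etc/hosts)"`; a "fail" on the hosts check is the case Flo describes, where the name in the Connector resolves to only one of the loopback addresses.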


On 04/26/2017 09:03 AM, Bret Wortman wrote:

Digging still deeper:

    # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
    ipa: ERROR: Certificate operation cannot be completed: Unable to
    communicate with CMS (503)

Looks like this is an HTTP error; so is it possible that my IPA thinks
it has a CA but there's no CMS available?


On 04/26/2017 08:41 AM, Bret Wortman wrote:

Using the firefox debugger, I get these errors when trying to pop up
the New Certificate dialog:

    Empty string passed to getElementById().             (5)
    jquery.js:4:1060
    TypeError: u is undefined
    app.js:1:362059
    Empty string passed to getElementById().             (5)
    jquery.js:4:1060
    TypeError: t is undefined
    app.js:1:217432

I'm definitely not a web kind of guy so I'm not sure if this is
helpful or not. This is on 4.4.0, API Version 2.213.


Bret


On 04/26/2017 08:35 AM, Bret Wortman wrote:

Good news. One of my servers _does_ have CA installed. So why does
"Action -> New Certificate" not do anything on this or any other
server?


Bret


On 04/25/2017 02:52 PM, Bret Wortman wrote:

I recently had to upgrade all my Fedora IPA servers to C7. It went
well, and we've been up and running nicely on 4.4.0 on C7 for the
past month or so.

Today, someone came and asked me to generate a new certificate for
their web server. All was good until I went to the IPA UI and tried
to perform Actions->New Certificate, which did nothing. I tried
each of our 3 servers in turn. All came back with no popup window
and no error, either.

I suspect the problem might be that we no longer have a CA server
due to the method I used to upgrade the servers. I likely missed a
"--setup-ca" in there somewhere, so my rolling update rolled over
the CA.

What's my best hope of recovery? I never ran this before, so I'm
not sure if this shows that I'm missing a CA or not:

    # ipa ca-find
    ------------
    1 CA matched
    ------------
      Name: ipa
      Description IPA CA
      Authority ID: 3ce3346[...]
      Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
      Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
    ----------------------------
    Number of entries returned 1
    ----------------------------
    # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
    O=DAMASCUSGRP.COM"
    ipa: ERROR: Failed to authenticate to CA REST API
    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: ad...@damascusgrp.com

    Valid starting      Expires              Service principal
    04/25/2017 18:48:26 04/26/2017 18:48:21
    krbtgt/damascusgrp....@damascusgrp.com
    #


What's my best path of recovery?

--
*Bret Wortman*
The Damascus Group

--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project