On 2/25/20 6:25 PM, Chris Bacott via FreeIPA-users wrote:
> Thank you for the reply. There are no errors with getting any certs at all,
> that's why this is baffling me. The 403 error is making me think this is either
> an Apache or Tomcat issue.

Strange issue, indeed. You can enable debug logs:

Create a config file:

    $ cat /etc/ipa/server.conf
    [global]
    debug = True

Then restart apache with "systemctl restart httpd".

You may get more information in /var/log/httpd/error_log. The "ipa
host-del" command should also trigger a log like the following in
/var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt:

    10.37.171.197 - - [25/Feb/2020:18:59:08 +0100] "POST /ca/rest/certs/search?size=2147483647 HTTP/1.1" 200 142

and in /var/log/pki/pki-tomcat/ca/debug, the relevant log will start after

    SessionContextInterceptor: CertResource.searchCerts()

and show if authentication is tried.
In my case I can see "AuthMethodInterceptor: anonymous access allowed".

Let's see if IPA framework is at least initiating a connection to PKI.

flo

> # ipa cert-show 1
>   Issuing CA: ipa
>   Certificate: <snip>
>   Subject: CN=Certificate Authority,O=<snip>
>   Issuer: CN=Certificate Authority,O=<snip>
>   Not Before: Fri Feb 07 17:29:50 2020 UTC
>   Not After: Tue Feb 07 17:29:50 2040 UTC
>   Serial number: 1
>   Serial number (hex): 0x1
>   Revoked: False
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
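
The access-log check described in the reply above, as an added example that is not part of the original thread: it parses lines in the format quoted there, keeps only requests under /ca/rest/, and lists the ones PKI refused. The function names and every sample line except the first are constructed for illustration; an empty result for the time of the "ipa host-del" run would mean the request never reached pki-tomcat.

```python
import re
from collections import Counter

# Matches the access-log line format quoted in the reply:
# host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Sample input: the first line is the one from the reply; the rest are constructed.
SAMPLE_LOG = """\
10.37.171.197 - - [25/Feb/2020:18:59:08 +0100] "POST /ca/rest/certs/search?size=2147483647 HTTP/1.1" 200 142
192.0.2.10 - - [25/Feb/2020:19:01:12 +0100] "POST /ca/rest/certs/search?size=2147483647 HTTP/1.1" 403 -
192.0.2.10 - - [25/Feb/2020:19:01:13 +0100] "GET /ca/example/not-rest HTTP/1.1" 200 1105
this line is truncated and should be skipped
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["endpoint"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def ca_rest_requests(text, prefix="/ca/rest/"):
    """Keep only requests to the CA REST API; unparseable lines are skipped."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [r for r in parsed if r and r["endpoint"].startswith(prefix)]

def summarize(records):
    """Count (endpoint, status) pairs and collect requests with status >= 400."""
    counts = Counter((r["endpoint"], r["status"]) for r in records)
    failures = [r for r in records if r["status"] >= 400]
    return counts, failures

if __name__ == "__main__":
    counts, failures = summarize(ca_rest_requests(SAMPLE_LOG))
    for (endpoint, status), n in sorted(counts.items()):
        print(f"{status} {endpoint} x{n}")
    for r in failures:
        print(f"REFUSED {r['time']} {r['host']} {r['method']} {r['path']} -> {r['status']}")
```

To use it on a real server, pass the contents of the localhost_access_log file for the day in question instead of SAMPLE_LOG.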