Setup:
Cluster of 3 FreeIPA Masters with one as the CA Renewal Master
ipa version 4.8.4

Problem:
One of our certs for one of our servers recently expired, but it was supposed to auto-renew. Looking into the issue I found that I couldn't access any certs via CLI or the webUI. When trying to do either, I get the following error:

    IPA Error 4301: CertificateOperationError
    Certificate operation cannot be completed: Unable to communicate with CMS (403)

After doing some research it seems the issue may be with the IPA RA, though I found a userCertificate in the LDAP that was issued the same day as the one being used by the ipa server (it had the userCertificate being used by the ipa server as well as another userCertificate, both have the same dates, but different certificates), changing the ra-agent.pem did not seem to solve any problems.

Looking in /var/log/pki/pki-tomcat/ca/debug I found the following errors:

    WARNING: CertProcessor: No authenticator credentials required
    SEVERE: AgentCertAuthentication: No SSL Client Certs Found
    SEVERE: CAProcessor: authentication error: Invalid Credential.

I'm a little lost and not sure what to do next, any help would be greatly appreciated.