[Freeipa-users] Re: Unable to communicate with CMS (403)

Tue, 14 Sep 2021 07:11:42 -0700 


On 14/09/2021 14:13, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys.

I get:

-> $ ipa host-del c8kubernode1.private.lot
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (403)

-> $ ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Request failed
with status 403: Non-2xx response from CA REST API: 403. (403)

I searched mailing list and what I found about certs being out or in
sync I checked, I verified but it's still possible I missed something
there.

You checked and verified what?

on renewing master:
-> $ getcert list | grep status # all are MONITORING
But I think I missed it first time.
md5s of:
userCertificate:: from

-> $ ldapsearch -D cn=directory\ manager -b 
uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no

and

-> $ cat /var/lib/ipa/ra-agent.pem | grep -v '\-\-' | 
_my._sed-joinLines.sh
are different which, if I get it right, means that those are 
different certificates, right?

And if yes then how to know which one is the right one?

thanks, L.



I also see this: https://access.redhat.com/solutions/3624671 - which I
thought was a bit dated issue thus I want to ask:
Should that be in ipa-server-4.9.6-4 ? because my
'/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
"^/ca/rest/account/login...

It's unfortunate that the article says it applies to 4.X which is quite
a broad reach.

The matching expression was greatly simplified. I don't believe this is
related.

rob


many thanks, L
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure






















					Reply via email to