lejeczek via FreeIPA-users wrote:
>
>
> On 14/09/2021 20:00, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>>
>>> On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote:
>>>>
>>>> On 14/09/2021 14:13, Rob Crittenden wrote:
>>>>> lejeczek via FreeIPA-users wrote:
>>>>>> Hi guys.
>>>>>>
>>>>>> I get:
>>>>>>
>>>>>> -> $ ipa host-del c8kubernode1.private.lot
>>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>>> communicate with CMS (403)
>>>>>>
>>>>>> -> $ ipa cert-show 1
>>>>>> ipa: ERROR: Certificate operation cannot be completed: Request failed
>>>>>> with status 403: Non-2xx response from CA REST API: 403. (403)
>>>>>>
>>>>>> I searched the mailing list and what I found about certs being out of or in
>>>>>> sync I checked, I verified, but it's still possible I missed something
>>>>>> there.
>>>>> You checked and verified what?
>>>> on renewing master:
>>>> -> $ getcert list | grep status # all are MONITORING
>>>> But I think I missed it first time.
>>>> md5s of:
>>>> userCertificate:: from
>>>> -> $ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
>>>> and
>>>> -> $ cat c | grep -v '\-\-' | _my._sed-joinLines.sh
>>>> are different which, if I get it right, means that those are different
>>>> certificates, right?
>>>> And if yes then how to know which one is the right one?
>>>>
>>>> thanks, L.
>> You mentioned you did this on the renewal server. Is this the same
>> server that is throwing the 403?
> Yes, it's a primitive two-master setup, both masters fail with 'Unable
> to communicate with CMS (403)'
> So I presume ultimate is what I get from:
> putting what I get from
> $ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
> into a file and fixing it with begin/end in order to have it a .pem,
> then I do 'openssl' on such .pem file.
> then what I get from
> $ openssl x509 -noout -text -in openssl x509 -noout -text -in
> Then I 'diff' two 'openssl' outputs - if this is how to ultimately tell
> then - it's the same cert, meaning 'diff' sees no difference.
> All this I have done on only the renewal master, as of yet.

Try installing and running ipa-healthcheck. It will check for this type
of mismatch.

rob

>
> many thanks, L.
>>> But then when I do 'openssl x509 -noout -text -in' on what is in ldap
>>> then that & '/var/lib/ipa/ra-agent.pem' then it seems to be the same one
>>> certificate.
>>> I'm about to get really confused... :) (..so md5s do not work on pem
>>> files?)
>> PEM files are just ASCII text.
>>
>> rob
>>
>>>>>> I also see this: https://access.redhat.com/solutions/3624671 - which I
>>>>>> thought was a bit dated issue thus I want to ask:
>>>>>> Should that be in ipa-server-4.9.6-4 ? because my
>>>>>> '/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
>>>>>> "^/ca/rest/account/login...
>>>>> It's unfortunate that the article says it applies to 4.X which is
>>>>> quite a broad reach.
>>>>>
>>>>> The matching expression was greatly simplified. I don't believe
>>>>> this is related.
>>>>>
>>>>> rob
>>>>>
>>>>>> many thanks, L
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- [email protected]
>>>>>> To unsubscribe send an email to [email protected]
>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>>>>
>>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
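Rob's remark that PEM files are just ASCII text is why md5sums of the LDAP dump and of ra-agent.pem differ even when the certificate is the same: the hash covers the text layout (line wrapping, LDIF framing), not the certificate. The following added example, which is not from the thread or from FreeIPA, decodes the `userCertificate::` value and the PEM block back to DER and compares SHA-256 fingerprints of the DER bytes; the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for a DER-encoded certificate
# (not a real certificate). The same bytes are wrapped below as an LDIF
# "userCertificate::" value and as a PEM file: the text forms differ,
# the certificate they carry does not.
SAMPLE_DER = bytes(range(256)) * 3

def unfold_ldif(ldif_text):
    """Join LDIF continuation lines (leading space) onto the previous line.
    ldapsearch -o ldif-wrap=no avoids wrapping; this copes with the default."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def der_from_ldif(ldif_text, attr="userCertificate"):
    """DER bytes of the first 'attr:: <base64>' value (':: ' marks base64 in LDIF)."""
    for line in unfold_ldif(ldif_text):
        if line.startswith(attr + ":: "):
            return base64.b64decode(line[len(attr) + 3:])
    raise ValueError("no %s:: attribute found" % attr)

def der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block, ignoring line wrapping."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated like openssl x509 -fingerprint."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def text_md5(text):
    """md5 of the text itself, i.e. what md5sum on a .pem or an LDIF dump gives."""
    return hashlib.md5(text.encode()).hexdigest()

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

SAMPLE_LDIF = "dn: uid=ipara,ou=people,o=ipaca\nuserCertificate:: %s\n" % (
    base64.b64encode(SAMPLE_DER).decode())
SAMPLE_PEM = to_pem(SAMPLE_DER)
```

On a real server the two inputs would be the ldapsearch output quoted in the thread and /var/lib/ipa/ra-agent.pem; equal DER fingerprints mean the RA agent certificate in LDAP and on disk match, whatever md5sum says about the files.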
