Prior to running yum update on one of our IPA servers running RHEL8 version
4.9.6-6, ipa-healthcheck showed no errors. After running the update to
4.9.6-10, healthcheck threw "non-2xx response from CA REST API: 403" errors:
[root@ipa1 ~]# ipa-healthcheck --failures-only
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "0fcf1f94-16d3-4f33-aabc-446403a8190f",
"when": "20211222175722Z",
"duration": "0.715360",
"kw": {
"msg": "Request for certificate failed, Certificate operation cannot be
completed: Request failed with status 403: Non-2xx response from CA REST API:
403. (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "969b76e2-bda7-4d47-a76b-fa48b59e469f",
"when": "20211222175735Z",
"duration": "1.208329",
"kw": {
"key": "20210406003327",
"serial": 7,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "696f34d9-e965-4d23-8a60-192811cedd51",
"when": "20211222175735Z",
"duration": "1.479161",
"kw": {
"key": "20210406003320",
"serial": 5,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "bd716c75-de8b-4893-9e6e-f474dcf898a6",
"when": "20211222175735Z",
"duration": "1.747070",
"kw": {
"key": "20210406003321",
"serial": 2,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "59815cd0-e48c-47bf-965f-c089bcf0f2dd",
"when": "20211222175736Z",
"duration": "2.021750",
"kw": {
"key": "20210406003322",
"serial": 4,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "ea34c649-7823-4c35-b54d-7b3aaf8677c8",
"when": "20211222175736Z",
"duration": "2.291332",
"kw": {
"key": "20210406003323",
"serial": 1,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "8ed4da7b-dec9-4dc5-ad05-ac7064181481",
"when": "20211222175736Z",
"duration": "2.567577",
"kw": {
"key": "20210406003326",
"serial": 3,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "faf9b70b-333e-4e08-a211-bd887c346d13",
"when": "20211222175736Z",
"duration": "2.723022",
"kw": {
"key": "20211130180109",
"serial": 20,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "6f4097a7-c62a-4771-9019-90c3fa8d0e80",
"when": "20211222175737Z",
"duration": "2.985982",
"kw": {
"key": "20210406003328",
"serial": 8,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "1e7bfdc0-6dbf-4d0c-a102-86b312c8181e",
"when": "20211222175737Z",
"duration": "3.136052",
"kw": {
"key": "20201110192416",
"serial": 10,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
}
]
Logging into web ui works, but when clicking through to the Authentication tab,
the following error pops:
IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)
About three weeks ago, we had replication issues with this particular server
but resolved them with Rob's help. See the thread here:
https://lists.fedorahosted.org/archives/list/[email protected]/message/NXOVGLHLZWU7GQJTPNLSWYYNLHZVF6UT/
Any help would be appreciated. Thanks,
Scott
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
