Thanks for the link, Ferrão!

Using the information from that thread, I inspected the contents of 
/etc/pki/pki-tomcat/server.xml and noticed that on lines 129 and 171, there 
were two values listed: one for secret= and one for requiredSecret=. In 
addition, the two secrets were different. Only the “secret=” value matched what 
was located in the /etc/httpd/conf.d/ipa-pki-proxy.conf for the ProxyPassMatch 
statements that Rob referred to in the thread you linked. I went ahead and 
changed the value of “requiredSecret=” to be the same in server.xml, restarted 
IPA services, and the error was resolved!

Questions unanswered: where did this other (incorrect) value for requiredSecret 
come from? Some sort of failure in the upgrade script? Having both secret and 
requiredSecret specified (both with the same correct value) is now required in 
/etc/pki/pki-tomcat/server.xml? Looking at the other not-yet-upgraded IPA 
servers, that line only lists secret=.

Fixed line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 
4.9.6-10:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
address="localhost4" name="Connector1" 
secret="123456789abcdefghijklmnopqrstuvwxyz" 
requiredSecret="123456789abcdefghijklmnopqrstuvwxyz"/>

Line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 4.9.6-6:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
address="localhost4" name="Connector1" 
secret="123456789abcdefghijklmnopqrstuvwxyz "/>

-Scott
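
The condition Scott describes above (httpd's ProxyPassMatch statements carry one AJP secret, Tomcat's AJP connector carries a different one in requiredSecret=) can be checked mechanically before and after an upgrade. The script below is an added example, not code from this thread or from the FreeIPA or Dogtag projects. It parses the AJP connector attributes from a server.xml document and the secret= parameter from ProxyPassMatch lines, then reports, per attribute, whether the value matches the proxy side. Assumptions: the ProxyPassMatch lines follow the shape "ProxyPassMatch <pattern> ajp://<host:port> secret=<value>", and the two sample configs embedded in the script are constructed with placeholder secrets, not real ones. It does not decide whether requiredSecret= must be present (that question is still open in the thread); an attribute that is absent is reported as "absent", and only a present attribute that disagrees with httpd is treated as a fault. Values that differ only by surrounding whitespace inside the quotes are reported separately, since that is easy to miss by eye.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the AJP connector stanza in
# /etc/pki/pki-tomcat/server.xml. Secret values are placeholders, not real ones.
SERVER_XML_BROKEN = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost4" name="Connector1"
               secret="PLACEHOLDER-PROXY-SECRET"
               requiredSecret="PLACEHOLDER-STALE-SECRET"/>
  </Service>
</Server>
"""

# Same stanza with requiredSecret brought in line with secret (the fix applied in the thread).
SERVER_XML_FIXED = SERVER_XML_BROKEN.replace("PLACEHOLDER-STALE-SECRET", "PLACEHOLDER-PROXY-SECRET")

# Constructed lines in the assumed shape of the ProxyPassMatch statements in
# /etc/httpd/conf.d/ipa-pki-proxy.conf: "ProxyPassMatch <pattern> ajp://host:port secret=VALUE".
PROXY_CONF = """# CA endpoints proxied to Dogtag over AJP
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009 secret=PLACEHOLDER-PROXY-SECRET
ProxyPassMatch ^/ca/rest/certs ajp://localhost:8009 secret=PLACEHOLDER-PROXY-SECRET
"""

SECRET_ATTRS = ("secret", "requiredSecret")
PROXY_SECRET_RE = re.compile(r"^\s*ProxyPassMatch\s+\S+\s+ajp://\S+\s+secret=(\S+)", re.MULTILINE)


def proxy_secrets(conf_text):
    """Distinct secret= values found on ProxyPassMatch ... ajp:// lines."""
    return set(PROXY_SECRET_RE.findall(conf_text))


def ajp_connectors(server_xml_text):
    """Attribute dict of every <Connector protocol="AJP/1.3"> element in server.xml."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector") if c.get("protocol") == "AJP/1.3"]


def classify(value, expected):
    """Compare one connector attribute value against the proxy-side secret."""
    if value is None:
        return "absent"
    if value == expected:
        return "ok"
    if value.strip() == expected.strip():
        return "whitespace-only"  # same token, but stray whitespace inside the quotes
    return "mismatch"


def check_ajp_secrets(server_xml_text, conf_text):
    """Return {"expected": <proxy secret>, "connectors": [{attr: status, ...}, ...]}.

    If the proxy config does not yield exactly one secret, an "error" key is set
    instead, because there is then nothing unambiguous to compare against.
    """
    secrets = proxy_secrets(conf_text)
    if len(secrets) != 1:
        return {"expected": None, "connectors": [], "error": f"{len(secrets)} distinct proxy secrets"}
    expected = secrets.pop()
    report = [{a: classify(attrs.get(a), expected) for a in SECRET_ATTRS}
              for attrs in ajp_connectors(server_xml_text)]
    return {"expected": expected, "connectors": report}


def consistent(result):
    """True when every secret attribute present on every AJP connector matches httpd."""
    if result.get("error") is not None:
        return False
    return all(status in ("ok", "absent") for conn in result["connectors"] for status in conn.values())


if __name__ == "__main__":
    # On a real server, read the two files instead of the embedded samples.
    for label, xml_text in (("before fix", SERVER_XML_BROKEN), ("after fix", SERVER_XML_FIXED)):
        result = check_ajp_secrets(xml_text, PROXY_CONF)
        verdict = "consistent" if consistent(result) else "INCONSISTENT"
        print(f"{label}: {verdict} {result['connectors']}")
```

Run it as-is to see the constructed "before fix" stanza flagged on requiredSecret and the "after fix" stanza pass; on a real server, replace the two embedded samples with the contents of the two files and run it once before the upgrade and once after, so a secret that the upgrade rewrote on only one side shows up before the 403s do.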

From: Vinícius Ferrão <[email protected]>
Sent: Wednesday, December 22, 2021 11:15 AM
To: FreeIPA users list <[email protected]>
Cc: Dungan, Scott A. <[email protected]>
Subject: Re: [Freeipa-users] IPA Server Upgrade: CA REST API: 403 error

Sorry. Wrong link. This is the one: 
https://www.mail-archive.com/[email protected]/msg12583.html
Sent from my iPhone


On 22 Dec 2021, at 16:14, Vinícius Ferrão <[email protected]> wrote:

Is this related?

https://pagure.io/freeipa/issue/9041
Sent from my iPhone


On 22 Dec 2021, at 15:35, Dungan, Scott A. via FreeIPA-users 
<[email protected]> wrote:

Prior to running yum update on one of our IPA servers running RHEL8 version 
4.9.6-6, ipa-healthcheck showed no errors. After running the update to 
4.9.6-10, healthcheck threw “non-2xx response from CA REST API: 403” errors:

[root@ipa1 ~]# ipa-healthcheck --failures-only
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA 
REST API: 403.  (403)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "0fcf1f94-16d3-4f33-aabc-446403a8190f",
    "when": "20211222175722Z",
    "duration": "0.715360",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot be 
completed: Request failed with status 403: Non-2xx response from CA REST API: 
403.  (403)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "969b76e2-bda7-4d47-a76b-fa48b59e469f",
    "when": "20211222175735Z",
    "duration": "1.208329",
    "kw": {
      "key": "20210406003327",
      "serial": 7,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "696f34d9-e965-4d23-8a60-192811cedd51",
    "when": "20211222175735Z",
    "duration": "1.479161",
    "kw": {
      "key": "20210406003320",
      "serial": 5,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "bd716c75-de8b-4893-9e6e-f474dcf898a6",
    "when": "20211222175735Z",
    "duration": "1.747070",
    "kw": {
      "key": "20210406003321",
      "serial": 2,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "59815cd0-e48c-47bf-965f-c089bcf0f2dd",
    "when": "20211222175736Z",
    "duration": "2.021750",
    "kw": {
      "key": "20210406003322",
      "serial": 4,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "ea34c649-7823-4c35-b54d-7b3aaf8677c8",
    "when": "20211222175736Z",
    "duration": "2.291332",
    "kw": {
      "key": "20210406003323",
      "serial": 1,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "8ed4da7b-dec9-4dc5-ad05-ac7064181481",
    "when": "20211222175736Z",
    "duration": "2.567577",
    "kw": {
      "key": "20210406003326",
      "serial": 3,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "faf9b70b-333e-4e08-a211-bd887c346d13",
    "when": "20211222175736Z",
    "duration": "2.723022",
    "kw": {
      "key": "20211130180109",
      "serial": 20,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "6f4097a7-c62a-4771-9019-90c3fa8d0e80",
    "when": "20211222175737Z",
    "duration": "2.985982",
    "kw": {
      "key": "20210406003328",
      "serial": 8,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "1e7bfdc0-6dbf-4d0c-a102-86b312c8181e",
    "when": "20211222175737Z",
    "duration": "3.136052",
    "kw": {
      "key": "20201110192416",
      "serial": 10,
      "error": "Certificate operation cannot be completed: Request failed with 
status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} 
failed: {error}"
    }
  }
]

Logging into web ui works, but when clicking through to the Authentication tab, 
the following error pops:

IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)

About three weeks ago, we had replication issues with this particular server 
but resolved them with Rob’s help.  See the thread here: 
https://lists.fedorahosted.org/archives/list/[email protected]/message/NXOVGLHLZWU7GQJTPNLSWYYNLHZVF6UT/

Any help would be appreciated. Thanks,

Scott

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure