KodaK wrote:
Hey everyone,

A couple of days ago I started getting the following message:

[jebalicki@slpidml01 ~]$ ipa cert-show 1
ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
ipa: INFO: Forwarding 'cert_show' to server
u'https://slpidml01.unix.xxx.com/ipa/xml'
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

I get a similar error in the GUI when looking at hosts.

slpidml01 is my "master" -- the one I initially built.  The other
replicas also replicated the CA.

After some digging (and prompting from Red Hat support) I've found the
following:

[root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
<http://slpidml01.unix.xxx.com> -D "cn=Directory Manager" -W -b
"dc=unix,dc=xxx,dc=com" -x
ldap_start_tls: Connect error (-11)
         additional info: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user.

But, interestingly, from another replica:

[jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
<http://slpidml01.unix.xxx.com> -D "cn=Directory Manager" -W -b
"dc=unix,dc=xxx,dc=com" -x
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=xxx,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
...

So, obviously some certificate got hosed up somewhere.  I've been
digging but I haven't found it yet.

Anyone have any ideas?

I have a ticket open with RH support, but I think I somehow got put with
someone with a completely different sleep schedule -- I get replies at 3
in the morning.  So, I'm asking here because I'm impatient. :)

Check certificate expiration. Run getcert list to see what the status is.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to