On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden <[email protected]> wrote:

> KodaK wrote:
>
>> Hey everyone,
>>
>> A couple of days ago I started getting the following message:
>>
>> [jebalicki@slpidml01 ~]$ ipa cert-show 1
>> ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
>> ipa: INFO: Forwarding 'cert_show' to server
>> u'https://slpidml01.unix.xxx.com/ipa/xml'
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>> I get a similar error in the GUI when looking at hosts.
>>
>> slpidml01 is my "master" -- the one I initially built. The other
>> replicas also replicated the CA.
>>
>> After some digging (and prompting from Red Hat support) I've found the
>> following:
>>
>> [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
>> -D "cn=Directory Manager" -W -b
>> "dc=unix,dc=xxx,dc=com" -x
>> ldap_start_tls: Connect error (-11)
>>         additional info: TLS error -8172:Peer's certificate issuer has
>> been marked as not trusted by the user.
>>
>> But, interestingly, from another replica:
>>
>> [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com
>> -D "cn=Directory Manager" -W -b
>> "dc=unix,dc=xxx,dc=com" -x
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=unix,dc=xxx,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> ...
>>
>> So, obviously some certificate got hosed up somewhere. I've been
>> digging but I haven't found it yet.
>>
>> Anyone have any ideas?
>>
>> I have a ticket open with RH support, but I think I somehow got put with
>> someone with a completely different sleep schedule -- I get replies at 3
>> in the morning. So, I'm asking here because I'm impatient. :)
>>
>
> Check certificate expiration. Run getcert list to see what the status is.
>
> rob
>

None are expired, but there are some coming up soon:

[root@slpidml01 ~]# getcert list | grep expires
        expires: 2014-03-29 19:03:31 UTC
        expires: 2014-03-29 19:04:04 UTC
        expires: 2014-03-29 19:04:30 UTC
        expires: 2016-02-09 06:26:34 UTC
        expires: 2016-02-09 06:25:34 UTC
        expires: 2016-02-09 06:25:34 UTC
        expires: 2016-02-09 06:25:34 UTC
        expires: 2016-02-09 06:25:34 UTC

Everything is set to auto-renew:

[root@slpidml01 ~]# getcert list | grep auto-renew
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes
        auto-renew: yes

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
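An added example, not part of the thread: a Python script that correlates, per certificate, the two fields the grep commands above show only as separate columns (expiry and auto-renew) together with certmonger's tracking status, so a certificate due to expire that nobody will renew stands out. The getcert excerpt is constructed and trimmed to the fields the script reads, and the CA_UNREACHABLE request is a constructed case of a tracked certificate that cannot be renewed despite auto-renew being on.

```python
import re
from datetime import datetime

# Constructed excerpt shaped like `getcert list`; real output has more fields per request.
SAMPLE_GETCERT = """\
Request ID '20110329190331':
        status: MONITORING
        expires: 2014-03-29 19:03:31 UTC
        auto-renew: yes
Request ID '20110329190404':
        status: CA_UNREACHABLE
        expires: 2014-03-29 19:04:04 UTC
        auto-renew: yes
Request ID '20110329190430':
        status: MONITORING
        expires: 2014-03-29 19:04:30 UTC
        auto-renew: no
"""

def parse_utc(stamp):
    """Parse a getcert timestamp such as '2014-03-29 19:03:31 UTC'."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC")

def parse_getcert(text):
    """Group the indented 'key: value' fields under each 'Request ID' line."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace():
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def renewal_risks(text, now, warn_days=30):
    """(id, days_left, reason) for certs expiring within warn_days that certmonger
    will not renew: auto-renew off, or a tracking state other than MONITORING."""
    risks = []
    for req in parse_getcert(text):
        days_left = (parse_utc(req["expires"]) - now).days
        if days_left > warn_days:
            continue
        if req.get("auto-renew") != "yes":
            risks.append((req["id"], days_left, "auto-renew off"))
        elif req.get("status") != "MONITORING":
            risks.append((req["id"], days_left, "status " + req["status"]))
    return risks
```

Run it against the live output with `renewal_risks(subprocess.check_output(["getcert", "list"], text=True), datetime.utcnow())`; the healthy first request is deliberately absent from the result.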
