KodaK wrote:

On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    KodaK wrote:

        Hey everyone,

        A couple of days ago I started getting the following message:

        [jebalicki@slpidml01 ~]$ ipa cert-show 1
        ipa: INFO: trying https://slpidml01.unix.xxx.__com/ipa/xml
        ipa: INFO: Forwarding 'cert_show' to server
        ipa: ERROR: Certificate operation cannot be completed: Unable to
        communicate with CMS (Not Found)

        I get a similar error in the GUI when looking at hosts.

        slpidml01 is my "master" -- the one I initially built.  The other
        replicas also replicated the CA.

        After some digging (and prompting from Red Hat support) I've
        found the

        [root@slpidml01 ~]# ldapsearch -ZZ -H
        ldap://slpidml01.unix.xxx.com <http://slpidml01.unix.xxx.com>
        <http://slpidml01.unix.xxx.com__> -D "cn=Directory Manager" -W -b

        "dc=unix,dc=xxx,dc=com" -x
        ldap_start_tls: Connect error (-11)
                  additional info: TLS error -8172:Peer's certificate
        issuer has
        been marked as not trusted by the user.

        But, interestingly, from another replica:

        [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H
        ldap://slpidml01.unix.xxx.com <http://slpidml01.unix.xxx.com>
        <http://slpidml01.unix.xxx.com__> -D "cn=Directory Manager" -W -b

        "dc=unix,dc=xxx,dc=com" -x
        Enter LDAP Password:
        # extended LDIF
        # LDAPv3
        # base <dc=unix,dc=xxx,dc=com> with scope subtree
        # filter: (objectclass=*)
        # requesting: ALL

        So, obviously some certificate got hosed up somewhere.  I've been
        digging but I haven't found it yet.

        Anyone have any ideas?

        I have a ticket open with RH support, but I think I somehow got
        put with
        someone with a completely different sleep schedule -- I get
        replies at 3
        in the morning.  So, I'm asking here because I'm impatient. :)

    Check certificate expiration. Run getcert list to see what the
    status is.


None are expired, but there are some coming up soon:

[root@slpidml01 ~]# getcert list | grep expires
         expires: 2014-03-29 19:03:31 UTC
         expires: 2014-03-29 19:04:04 UTC
         expires: 2014-03-29 19:04:30 UTC
         expires: 2016-02-09 06:26:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC

Ok. CA requests are proxied through Apache so a Not Found means that the CA isn't running. Check the trust on the audit cert:

# certutil -L -d /var/lib/pki-ca/alias

The trust for the audit signing cert should be u,u,Pu

If it doesn't have it, fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

Then restart the CA (or all of IPA if you wish).

For the LDAP searches you may want to try the commands again, preceding them with LDAPTLS_CACERT=/etc/ipa/ca.crt

Freeipa-users mailing list

Reply via email to