Hi Martin,

Thank you for the response. Here is what I can see on my FreeIPA server (I replaced my server name with server.com):

[Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

[Wed Jun 03 10:05:47:..//var/lib/pki-ca]$ getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150407214802':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=CA Audit,O=SERVER.COM
	expires: 2017-03-27 21:47:14 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214803':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=OCSP Subsystem,O=SERVER.COM
	expires: 2017-03-27 21:47:13 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214804':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=CA Subsystem,O=SERVER.COM
	expires: 2017-03-27 21:47:14 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214805':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=IPA RA,O=SERVER.COM
	expires: 2017-03-27 21:48:00 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214806':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=chimera.server.com,O=SERVER.COM
	expires: 2017-03-27 21:47:14 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214820':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=chimera.server.com,O=SERVER.COM
	expires: 2017-04-07 21:48:20 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407214856':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=chimera.server.com,O=SERVER.COM
	expires: 2017-04-07 21:48:55 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150407215219':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=chimera.server.com,O=SERVER.COM
	expires: 2017-04-07 21:52:19 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Here is what I can see on my Puppet Master (single server that hosts foreman, puppet, and everything related to them).

[Wed Jun 03 10:08:07:~]$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20150407223624':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - puppetmaster.server.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - puppetmaster.server.com',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SERVER.COM
	subject: CN=puppetmaster.server.com,O=SERVER.COM
	expires: 2017-04-07 22:36:24 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

From here the status shows as MONITORING, which is what I think it is supposed to show, and they do not expire until 2017.

Thanks,
-Chris Tobey

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: June-03-15 3:44 AM
To: Chris Tobey; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

On 06/02/2015 10:10 PM, Chris Tobey wrote:
> Hi everyone,
>
> This is my first time posting here - please be gentle.

Ok :-)

> I currently have ~40 CentOS 6.6 servers authenticating against my
> FreeIPA server running on another CentOS 6.6 server.
> (ipa-server-3.0.0-42.el6.centos.x86_64 and
> ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running
> stable for the last ~4 months without issue, slowly building up from
> five servers to the current forty. This server is paired with a
> puppet/foreman server to manage the servers themselves.
>
> I am having an issue with my FreeIPA server and I cannot figure out
> what is going wrong. As of right now all 40 servers can still
> authenticate without issue, so that is good.
>
> My issue is similar to what I saw here:
> https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html
> where I receive a pop-up error "IPA Error 4301: Certificate
> operation cannot be completed: Unable to communicate with CMS (Not
> Found)". The issue described at the above link is fairly old, and I
> checked my .jar symlinks and they appear to all be ok. The pop-up
> appears when I go to Identity > Hosts > and click on a host. The host
> information appears to all be correct, and if I make changes the error
> appears again, but the changes seem to take effect (tested changing a
> host description).
>
> The failures prevent me from adding new hosts in Foreman. When I try
> to add a new host it says "Unable to save - Failed to create
> testvm.server.com's realm entry: ERF12-5287
> [ProxyAPI::ProxyException]: Unable to create realm entry
> ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://puppetmaster.server.com:8443/realm/SERVER.COM."
>
> Does anyone have any ideas on what I can do to fix this? I can post
> any logs that I have, but I do not know which are relevant to this issue.

Could this be the dreaded expiration of the FreeIPA CA subsystem certificates? I would suggest logging to FreeIPA CA servers and running

# getcert list

and giving us the output.

https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
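The check Martin asks for (read `getcert list` on every CA server and look for certificates that are expired, about to expire, stuck, or no longer in MONITORING) is easy to do by eye for eight entries and error-prone across a fleet. The following is an added example, not code from the thread or from FreeIPA/certmonger: a small parser for the `getcert list` output format shown above that reports every tracked certificate needing attention, and that redacts the `pin='...'` value of the NSS database so the report can be pasted to a mailing list without disclosing the token PIN. The sample output embedded in it is constructed (the PIN, the `ca-error` text and the expiry dates are made up); the reference date is the date of the thread rather than the real clock so the result is reproducible.

```python
"""Parse `getcert list` (certmonger) output and flag tracked certificates
that need attention.  Added example; not part of the original thread or
of FreeIPA/certmonger.  Field names follow the getcert output shown in
the thread; the sample below is constructed, not copied."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list`.  The pin value, the
# ca-error text and the expiry dates are made up for illustration.
SAMPLE = """Number of certificates and requests being tracked: 3.
Request ID '20150407214802':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='123456'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=SERVER.COM
\tsubject: CN=CA Audit,O=SERVER.COM
\texpires: 2017-03-27 21:47:14 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20150407214806':
\tstatus: CA_UNREACHABLE
\tca-error: constructed error text: renewal request to the CA failed
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='123456'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=chimera.server.com,O=SERVER.COM
\texpires: 2015-06-20 21:47:14 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20150407215219':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=chimera.server.com,O=SERVER.COM
\texpires: 2015-05-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Reference "now": the date of the thread, so the sample result is reproducible.
NOW = datetime(2015, 6, 3, 10, 0, 0, tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    fields: dict = field(default_factory=dict)   # "status" -> "MONITORING", ...

    @property
    def status(self) -> str:
        return self.fields.get("status", "")

    @property
    def nickname(self) -> str:
        m = re.search(r"nickname='([^']*)'", self.fields.get("certificate", ""))
        return m.group(1) if m else "?"

    @property
    def expires(self):
        # getcert prints "YYYY-MM-DD HH:MM:SS UTC"; parse as an aware UTC datetime.
        raw = self.fields.get("expires", "")
        if not raw.endswith(" UTC"):
            return None
        return datetime.strptime(raw[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> list:
    """Split `getcert list` output into one TrackedCert per 'Request ID' block."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = TrackedCert(m.group(1))
            certs.append(current)
            continue
        if current is None or not line.strip():
            continue                      # header line or blank
        key, sep, value = line.strip().partition(":")
        if sep:                           # split on the first colon only
            current.fields[key.strip()] = value.strip()
    return certs


def redact_pin(value: str) -> str:
    """Blank the NSS DB PIN that getcert echoes in 'key pair storage' lines."""
    return re.sub(r"pin='[^']*'", "pin='<redacted>'", value)


def check_certs(certs, now=NOW, warn_days=30) -> list:
    """Return (request_id, nickname, [problems]) for every cert needing attention."""
    findings = []
    for c in certs:
        problems = []
        if c.status != "MONITORING":
            problems.append(f"status {c.status}")
        if c.fields.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in c.fields:
            problems.append("ca-error: " + c.fields["ca-error"])
        exp = c.expires
        if exp is None:
            problems.append("no expiry recorded")
        elif exp <= now:
            problems.append(f"EXPIRED {exp:%Y-%m-%d}")
        elif exp - now <= timedelta(days=warn_days):
            problems.append(f"expires in {(exp - now).days} days")
        if problems:
            findings.append((c.request_id, c.nickname, problems))
    return findings


def report(text: str, now=NOW) -> str:
    """Human-readable summary, safe to paste to a list (PINs redacted)."""
    lines = []
    for rid, nick, problems in check_certs(parse_getcert_list(text), now):
        lines.append(f"{rid} ({nick}): " + "; ".join(redact_pin(p) for p in problems))
    return "\n".join(lines) or "all tracked certificates look healthy"


if __name__ == "__main__":
    # Usage: getcert list | python getcert_check.py   (or run with no input for the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(data, now=datetime.now(timezone.utc) if data is not SAMPLE else NOW))
```

Run on real output with `getcert list | python getcert_check.py` on each CA replica; the thread's own output would produce no findings for 2015-06-03, which is exactly the point Chris makes about MONITORING and the 2017 expiry dates. The `ca-error` field is checked because certmonger records the last renewal failure there even while `status` still reads MONITORING, which is the fastest way to spot a CA that answers but rejects the renewal.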