I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this 
error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: 
ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] 
Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: 
[jsonserver_session] dfinkelst...@example.com: cert_find(version=u'2.156'): 

The certificates appear as follows:

[root@ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                             CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, 
Policy, Audit. But it can be started later with `ipactl restart`. Finally, the 
two last IPA services don't appear to start:

[root@ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.


Daniel Alex Finkelstein| Senior Dev Ops Engineer
dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the 
Follow us on: Facebook<http://www.facebook.com/high5games>, 

This message and any attachments may contain confidential or privileged 
information and are only for the use of the intended recipient of this message. 
If you are not the intended recipient, please notify the sender by return 
email, and delete or destroy this and all copies of this message and all 
attachments. Any unauthorized disclosure, use, distribution, or reproduction of 
this message or any attachments is prohibited and may be unlawful.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to