I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page:

    [Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)
    [Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelst...@example.com: cert_find(version=u'2.156'): CertificateOperationError

The certificates appear as follows:

    [root@ipa httpd]# certutil -L -d /etc/httpd/alias/

    Certificate Nickname                         Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

    Server-Cert                                  u,u,u
    auditSigningCert cert-pki-ca                 u,u,u
    EXAMPLE.COM IPA CA                           CTu,u,Cu
    ipaCert                                      u,u,u
    ocspSigningCert cert-pki-ca                  u,u,u
    subsystemCert cert-pki-ca                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, Policy, Audit. But it can be started later with `ipactl restart`.

Finally, the two last IPA services don't appear to start:

    [root@ipa]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: STOPPED
    ipa-dnskeysyncd Service: STOPPED
    ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer