Digging still deeper:

   # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
   ipa: ERROR: Certificate operation cannot be completed: Unable to
   communicate with CMS (503)

Looks like this is an HTTP error; so is it possible that my IPA thinks it has a CA but there's no CMS available?

On 04/26/2017 08:41 AM, Bret Wortman wrote:

Using the Firefox debugger, I get these errors when trying to pop up the New Certificate dialog:

    Empty string passed to getElementById().             (5)
    TypeError: u is undefined app.js:1:362059
    Empty string passed to getElementById().             (5)
    TypeError: t is undefined app.js:1:217432

I'm definitely not a web kind of guy so I'm not sure if this is helpful or not. This is on 4.4.0, API Version 2.213.


On 04/26/2017 08:35 AM, Bret Wortman wrote:

Good news. One of my servers _does_ have CA installed. So why does "Action -> New Certificate" not do anything on this or any other server?


On 04/25/2017 02:52 PM, Bret Wortman wrote:

I recently had to upgrade all my Fedora IPA servers to C7. It went well, and we've been up and running nicely on 4.4.0 on C7 for the past month or so.

Today, someone came and asked me to generate a new certificate for their web server. All was good until I went to the IPA UI and tried to perform Actions->New Certificate, which did nothing. I tried each of our 3 servers in turn. All came back with no popup window and no error, either.

I suspect the problem might be that we no longer have a CA server due to the method I used to upgrade the servers. I likely missed a "--setup-ca" in there somewhere, so my rolling update rolled over the CA.

What's my best hope of recovery? I never ran this before, so I'm not sure if this shows that I'm missing a CA or not:

    # ipa ca-find
    1 CA matched
      Name: ipa
      Description IPA CA
      Authority ID: 3ce3346[...]
      Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
      Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
    Number of entries returned 1
    # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
    ipa: ERROR: Failed to authenticate to CA REST API
    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: ad...@damascusgrp.com

    Valid starting      Expires              Service principal
    04/25/2017 18:48:26 04/26/2017 18:48:21

What's my best path of recovery?

*Bret Wortman*
The Damascus Group
