The log slog continues but isn't turning up anything useful, or I'm looking in the wrong logs. Now getting twice-daily visits from users who need new SSL certs wondering when I'm going to be able to create them.

I'm happy to do the work to figure out what went wrong, I just don't grok these individual components at this level very well. When something goes wrong, it's not trivial to solve. Well, for me it isn't, anyway. ;-)


On 05/02/2017 10:50 AM, Bret Wortman wrote:
I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps out as looking like an error.

The cert-show failure is troubling, but my inability to get CSRs turned into certs is what's actually driving this.


On 04/26/2017 06:02 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So I can see my certs using cert-find, but can't get details using
cert-show or add new ones using cert-request.

     # ipa cert-find
     Number of entries returned 385
     # ipa cert-show 895
     ipa: ERROR: Certificate operation cannot be completed: Unable to
     communicate with CMS (503)
     # ipa cert-show 1 (which does not exist)
     ipa: ERROR: Certificate operation cannot be completed: Unable to
     communicate with CMS (503)
     # ipa cert-status 895
     ipa: ERROR: Certificate operation cannot be completed: Unable to
     communicate with CMS (503)

Is this an IPv6 thing? Because ipactl shows everything green and
certmonger is running.

cert-find and cert-show use different APIs in dogtag. cert-find uses the
newer RESTful API and cert-show uses the older XML-based API (and is
authenticated). I'm guessing that is where the issue lies.

What I'd recommend doing is noting the time, restarting the CA, and then
plowing through the debug log looking for failures. It could be that the CA
is only partially up (and I'd check your CA subsystem certs as well).



On 04/26/2017 09:03 AM, Bret Wortman wrote:
Digging still deeper:

     # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
     ipa: ERROR: Certificate operation cannot be completed: Unable to
     communicate with CMS (503)

Looks like this is an HTTP error; so is it possible that my IPA thinks
it has a CA but there's no CMS available?

On 04/26/2017 08:41 AM, Bret Wortman wrote:
Using the firefox debugger, I get these errors when trying to pop up
the New Certificate dialog:

     Empty string passed to getElementById(). (5)
     TypeError: u is undefined
     Empty string passed to getElementById(). (5)
     TypeError: t is undefined

I'm definitely not a web kind of guy so I'm not sure if this is
helpful or not. This is on 4.4.0, API Version 2.213.


On 04/26/2017 08:35 AM, Bret Wortman wrote:
Good news. One of my servers _does_ have CA installed. So why does
"Action -> New Certificate" not do anything on this or any other server?


On 04/25/2017 02:52 PM, Bret Wortman wrote:
I recently had to upgrade all my Fedora IPA servers to C7. It went
well, and we've been up and running nicely on 4.4.0 on C7 for the
past month or so.

Today, someone came and asked me to generate a new certificate for
their web server. All was good until I went to the IPA UI and tried
to perform Actions->New Certificate, which did nothing. I tried
each of our 3 servers in turn. All came back with no popup window
and no error, either.

I suspect the problem might be that we no longer have a CA server
due to the method I used to upgrade the servers. I likely missed a
"--setup-ca" in there somewhere, so my rolling update rolled over
the CA.

What's my best hope of recovery? I never ran this before, so I'm
not sure if this shows that I'm missing a CA or not:

     # ipa ca-find
     1 CA matched
       Name: ipa
       Description IPA CA
       Authority ID: 3ce3346[...]
       Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
       Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
     Number of entries returned 1
     # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
     ipa: ERROR: Failed to authenticate to CA REST API
     # klist
     Ticket cache: KEYRING:persistent:0:0
     Default principal:

     Valid starting      Expires              Service principal
     04/25/2017 18:48:26 04/26/2017 18:48:21

What's my best path of recovery?

*Bret Wortman*
The Damascus Group
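Rob's advice above, "check your CA subsystem certs as well", turned into a small triage helper. This is an added example, not code from the thread, from FreeIPA or from certmonger: it reads `getcert list` output and reports every tracking request whose status is not MONITORING, that certmonger marks as stuck, or whose certificate expires on or before the date you pass in. The sample input is constructed in the shape of `getcert list` on a CA master; the request IDs, dates and the EXAMPLE.COM realm are made up and are not the poster's data.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# check_ca_certs: read `getcert list` output on stdin and print one line per
# tracking request that is not in MONITORING state, that certmonger marks as
# stuck, or whose certificate expires on or before the YYYY-MM-DD date in $1.
# Exit status 1 when anything needs attention, 0 when everything is clean.
# On a real CA master:  getcert list | check_ca_certs "$(date +%F)"
check_ca_certs() {
    awk -v today="$1" -v q="'" '
        function flush() {
            if (id == "") return
            problem = ""
            if (status != "MONITORING")
                problem = "status " status
            if (stuck == "yes")
                problem = problem (problem != "" ? ", " : "") "stuck"
            if (expires != "" && expires <= today)
                problem = problem (problem != "" ? ", " : "") "expired " expires
            if (problem != "") {
                printf "%s (%s): %s\n", id, nick, problem
                bad++
            }
            id = ""; status = ""; stuck = ""; expires = ""; nick = ""
        }
        # Each request starts with: Request ID <quoted id>:
        /^Request ID /        { flush(); id = $3; gsub(q, "", id); gsub(":", "", id) }
        /^[ \t]*status:/      { status = $2 }
        /^[ \t]*stuck:/       { stuck = $2 }
        /^[ \t]*expires:/     { expires = $2 }   # YYYY-MM-DD part only; string compare is enough
        /^[ \t]*certificate:/ {
            # the quoted nickname=... field is the NSS nickname of the subsystem cert
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed sample (assumed data, EXAMPLE.COM realm) in the shape of
# `getcert list` on a CA master: three of the dogtag CA subsystem certs.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20170326124501':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-03-26 12:45:01 UTC
        track: yes
        auto-renew: yes
Request ID '20170326124502':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2017-03-30 09:12:44 UTC
        track: yes
        auto-renew: yes
Request ID '20170326124503':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2019-03-26 12:45:03 UTC
        track: yes
        auto-renew: yes
EOF
}

# Demo against the sample as of the thread's date. Prints two lines:
#   20170326124502 (ocspSigningCert cert-pki-ca): expired 2017-03-30
#   20170326124503 (auditSigningCert cert-pki-ca): status CA_UNREACHABLE, stuck
sample_getcert_output | check_ca_certs 2017-04-26 \
    || echo "CA subsystem certs need attention"
```

An expired or stuck subsystem cert is exactly the "CA only partially up" case Rob describes: the REST endpoint that cert-find uses can answer while the authenticated agent path behind cert-show and cert-request fails, so the helper is worth running before reading the debug log. The comparison on the expiry date is a plain string compare on the YYYY-MM-DD prefix, which is sufficient because that format sorts chronologically.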
