[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-17 Thread Alexander Bokovoy via FreeIPA-users
Hi Sam, On Fri, 17 Dec 2021, Sam Morris wrote: On Fri, 2021-12-17 at 06:59 +0200, Alexander Bokovoy wrote: On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: > > The CA has its own upgrade code which runs unconditionally and I think > > that's how both secret and requiredSecret got

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-17 Thread Sam Morris via FreeIPA-users
On Fri, 2021-12-17 at 06:59 +0200, Alexander Bokovoy wrote: > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: > > > The CA has its own upgrade code which runs unconditionally and I think > > > that's how both secret and requiredSecret got added to server.xml. I > > > wasn't able to

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: The CA has its own upgrade code which runs unconditionally and I think that's how both secret and requiredSecret got added to server.xml. I wasn't able to duplicate the 403 though, it always just worked for me. Perhaps it has to go

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-16 Thread Sam Morris via FreeIPA-users
> The CA has its own upgrade code which runs unconditionally and I think > that's how both secret and requiredSecret got added to server.xml. I > wasn't able to duplicate the 403 though, it always just worked for me. > Perhaps it has to go through more than one upgrade cycle. I did my > testing on

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-11-05 Thread Sander Steffann via FreeIPA-users
Hi, > I can confirm that I ran in this issue on CentOS Stream 8 and this solution > works. Same here. I spent a day searching for the cause. I was misled by this Red Hat article: https://access.redhat.com/solutions/4796941 which mentions the same error message, so I spent most of my day

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-10-18 Thread Çiçek Adam via FreeIPA-users
Hi Antoine, I've checked requiredSecret and secret values in the files you indicated. They are matching. My installations are fresh, I didn't upgrade from previous versions. I'm going to back up nssdb and reinitialize it, maybe it works. Regards, Antoine Gatineau via FreeIPA-users , 17 Oct 2021

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-10-17 Thread Antoine Gatineau via FreeIPA-users
On Fri, 2021-09-17 at 12:35 +, pp via FreeIPA-users wrote: > Could you check if your "requiredSecret" value matches the "secret" in > "/etc/pki/pki-tomcat/server.xml"? > I had two lines where they were different and the value has to match the > secret in

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-10-13 Thread Rob Crittenden via FreeIPA-users
Dirk Silkenbäumer via FreeIPA-users wrote: >> I filed https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against >> pki-core. > > latest update with: > ipa-server.x86_64 4.9.6-6.module_el8.5.0 > pki-server.noarch 10.11.2-2.module_el8.5.0 > > has the same issue The BZ is still in NEW state. It

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-10-13 Thread Dirk Silkenbäumer via FreeIPA-users
> I filed https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against > pki-core. latest update with: ipa-server.x86_64 4.9.6-6.module_el8.5.0 pki-server.noarch 10.11.2-2.module_el8.5.0 has the same issue Best Dirk

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-21 Thread pp via FreeIPA-users
Thank you. Just to clarify I currently have both "secret" and "requiredSecret" set. Originally "requiredSecret" did not match the ipa secret while "secret" did. I changed "requiredSecret" to also match to fix my issue.

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-21 Thread Rob Crittenden via FreeIPA-users
pp via FreeIPA-users wrote: >> The strange thing is this upgrade code has been in IPA since 4.9.0 so >> it's unclear why it decided to break now, and in the way it did. >> >> It should only change the attribute from requiredSecret to secret if >> "tomcat version" reports a version >= 9.0.31.0. >

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-21 Thread pp via FreeIPA-users
> The strange thing is this upgrade code has been in IPA since 4.9.0 so > it's unclear why it decided to break now, and in the way it did. > > It should only change the attribute from requiredSecret to secret if > "tomcat version" reports a version >= 9.0.31.0. Yes, I noticed the python function

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-20 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 17/09/2021 13:35, pp via FreeIPA-users wrote: >> Could you check if your "requiredSecret" value matches the "secret" in >> "/etc/pki/pki-tomcat/server.xml"? >> I had two lines where they were different and the value has to match >> the secret in

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-20 Thread Florence Renaud via FreeIPA-users
On Fri, Sep 17, 2021 at 9:35 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [...] > ps. with applied fix, though original error(s) is gone I > still get: > -> $ ipa-healthcheck > Internal error testing KRA clone. KRA clone problem > detected Host:

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-17 Thread lejeczek via FreeIPA-users
On 17/09/2021 13:35, pp via FreeIPA-users wrote: Could you check if your "requiredSecret" value matches the "secret" in "/etc/pki/pki-tomcat/server.xml"? I had two lines where they were different and the value has to match the secret in "/etc/httpd/conf.d/ipa-pki-proxy.conf". Once they all

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-17 Thread lejeczek via FreeIPA-users
On 17/09/2021 16:28, Rob Crittenden via FreeIPA-users wrote: Dirk Silkenbäumer via FreeIPA-users wrote: According to a different thread "tomcat pre-9.0.31.0 uses 'requiredSecret' and afterward uses 'secret'." https://tomcat.apache.org/migration-9.html#Tomcat_9.0.x_noteable_changes I am

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-17 Thread Rob Crittenden via FreeIPA-users
Dirk Silkenbäumer via FreeIPA-users wrote: >> According to a different thread "tomcat pre-9.0.31.0 uses 'requiredSecret' >> and afterward uses 'secret'." > https://tomcat.apache.org/migration-9.html#Tomcat_9.0.x_noteable_changes > >> I am running my FreeIPA server on CentOS 8 Stream which uses

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-17 Thread Dirk Silkenbäumer via FreeIPA-users
> According to a different thread "tomcat pre-9.0.31.0 uses 'requiredSecret' > and afterward uses 'secret'." https://tomcat.apache.org/migration-9.html#Tomcat_9.0.x_noteable_changes > I am running my FreeIPA server on CentOS 8 Stream which uses tomcat 9.0.30. > My uninformed > guess is the last

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-17 Thread pp via FreeIPA-users
Could you check if your "requiredSecret" value matches the "secret" in "/etc/pki/pki-tomcat/server.xml"? I had two lines where they were different and the value has to match the secret in "/etc/httpd/conf.d/ipa-pki-proxy.conf". Once they all matched I restarted pki-tomcatd@pki-tomcat.service

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-16 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 14/09/2021 20:00, Rob Crittenden wrote: >> lejeczek via FreeIPA-users wrote: >>> >>> On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote: On 14/09/2021 14:13, Rob Crittenden wrote: > lejeczek via FreeIPA-users wrote: >> Hi guys.

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-16 Thread lejeczek via FreeIPA-users
On 14/09/2021 20:00, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote: On 14/09/2021 14:13, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. I get: -> $ ipa host-del c8kubernode1.private.lot ipa: ERROR:

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-14 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote: >> >> >> On 14/09/2021 14:13, Rob Crittenden wrote: >>> lejeczek via FreeIPA-users wrote: Hi guys. I get: -> $ ipa host-del c8kubernode1.private.lot ipa: ERROR:

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-14 Thread lejeczek via FreeIPA-users
On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote: On 14/09/2021 14:13, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. I get: -> $ ipa host-del c8kubernode1.private.lot ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403) ->

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-14 Thread lejeczek via FreeIPA-users
On 14/09/2021 14:13, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. I get: -> $ ipa host-del c8kubernode1.private.lot ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403) -> $ ipa cert-show 1 ipa: ERROR: Certificate operation cannot

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-14 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > Hi guys. > > I get: > > -> $ ipa host-del c8kubernode1.private.lot > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (403) > > -> $ ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Request failed

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread John Bowman via FreeIPA-users
That was it. They opened up 8080 and it's working as expected. Thank you! On Wed, Jun 7, 2017 at 12:17 PM, Rob Crittenden wrote: > John Bowman via FreeIPA-users wrote: > > I'm hoping this is a firewall issue but I figured I would check just in > > case I'm looking in the

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > I'm hoping this is a firewall issue but I figured I would check just in > case I'm looking in the wrong direction. > > I set up a pair of non-CA replicas today and as far as I could tell > everything seemed to be okay but I noticed that when searching via the >