Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-27 Thread Sanju A
Hi Rob,

ipactl status is up and the flag is also in the correct state. However I 
have restarted pki-cad and the issue got fixed.

Thanks for your help in fixing the issue.


Regards
Sanju Abraham




From:   Rob Crittenden 
To: Sanju A 
Cc: freeipa-users@redhat.com
Date:   22-05-2015 19:05
Subject: Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)



Sanju A wrote:
> Dear Rob,
>
> Please find the entire result.

Ok, the good news is that renewal already took place and it looks like 
everything is a-ok certificate-wise.

First, make sure the CA is up:

# ipactl status

If the CA is down, start it with service pki-cad start.

If the CA is up, the next thing to check are the trust flags:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should be u,u,Pu

If it isn't, fix it with:

# certutil -M -t u,u,Pu -d /var/lib/pki-ca/alias -n 'auditSigningCert 
cert-pki-ca'

You'll need to restart the CA after changing the trust:

# service pki-cad restart

If the trust is ok and the CA was already up we'd need to see your CA 
logs to try to determine what is going on.

rob


=-=-=
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Sina Owolabi
Hi Rob

And thanks for the new instructions. However, right out of the gate:

$ ipa-csreplica-manage set-renewal-master
Usage: ipa-csreplica-manage [options]

ipa-csreplica-manage: error: must provide a command [force-sync |
disconnect | list | del | connect | re-initialize]

Are there any RHEL6 specific instructions I can follow to the promised land?

On Wed, May 20, 2015 at 8:30 PM, Rob Crittenden wrote:
> Sina Owolabi wrote:
>>
>> Hi Rob
>>
>> This is the only CA master. The one I cloned it from was
>> decommissioned, reinstalled and then made to be a replica of this
>> server.
>>
>> Looks like I'm really stuck.  How do I export the data out so I can
>> reinstall from scratch, if possible? There are a lot of rules and
>> configuration data I'd really like to keep.
>
>
> So in this case you have no master managing the renewal.
>
> Take a look at
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0
> starting at the step "Reconfigure a CA as the new master"
>
> Since at least one certificate has expired you'll need to go back in time to
> get this working. Be sure to restart IPA after going back to ensure that the
> CA is up.
>
> You'll eventually want to do the CRL changes as well.
>
> rob
>
>>
>>
>> On Wed, May 20, 2015, 2:32 PM Rob Crittenden wrote:
>>
>> Sina Owolabi wrote:
>>  > Another key difference I noticed is that the problematic certs have
>>  > CA:IPA in them, while the working certs have CA:
>>  > dogtag-ipa-retrieve-agent-submit.
>>
>> Ok, the full output is really helpful.
>>
>> First an explanation of CA subsystem renewal.
>>
>> CA clones are just that, exact clones of each other, which means they
>> use the same subsystem certificates for OCSP, audit, etc. This also
>> means that at renewal time they need to be renewed on only one master
>> and then somehow shared with the other clones.
>>
>> The initially-installed CA is designated as the renewal master by
>> default. It configures certmonger to renew the CA subsystem
>> certificates
>> and put the new public cert into a shared area in IPA that will be
>> replicated to the other masters.
>>
>> The non-renewal masters are configured with a special CA,
>> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for
>> an
>> updated certificate and when available, it installs it.
>>
>> So the issue is that it isn't seeing this updated certificate, hence
>> CA_WORKING.
>>
>> The CA_UNREACHABLE are due to the fact that the IPA RA agent
>> certificate
>> that IPA uses to talk to the CA expired on 04/29.
>>
>> So the steps you need to take are:
>>
>> 1. Check your other CA masters and see if they have been renewed
>> properly (getcert list will tell you, look for expiration in 2017).
>> 2. If they have, see if the data was pushed to LDAP
>>
>> $ kinit admin
>> $ ldapsearch -Y GSSAPI -b
>> cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
>>
>> See if there are certificate entries there. Check on multiple masters
>> to
>> see if there is a replication issue.
>>
>> If the certs are there you can try restarting certmonger to kickstart
>> the request.
>>
>> rob
>>
>



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Rob Crittenden

Sanju A wrote:

Dear Rob,

Please find the entire result.


Ok, the good news is that renewal already took place and it looks like 
everything is a-ok certificate-wise.


First, make sure the CA is up:

# ipactl status

If the CA is down, start it with service pki-cad start.

If the CA is up, the next thing to check are the trust flags:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should be u,u,Pu

If it isn't, fix it with:

# certutil -M -t u,u,Pu -d /var/lib/pki-ca/alias -n 'auditSigningCert 
cert-pki-ca'


You'll need to restart the CA after changing the trust:

# service pki-cad restart

If the trust is ok and the CA was already up we'd need to see your CA 
logs to try to determine what is going on.


rob
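One way to script the trust-flag check Rob describes, as an added example that is not from the thread or from the FreeIPA project: it parses the table printed by `certutil -L` for the CA's NSS database and builds the `certutil -M` command when `auditSigningCert cert-pki-ca` does not carry `u,u,Pu`. The sample listing is constructed; only the audit cert's expected value and the `/var/lib/pki-ca/alias` path come from the thread.

```python
import re
import subprocess
from typing import Dict, List

CA_NSSDB = "/var/lib/pki-ca/alias"                           # path from the thread
EXPECTED_TRUST = {"auditSigningCert cert-pki-ca": "u,u,Pu"}  # value from the thread

# Constructed sample shaped like `certutil -L` output: a two-line header, then
# one cert per line with the nickname (which may itself contain spaces) padded
# out to the trust column (SSL,S/MIME,JAR/XPI). The audit cert has lost its P.
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# A trust attribute is three comma-separated groups of NSS trust letters; the
# groups may be empty (",," means no trust at all), so anchor on the commas
# rather than on the letters. Header lines contain no such triple and are skipped.
TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)\s*$")


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Return {nickname: trust attributes}; the trust column is always last."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def trust_fixes(certs: Dict[str, str],
                expected: Dict[str, str] = EXPECTED_TRUST,
                nssdb: str = CA_NSSDB) -> List[Dict[str, object]]:
    """List every expected nickname whose trust is wrong or missing, with the
    `certutil -M` argv that would set it (None when the cert is absent, since
    -M cannot modify a certificate that is not in the database)."""
    fixes: List[Dict[str, object]] = []
    for nick, want in expected.items():
        have = certs.get(nick)
        if have == want:
            continue
        argv = None if have is None else \
            ["certutil", "-M", "-t", want, "-d", nssdb, "-n", nick]
        fixes.append({"nickname": nick, "actual": have, "expected": want, "fix": argv})
    return fixes


def live_trust_fixes(nssdb: str = CA_NSSDB) -> List[Dict[str, object]]:
    """Run certutil against the real CA database (needs root on the CA master)."""
    out = subprocess.run(["certutil", "-L", "-d", nssdb], check=True,
                         capture_output=True, text=True).stdout
    return trust_fixes(parse_certutil_list(out), nssdb=nssdb)


if __name__ == "__main__":
    for fix in trust_fixes(parse_certutil_list(SAMPLE_CERTUTIL_LIST)):
        print(f"{fix['nickname']}: trust is {fix['actual']}, expected {fix['expected']}")
        if fix["fix"]:
            # the thread's procedure: change the trust, then restart the CA
            print("  fix with:", " ".join(fix["fix"]), "&& service pki-cad restart")
```

Call `live_trust_fixes()` instead of the sample on a CA master to check the real database.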



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Sanju A
e: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140430124352':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOMAINNAME.COM
subject: CN=mydomainname.com,O=MYDOMAINNAME.COM
expires: 2016-04-30 12:43:51 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140430124456':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOMAINNAME.COM
subject: CN=ipa.mydomainname.com,O=MYDOMAINNAME.COM
expires: 2016-04-30 12:44:55 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
---------------------

Regards
Sanju Abraham




From:   Rob Crittenden 
To: Sanju A 
Cc: freeipa-users@redhat.com
Date:   22-05-2015 18:26
Subject: Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)



Sanju A wrote:
> Dear Rob,
>
> The result is from ipa master server.

Ok, then this can't be the entire output. For a master with a CA there 
should be about 8 certs tracked

rob

>
>
> Regards
> Sanju Abraham
>
>
>
> From: Rob Crittenden 
> To: Sanju A 
> Cc: freeipa-users@redhat.com
> Date: 21-05-2015 19:03
> Subject: Re: [Freeipa-users] Certificate operation cannot be completed:
> Unable to communicate with CMS (Not Found)
> 
>
>
>
> Sanju A wrote:
>  > Dear Rob,
>  >
>  > Please find the result of getcert list.
>  >
>  > Request ID '20140430124456':
>  >  status: MONITORING
>  >  stuck: no
>  >  key pair storage:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  >  certificate:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>  >  CA: IPA
>  >  issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >  subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
>  >  expires: 2016-04-30 12:44:55 UTC
>  >  key usage:
>  > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>  >  eku: id-kp-serverAuth,id-kp-clientAuth
>  >  pre-save command:
>  >  post-save command:
>  >  track: yes
>  >  auto-renew: yes
>
> You need to run getcert list on the IPA master running the CA that can't
> be contacted, not the host you're trying to delete.
>
> rob
>
>  >
>  >
>  > Regards
>  > Sanju Abraham
>  >
>  >
>  >
>  >
>  > From: Rob Crittenden
>  > To: Sanju A, freeipa-users@redhat.com
>  > Date: 20-05-2015 19:04
>  > Subject: Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>  > 

>  >
>  >
>  >
>  > Sanju A wrote:
>  >  > Hi,
>  >  >
>  >  > I am getting the following error while removing a host.
>  >  >
>  >  > ---
>  >  > Certificate operation cannot be completed: Unable to communicate with
>  >  > CMS (Not Found)
>  >  > ---
>  >
>  > This usually means that the CA is not serving requests. It may be up
>  > and running but that doesn't mean the webapp is working.
>  >
>  > This is often due to expired CA subsystem certificates. Run getcert list
>  > to check.
>  >
>  > rob
>  >
>  >
>  >
>
>



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Rob Crittenden

Sanju A wrote:

Dear Rob,

The result is from ipa master server.


Ok, then this can't be the entire output. For a master with a CA there 
should be about 8 certs tracked


rob




Regards
Sanju Abraham



From: Rob Crittenden 
To: Sanju A 
Cc: freeipa-users@redhat.com
Date: 21-05-2015 19:03
Subject: Re: [Freeipa-users] Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)




Sanju A wrote:
 > Dear Rob,
 >
 > Please find the result of getcert list.
 >
 > Request ID '20140430124456':
 >  status: MONITORING
 >  stuck: no
 >  key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 >  certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB'
 >  CA: IPA
 >  issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >  subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
 >  expires: 2016-04-30 12:44:55 UTC
 >  key usage:
 > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 >  eku: id-kp-serverAuth,id-kp-clientAuth
 >  pre-save command:
 >  post-save command:
 >  track: yes
 >  auto-renew: yes

You need to run getcert list on the IPA master running the CA that can't
be contacted, not the host you're trying to delete.

rob

 >
 >
 > Regards
 > Sanju Abraham
 >
 >
 >
 >
 > From: Rob Crittenden 
 > To: Sanju A , freeipa-users@redhat.com
 > Date: 20-05-2015 19:04
 > Subject: Re: [Freeipa-users] Certificate operation cannot be completed:
 > Unable to communicate with CMS (Not Found)
 > 
 >
 >
 >
 > Sanju A wrote:
 >  > Hi,
 >  >
 >  > I am getting the following error while removing a host.
 >  >
 >  > ---
 >  > Certificate operation cannot be completed: Unable to communicate with
 >  > CMS (Not Found)
 >  > ---
 >
 > This usually means that the CA is not serving requests. It may be up
 > and running but that doesn't mean the webapp is working.
 >
 > This is often due to expired CA subsystem certificates. Run getcert list
 > to check.
 >
 > rob
 >
 >
 >






Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Sanju A
Dear Rob,

The result is from ipa master server.


Regards
Sanju Abraham



From:   Rob Crittenden 
To: Sanju A 
Cc: freeipa-users@redhat.com
Date:   21-05-2015 19:03
Subject: Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)



Sanju A wrote:
> Dear Rob,
>
> Please find the result of getcert list.
>
> Request ID '20140430124456':
>  status: MONITORING
>  stuck: no
>  key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>  CA: IPA
>  issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
>  expires: 2016-04-30 12:44:55 UTC
>  key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>  eku: id-kp-serverAuth,id-kp-clientAuth
>  pre-save command:
>  post-save command:
>  track: yes
>  auto-renew: yes

You need to run getcert list on the IPA master running the CA that can't 
be contacted, not the host you're trying to delete.

rob

>
>
> Regards
> Sanju Abraham
>
>
>
>
> From: Rob Crittenden 
> To: Sanju A , freeipa-users@redhat.com
> Date: 20-05-2015 19:04
> Subject: Re: [Freeipa-users] Certificate operation cannot be completed:
> Unable to communicate with CMS (Not Found)
> 
>
>
>
> Sanju A wrote:
>  > Hi,
>  >
>  > I am getting the following error while removing a host.
>  >
>  > ---
>  > Certificate operation cannot be completed: Unable to communicate with
>  > CMS (Not Found)
>  > ---
>
> This usually means that the CA is not serving requests. It may be up
> and running but that doesn't mean the webapp is working.
>
> This is often due to expired CA subsystem certificates. Run getcert list
> to check.
>
> rob
>
>
>



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-21 Thread Rob Crittenden

Sanju A wrote:

Dear Rob,

Please find the result of getcert list.

Request ID '20140430124456':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=EXAMPLE.COM
 subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
 expires: 2016-04-30 12:44:55 UTC
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes


You need to run getcert list on the IPA master running the CA that can't 
be contacted, not the host you're trying to delete.


rob




Regards
Sanju Abraham




From: Rob Crittenden 
To: Sanju A , freeipa-users@redhat.com
Date: 20-05-2015 19:04
Subject: Re: [Freeipa-users] Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)




Sanju A wrote:
 > Hi,
 >
 > I am getting the following error while removing a host.
 >
 > ---
 > Certificate operation cannot be completed: Unable to communicate with
 > CMS (Not Found)
 > ---

This usually means that the CA is not serving requests. It may be up
and running but that doesn't mean the webapp is working.

This is often due to expired CA subsystem certificates. Run getcert list
to check.

rob







Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Dear Rob,

Please find the result of getcert list.

Request ID '20140430124456':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
expires: 2016-04-30 12:44:55 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


Regards
Sanju Abraham




From:   Rob Crittenden 
To: Sanju A , freeipa-users@redhat.com
Date:   20-05-2015 19:04
Subject: Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)



Sanju A wrote:
> Hi,
>
> I am getting the following error while removing a host.
>
> ---
> Certificate operation cannot be completed: Unable to communicate with
> CMS (Not Found)
> ---

This usually means that the CA is not serving requests. It may be up
and running but that doesn't mean the webapp is working.

This is often due to expired CA subsystem certificates. Run getcert list 
to check.

rob





Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sina Owolabi wrote:

Hi Rob

This is the only CA master. The one I cloned it from was
decommissioned, reinstalled and then made to be a replica of this server.

Looks like I'm really stuck.  How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.


So in this case you have no master managing the renewal.

Take a look at 
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0 
starting at the step "Reconfigure a CA as the new master"


Since at least one certificate has expired you'll need to go back in 
time to get this working. Be sure to restart IPA after going back to 
ensure that the CA is up.


You'll eventually want to do the CRL changes as well.

rob




On Wed, May 20, 2015, 2:32 PM Rob Crittenden <rcrit...@redhat.com> wrote:

Sina Owolabi wrote:
 > Another key difference I noticed is that the problematic certs have
 > CA:IPA in them, while the working certs have CA:
 > dogtag-ipa-retrieve-agent-submit.

Ok, the full output is really helpful.

First an explanation of CA subsystem renewal.

CA clones are just that, exact clones of each other, which means they
use the same subsystem certificates for OCSP, audit, etc. This also
means that at renewal time they need to be renewed on only one master
and then somehow shared with the other clones.

The initially-installed CA is designated as the renewal master by
default. It configures certmonger to renew the CA subsystem certificates
and put the new public cert into a shared area in IPA that will be
replicated to the other masters.

The non-renewal masters are configured with a special CA,
dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
updated certificate and when available, it installs it.

So the issue is that it isn't seeing this updated certificate, hence
CA_WORKING.

The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
that IPA uses to talk to the CA expired on 04/29.

So the steps you need to take are:

1. Check your other CA masters and see if they have been renewed
properly (getcert list will tell you, look for expiration in 2017).
2. If they have, see if the data was pushed to LDAP

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com

See if there are certificate entries there. Check on multiple masters to
see if there is a replication issue.

If the certs are there you can try restarting certmonger to kickstart
the request.

rob





Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sina Owolabi
Hi Rob

This is the only CA master. The one I cloned it from was decommissioned,
reinstalled and then made to be a replica of this server.

Looks like I'm really stuck.  How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.

On Wed, May 20, 2015, 2:32 PM Rob Crittenden wrote:

> Sina Owolabi wrote:
> > Another key difference I noticed is that the problematic certs have
> > CA:IPA in them, while the working certs have CA:
> > dogtag-ipa-retrieve-agent-submit.
>
> Ok, the full output is really helpful.
>
> First an explanation of CA subsystem renewal.
>
> CA clones are just that, exact clones of each other, which means they
> use the same subsystem certificates for OCSP, audit, etc. This also
> means that at renewal time they need to be renewed on only one master
> and then somehow shared with the other clones.
>
> The initially-installed CA is designated as the renewal master by
> default. It configures certmonger to renew the CA subsystem certificates
> and put the new public cert into a shared area in IPA that will be
> replicated to the other masters.
>
> The non-renewal masters are configured with a special CA,
> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
> updated certificate and when available, it installs it.
>
> So the issue is that it isn't seeing this updated certificate, hence
> CA_WORKING.
>
> The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
> that IPA uses to talk to the CA expired on 04/29.
>
> So the steps you need to take are:
>
> 1. Check your other CA masters and see if they have been renewed
> properly (getcert list will tell you, look for expiration in 2017).
> 2. If they have, see if the data was pushed to LDAP
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
>
> See if there are certificate entries there. Check on multiple masters to
> see if there is a replication issue.
>
> If the certs are there you can try restarting certmonger to kickstart
> the request.
>
> rob
>
>

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sanju A wrote:

Hi,

I am getting the following error while removing a host.

---
Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)
---


This usually means that the CA is not serving requests. It may be up
and running but that doesn't mean the webapp is working.


This is often due to expired CA subsystem certificates. Run getcert list 
to check.


rob



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sina Owolabi wrote:

Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
dogtag-ipa-retrieve-agent-submit.


Ok, the full output is really helpful.

First an explanation of CA subsystem renewal.

CA clones are just that, exact clones of each other, which means they 
use the same subsystem certificates for OCSP, audit, etc. This also 
means that at renewal time they need to be renewed on only one master 
and then somehow shared with the other clones.


The initially-installed CA is designated as the renewal master by 
default. It configures certmonger to renew the CA subsystem certificates
and put the new public cert into a shared area in IPA that will be 
replicated to the other masters.


The non-renewal masters are configured with a special CA, 
dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an 
updated certificate and when available, it installs it.


So the issue is that it isn't seeing this updated certificate, hence 
CA_WORKING.


The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate 
that IPA uses to talk to the CA expired on 04/29.


So the steps you need to take are:

1. Check your other CA masters and see if they have been renewed 
properly (getcert list will tell you, look for expiration in 2017).

2. If they have, see if the data was pushed to LDAP

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com

See if there are certificate entries there. Check on multiple masters to 
see if there is a replication issue.


If the certs are there you can try restarting certmonger to kickstart 
the request.


rob
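The diagnosis in Rob's explanation can be applied mechanically to `getcert list` output. The following Python is an added example, not code from the thread or from FreeIPA: it splits the output into one record per Request ID, flags CA_UNREACHABLE requests (the expired RA agent cert case), flags CA_WORKING requests under the dogtag-ipa-retrieve-agent-submit CA as a clone still waiting on the renewal master's LDAP entry, and reports expiry against a reference date. The sample output and the 2015-05-20 reference date are constructed to match the thread.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Clone-side "CA" that polls cn=ca_renewal,cn=ipa,cn=etc for renewed certs.
RETRIEVE_CA = "dogtag-ipa-retrieve-agent-submit"

# Constructed sample shaped like the `getcert list` output quoted in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130524104636':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2015-05-25 10:12:33 UTC
Request ID '20130524104731':
    status: CA_WORKING
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    expires: 2015-04-29 23:48:46 UTC
Request ID '20140430124456':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-04-30 12:44:55 UTC
"""

# Constructed "now": the date the thread was running, so results are reproducible.
THREAD_DATE = datetime(2015, 5, 20, tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def status(self) -> str:
        return self.fields.get("status", "")

    @property
    def nickname(self) -> str:
        m = re.search(r"nickname='([^']*)'", self.fields.get("certificate", ""))
        return m.group(1) if m else "?"

    @property
    def expires(self) -> Optional[datetime]:
        raw = self.fields.get("expires")
        if not raw:
            return None
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> List[TrackedCert]:
    """Split `getcert list` output into one record per Request ID."""
    records: List[TrackedCert] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            records.append(TrackedCert(m.group(1)))
        elif records and ":" in line:
            # every other line is "key: value"; the "Number of certificates"
            # header is skipped because no record has been opened yet
            key, value = line.strip().split(":", 1)
            records[-1].fields[key.strip()] = value.strip()
    return records


def triage(text: str, now: datetime) -> Dict[str, List[str]]:
    """Map each Request ID to the findings that decide the next step."""
    result: Dict[str, List[str]] = {}
    for rec in parse_getcert_list(text):
        notes: List[str] = []
        if rec.expires is not None and rec.expires <= now:
            notes.append("expired")
        if rec.status == "CA_UNREACHABLE":
            # certmonger cannot talk to the CA at all; the thread traces this to
            # the IPA RA agent cert (IPA's client cert to the CA) having expired
            notes.append("ca-unreachable")
            if "SSL_ERROR_EXPIRED_CERT_ALERT" in rec.fields.get("ca-error", ""):
                notes.append("ra-agent-cert-rejected-as-expired")
        elif rec.status == "CA_WORKING" and rec.fields.get("CA") == RETRIEVE_CA:
            # this host is a clone polling LDAP for a renewed cert that the
            # renewal master has not published; look at the renewal master next
            notes.append("awaiting-renewal-master")
        elif rec.status == "MONITORING" and not notes:
            notes.append("ok")
        result[rec.request_id] = notes
    return result


if __name__ == "__main__":
    # On a live CA master, feed in the stdout of `getcert list` instead.
    findings = triage(SAMPLE_GETCERT_LIST, THREAD_DATE)
    for rec in parse_getcert_list(SAMPLE_GETCERT_LIST):
        print(rec.request_id, rec.nickname, rec.status, findings[rec.request_id])
```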



[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Hi,

I am getting the following error while removing a host.

---
Certificate operation cannot be completed: Unable to communicate with CMS 
(Not Found)
---




Apache log
---

[Wed May 20 12:10:26 2015] [error] ipa: ERROR: 
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with 
CMS (Not Found)


Regards
Sanju Abraham



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Sina Owolabi
Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
dogtag-ipa-retrieve-agent-submit.



 getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130524104636':
status: CA_UNREACHABLE
ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2015-05-25 10:12:33 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104731':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=CA Audit,O=MYDOM.COM
expires: 2015-04-29 23:48:46 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104732':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=OCSP Subsystem,O=MYDOM.COM
expires: 2015-04-29 23:48:45 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104733':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=CA Subsystem,O=MYDOM.COM
expires: 2015-04-29 23:48:46 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104734':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2017-04-06 09:41:48 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104828':
status: CA_UNREACHABLE
ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053]
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2015-05-25 10:1

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Sina Owolabi
Hi Rob


Thanks!
I noticed that the problematic records have their expiration in the
future! And I also do not have pki-tomcatd, it's pki-cad.

From getcert list, the troublesome IDs are:

Request ID '20130524104828':
status: CA_UNREACHABLE
ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053]
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2015-05-25 10:12:32 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130524104917':
status: CA_UNREACHABLE
ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYDOM.COM
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2015-05-25 10:12:33 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden wrote:
> Sina Owolabi wrote:
>>
>> Hi Rob
>>
>> I've been to the URL but it's a little difficult applying these commands
>> to RHEL6 systems.
>> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
>> cannot find the ipa.crt
>>
>> I'm sure as a noob I am overlooking some very obvious stuff, but could
>> you please guide me on what to do?
>
>
> Sorry, I think I pointed you at the wrong page. Check out
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Your CA subsystem certificates are expired, or nearly expired. They are valid for two
> years. Based on the request ID in the snippet you posted at least some are
> valid for another few days.
>
> What I'd suggest is to send the machine back in time and restart the
> services. This should bring things up so that certmonger can do the renewal:
>
> # ipactl stop
> # /sbin/service ntpd stop
> # date 0501hhmm where hhmm are the current hour and minute
> # ipactl start
>
> Hopefully ntpd isn't started by ipactl. If it is then it will undo your
> going back in time, and you'll need to start the services manually:
>
> # service dirsrv@YOURREALM start
> # service krb5kdc start
> # service httpd start
> # service pki-tomcatd start
>
> Restart certmonger
>
> # service certmonger restart
>
> Wait a bit
>
> # getcert list
>
> Watch the status. They should go to MODIFIED
>
> Once done:
>
> # ipactl stop
>
> Return date to present, either by restarting ntpd or date or whatever method
> you'd like.
>
> I'm taking a completely wild guess on the date to go back to. The expiration
> date is listed in the getcert output. I'd go back a week before the oldest
> expiration.
>
> rob
>



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Rob Crittenden

Sina Owolabi wrote:

Hi Rob

I've been to the URL but it's a little difficult applying these commands
to RHEL6 systems.
For instance there is no /etc/pki-tomcat directory in RHEL6, and I
cannot find the ipa.crt

I'm sure as a noob I am overlooking some very obvious stuff, but could
you please guide me on what to do?


Sorry, I think I pointed you at the wrong page. Check out 
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal


Your CA subsystem certificates are expired, or nearly expired. They are valid for two 
years. Based on the request ID in the snippet you posted at least some 
are valid for another few days.


What I'd suggest is to send the machine back in time and restart the 
services. This should bring things up so that certmonger can do the renewal:


# ipactl stop
# /sbin/service ntpd stop
# date 0501hhmm where hhmm are the current hour and minute
# ipactl start

Hopefully ntpd isn't started by ipactl. If it is then it will undo your 
going back in time, and you'll need to start the services manually:


# service dirsrv@YOURREALM start
# service krb5kdc start
# service httpd start
# service pki-tomcatd start

Restart certmonger

# service certmonger restart

Wait a bit

# getcert list

Watch the status. They should go to MODIFIED

Once done:

# ipactl stop

Return date to present, either by restarting ntpd or date or whatever 
method you'd like.


I'm taking a completely wild guess on the date to go back to. The 
expiration date is listed in the getcert output. I'd go back a week 
before the oldest expiration.


rob
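
Rob's procedure keys on the expiry dates printed by `getcert list`, and Sina's earlier post in this thread points out that the stuck requests show a different CA: field from the working ones. The following Python script is an added example (not from the thread or the FreeIPA project) that parses getcert list output, tolerating the wrapped ca-error lines, groups requests by status, keeps the CA helper each one uses, and computes the rollback date a week before the oldest expiry; the sample output is constructed from the posts above.

```python
"""Summarise `getcert list`: stuck requests, CA helper per request, rollback date."""
import re
from datetime import datetime, timedelta

# Fields certmonger prints. Any other "foo: bar" line is a wrapped continuation
# of the previous value (e.g. "request, will retry: 907 ..." inside ca-error).
KNOWN_KEYS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
              "CA", "issuer", "subject", "expires", "key usage", "eku",
              "pre-save command", "post-save command", "track", "auto-renew"}
REQUEST_RE = re.compile(r"^Request ID '(\d+)':$")

# Constructed sample, abbreviated from the getcert output posted in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130524104636':
status: CA_UNREACHABLE
ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
CA: IPA
subject: CN=dc.mydom.com,O=MYDOM.COM
expires: 2015-05-25 10:12:33 UTC
pre-save command:
Request ID '20130524104731':
status: CA_WORKING
CA: dogtag-ipa-retrieve-agent-submit
subject: CN=CA Audit,O=MYDOM.COM
expires: 2015-04-29 23:48:46 UTC
Request ID '20130524104734':
status: MONITORING
CA: dogtag-ipa-renew-agent
expires: 2017-04-06 09:41:48 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request, keyed by certmonger field name."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current, last_key = {"id": m.group(1)}, None
            records.append(current)
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in KNOWN_KEYS:           # a real field
                last_key, current[key] = key, value.strip()
            elif last_key is not None:              # wrapped continuation
                current[last_key] = (current[last_key] + " " + line).strip()
    return records

def expiry(rec):
    return datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S UTC")

def by_status(records):
    """Map status -> request IDs, so CA_UNREACHABLE entries stand out."""
    out = {}
    for rec in records:
        out.setdefault(rec.get("status", "?"), []).append(rec["id"])
    return out

def rollback_date(records, days=7):
    """Rob's rule of thumb: a week before the oldest expiry, so the CA's own
    certificates are valid again and certmonger can complete the renewals."""
    return min(expiry(r) for r in records) - timedelta(days=days)

if __name__ == "__main__":
    recs = parse_getcert(SAMPLE)
    print(by_status(recs), rollback_date(recs).strftime("%Y-%m-%d %H:%M UTC"))
```

Feed it the real output with `getcert list | python3 thisscript.py` after replacing SAMPLE with `sys.stdin.read()`; the printed rollback date is the value to pass to `date` in the procedure above.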



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden

Sina Owolabi wrote:

Hi Rob

There are some logs in /var/log/pki-ca/catalina.out that appear to
indicate a problem:


[SNIP]

These are mostly white noise from tomcat and can be ignored.




Also running "getcert list" tells me there are two expired certs:

Request ID '20130524104636':
 status: CA_UNREACHABLE
 ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
 stuck: no


Request ID '20130524104828':
 status: CA_UNREACHABLE
 ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
 stuck: no

I'd be grateful to know what to do.


Your CA subsystem certificates are expired so while the process is up 
the CA won't serve requests. See 
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal


rob



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Sina Owolabi
Hi Rob

There are some logs in /var/log/pki-ca/catalina.out that appear to
indicate a problem:
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed
and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

SEVERE: A web application appears to have started a thread named
[Timer-0] but has failed to stop it. This is very likely to create a
memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-3] but has failed to
stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-4] but has failed
to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/system.flush-5] but has failed to stop it. This
is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/system.rollover-6] but has failed to stop it.
This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/transactions.flush-7] but has failed to stop it.
This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/transactions.rollover-8] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/selftests.log.flush-9] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/selftests.log.rollover-10] but has failed to
stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-2 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-3 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-4 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-5 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-6 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-8 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads

May 24, 2013 11:48:10 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib


SEVERE: A web application created a Thr

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden

Sina Owolabi wrote:

Yes CA is running, and it's on the same machine.

[root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40

Directory Manager (existing master) password:


Preparing replica for dc01.ourdom.com from dc.ourdom.com

Creating SSL certificate for the Directory Server

Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)

[root@dc ~]# ipactl status

Directory Service: RUNNING

KDC Service: RUNNING

KPASSWD Service: RUNNING

DNS Service: RUNNING

MEMCACHE Service: RUNNING

HTTP Service: RUNNING

CA Service: RUNNING

[root@dc ~]#


This suggests that while the process is running the CA isn't actually 
operational. You'll need to poke through the logs in /var/log/pki* to 
see if there are any errors.


I'd also see if the certificates are expired by running `getcert list` 
as root.


rob



Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Sina Owolabi
Yes CA is running, and it's on the same machine.

[root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40

Directory Manager (existing master) password:


Preparing replica for dc01.ourdom.com from dc.ourdom.com

Creating SSL certificate for the Directory Server

Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found)

[root@dc ~]# ipactl status

Directory Service: RUNNING

KDC Service: RUNNING

KPASSWD Service: RUNNING

DNS Service: RUNNING

MEMCACHE Service: RUNNING

HTTP Service: RUNNING

CA Service: RUNNING

[root@dc ~]#


On Mon, May 18, 2015, 10:19 AM Martin Kosek wrote:

> On 05/16/2015 12:18 PM, Sina Owolabi wrote:
> > Hi Group,
> >
> > I'm attempting again to rebuild and reinstall a troublesome replica. I
> > have two freshly upgraded RHEL6.6 IdM servers.
> >
> > Problem is when I try to run createreplica I have this output:
> >
> >  ipa-replica-prepare services01.ours.com --ip-address 192.168.2.40
> > Directory Manager (existing master) password:
> >
> > Preparing replica for services01.ours.com from services.ours.com
> > Creating SSL certificate for the Directory Server
> > Certificate operation cannot be completed: Unable to communicate with
> > CMS (Not Found)
>
> It looks like the CA is not reachable. Is the CA on the machine where you run
> ipa-replica-manage, or on another machine?
>
> Is the CA running? (ipactl status)
>
> >
> > I have checked the different threads where I find this same error but
> > all symlinks are correctly defined.
> >
> > Please can someone kindly guide a noob in the right path?
> >
>
>

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Martin Kosek
On 05/16/2015 12:18 PM, Sina Owolabi wrote:
> Hi Group,
> 
> I'm attempting again to rebuild and reinstall a troublesome replica. I
> have two freshly upgraded RHEL6.6 IdM servers.
> 
> Problem is when I try to run createreplica I have this output:
> 
>  ipa-replica-prepare services01.ours.com --ip-address 192.168.2.40
> Directory Manager (existing master) password:
> 
> Preparing replica for services01.ours.com from services.ours.com
> Creating SSL certificate for the Directory Server
> Certificate operation cannot be completed: Unable to communicate with
> CMS (Not Found)

It looks like the CA is not reachable. Is the CA on the machine where you run
ipa-replica-manage, or on another machine?

Is the CA running? (ipactl status)

> 
> I have checked the different threads where I find this same error but
> all symlinks are correctly defined.
> 
> Please can someone kindly guide a noob in the right path?
> 



[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-16 Thread Sina Owolabi
Hi Group,

I'm attempting again to rebuild and reinstall a troublesome replica. I
have two freshly upgraded RHEL6.6 IdM servers.

Problem is when I try to run createreplica I have this output:

 ipa-replica-prepare services01.ours.com --ip-address 192.168.2.40
Directory Manager (existing master) password:

Preparing replica for services01.ours.com from services.ours.com
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)

I have checked the different threads where I find this same error but
all symlinks are correctly defined.

Please can someone kindly guide a noob in the right path?
