Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-04 Thread Rob Crittenden

Chris Tobey wrote:
> Hi Rob,
>
> Thanks for taking the time to look at this.
>
> I have services in /etc/init.d/ named tomcat6 and pki-cad.
>
> I tried the following:
> -
> [Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
> tomcat6 is stopped [  OK  ]
> [Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
> Starting tomcat6:  [  OK  ]
> [Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
> tomcat6 (pid 10853) is running...  [  OK  ]
> [Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status
> pki-ca (pid 1793) is running...[  OK  ]
> Unsecure Port   = http://chimera.server.com:9180/ca/ee/ca
> Secure Agent Port   = https://chimera.server.com:9443/ca/agent/ca
> Secure EE Port  = https://chimera.server.com:9444/ca/ee/ca
> Secure Admin Port   = https://chimera.server.com:9445/ca/services
> EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca
> PKI Console Port= pkiconsole https://chimera.server.com:9445/ca
> Tomcat Port = 9701 (for shutdown)
>
> PKI Instance Name:   pki-ca
>
> PKI Subsystem Type:  Root CA (Security Domain)
>
> Registered PKI Security Domain Information:
>
> ==
> Name:  IPA
> URL:   https://chimera.server.com:443
>
> ==


Ok, you didn't specify a version so I took a stab in the dark on the 
service name. So I gather you're running 3.0.0?


You'll need to dive into the catalina.log and debug logs in 
/var/log/pki-ca. This means that tomcat started but the webapp didn't. 
This is usually the audit subsystem kicking in but recently someone else 
had this issue and a simple ipactl restart fixed it for him.


rob


> -
>
> After this I am able to create new hosts on my Foreman server!
>
> There are now a few questions:
> 1. I am not sure why the tomcat6 service was stopped, if it is required to
> be running.
> 2. I am not sure why a reboot of the server did not auto-start tomcat6.
> 3. When navigating the web GUI for FreeIPA and clicking on a host, I still
> see the popup message in the subject of this thread.
>
> I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman
> (puppetmaster) servers yet. When I have some downtime I will try that and
> see what happens in regards to questions 2 and 3.
>
> Thanks,
> -Chris Tobey
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: June-04-15 10:35 AM
> To: Chris Tobey; 'Martin Kosek'; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)
>
> Apache proxies to dogtag, so a Not Found means that dogtag either isn't
> running or its webapp wasn't loaded.
>
> I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that
> helps.
>
> Otherwise you'll need to poke around in the debug log in
> /var/lib/pki-ca/something
>
> rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-04 Thread Chris Tobey
Hi Rob,

Thanks for taking the time to look at this.

I have services in /etc/init.d/ named tomcat6 and pki-cad.

I tried the following:
-
[Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
tomcat6 is stopped [  OK  ]
[Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
Starting tomcat6:  [  OK  ]
[Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
tomcat6 (pid 10853) is running...  [  OK  ]
[Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status
pki-ca (pid 1793) is running...[  OK  ]
Unsecure Port   = http://chimera.server.com:9180/ca/ee/ca
Secure Agent Port   = https://chimera.server.com:9443/ca/agent/ca
Secure EE Port  = https://chimera.server.com:9444/ca/ee/ca
Secure Admin Port   = https://chimera.server.com:9445/ca/services
EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca
PKI Console Port= pkiconsole https://chimera.server.com:9445/ca
Tomcat Port = 9701 (for shutdown)

PKI Instance Name:   pki-ca

PKI Subsystem Type:  Root CA (Security Domain)

Registered PKI Security Domain Information:
 
==
Name:  IPA
URL:   https://chimera.server.com:443
 
==
-

After this I am able to create new hosts on my Foreman server!

There are now a few questions:
1. I am not sure why the tomcat6 service was stopped, if it is required to
be running.
2. I am not sure why a reboot of the server did not auto-start tomcat6.
3. When navigating the web GUI for FreeIPA and clicking on a host, I still
see the popup message in the subject of this thread.

I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman
(puppetmaster) servers yet. When I have some downtime I will try that and
see what happens in regards to questions 2 and 3.

Thanks,
-Chris Tobey

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: June-04-15 10:35 AM
To: Chris Tobey; 'Martin Kosek'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)

Apache proxies to dogtag, so a Not Found means that dogtag either isn't
running or its webapp wasn't loaded.

I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that
helps.

Otherwise you'll need to poke around in the debug log in
/var/lib/pki-ca/something

rob



Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-04 Thread Chris Tobey
Hi Rob,

Sorry, my original message had the information: 
  FreeIPA server running on CentOS 6.6 server.
(ipa-server-3.0.0-42.el6.centos.x86_64 and
ipa-client-3.0.0-42.el6.centos.x86_64)

Once again your advice is perfect. I did the ipactl restart and now
everything in the web page appears to be working without error.

I will let you know if I see anything else, but it looks like this is
solved.

Thank you for all your help.

-Chris Tobey

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: June-04-15 3:20 PM
To: Chris Tobey; 'Martin Kosek'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)

Chris Tobey wrote:
> Hi Rob,
>
> Thanks for taking the time to look at this.
>
> I have services in /etc/init.d/ named tomcat6 and pki-cad.
>
> I tried the following:
> -
> [Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
> tomcat6 is stopped [  OK  ]
> [Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
> Starting tomcat6:  [  OK  ]
> [Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
> tomcat6 (pid 10853) is running...  [  OK  ]
> [Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status
> pki-ca (pid 1793) is running...[  OK  ]
> Unsecure Port   = http://chimera.server.com:9180/ca/ee/ca
> Secure Agent Port   = https://chimera.server.com:9443/ca/agent/ca
> Secure EE Port  = https://chimera.server.com:9444/ca/ee/ca
> Secure Admin Port   = https://chimera.server.com:9445/ca/services
> EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca
> PKI Console Port= pkiconsole https://chimera.server.com:9445/ca
> Tomcat Port = 9701 (for shutdown)
>
> PKI Instance Name:   pki-ca
>
> PKI Subsystem Type:  Root CA (Security Domain)
>
> Registered PKI Security Domain Information:
>
> ==
> Name:  IPA
> URL:   https://chimera.server.com:443
>
> ==
>

Ok, you didn't specify a version so I took a stab in the dark on the service
name. So I gather you're running 3.0.0?

You'll need to dive into the catalina.log and debug logs in /var/log/pki-ca.
This means that tomcat started but the webapp didn't. 
This is usually the audit subsystem kicking in but recently someone else had
this issue and a simple ipactl restart fixed it for him.

rob

> -
>
> After this I am able to create new hosts on my Foreman server!
>
> There are now a few questions:
> 1. I am not sure why the tomcat6 service was stopped, if it is
> required to be running.
> 2. I am not sure why a reboot of the server did not auto-start tomcat6.
> 3. When navigating the web GUI for FreeIPA and clicking on a host, I
> still see the popup message in the subject of this thread.
>
> I have not yet tried rebooting the FreeIPA (chimera) and
> Puppet/Foreman
> (puppetmaster) servers yet. When I have some downtime I will try that
> and see what happens in regards to questions 2 and 3.
>
> Thanks,
> -Chris Tobey
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: June-04-15 10:35 AM
> To: Chris Tobey; 'Martin Kosek'; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation
> cannot be
> completed: Unable to communicate with CMS (Not Found)
>
> Apache proxies to dogtag, so a Not Found means that dogtag either
> isn't running or its webapp wasn't loaded.
>
> I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that
> helps.
>
> Otherwise you'll need to poke around in the debug log in
> /var/lib/pki-ca/something
>
> rob





Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-03 Thread Martin Kosek
On 06/02/2015 10:10 PM, Chris Tobey wrote:
> Hi everyone,
>
> This is my first time posting here - please be gentle.

Ok :-)

> I currently have ~40 CentOS 6.6 servers authenticating against my FreeIPA
> server running on another CentOS 6.6 server.
> (ipa-server-3.0.0-42.el6.centos.x86_64 and
> ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running stable
> for the last ~4 months without issue, slowly building up from five servers
> to the current forty. This server is paired with a puppet/foreman server to
> manage the servers themselves.
>
> I am having an issue with my FreeIPA server and I cannot figure out what is
> going wrong. As of right now all 40 servers can still authenticate without
> issue, so that is good.
>
> My issue is similar to what I saw here:
> https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html
> where I receive a pop-up error "IPA Error 4301: Certificate operation cannot
> be completed: Unable to communicate with CMS (Not Found)". The issue
> described at the above link is fairly old, and I checked my .jar symlinks
> and they appear to all be ok. The pop-up appears when I go to
> Identity > Hosts and click on a host. The host information appears to all
> be correct, and if I make changes the error appears again, but the changes
> seem to take effect (tested changing a host description).
>
> The failures prevent me from adding new hosts in Foreman. When I try to add
> a new host it says "Unable to save - Failed to create testvm.server.com's
> realm entry: ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm
> entry ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://puppetmaster.server.com:8443/realm/SERVER.COM."
>
> Does anyone have any ideas on what I can do to fix this? I can post any logs
> that I have, but I do not know which are relevant to this issue.

Could this be the dreaded expiration of the FreeIPA CA subsystem certificates?
I would suggest logging in to the FreeIPA CA servers and running

# getcert list

and giving us the output.

https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates

Thanks,
Martin

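Martin's check above is to read `getcert list` on the CA server and look for subsystem certificates that have expired or that certmonger can no longer renew. The Python below is an added example, not code from the thread or from FreeIPA: it parses output in the shape Chris posts later in the thread and flags every tracked certificate that is not in MONITORING, is stuck, has already expired, or expires within 30 days. The sample output is constructed (PIN omitted), and the `CA_UNREACHABLE` record stands in for a certificate the CA failed to renew.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample (PIN omitted) shaped like the thread's `getcert list` output.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20150407214802':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-03-27 21:47:14 UTC
Request ID '20150407214806':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2015-05-30 21:47:14 UTC
"""

def parse_utc(stamp):
    # getcert prints timestamps like '2017-03-27 21:47:14 UTC'.
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    # One dict of 'key: value' fields per 'Request ID' block of getcert output.
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID "):
            rec = {"request_id": line.split("'")[1]}
            records.append(rec)
        elif rec is not None and (m := re.match(r"^([A-Za-z][A-Za-z -]*):\s?(.*)$", line)):
            rec[m.group(1)] = m.group(2).strip()
    return records

def check_tracked_certs(text, now, warn_days=30):
    # Flag tracked certs that are not MONITORING, stuck, expired, or expiring soon.
    findings = []
    for rec in parse_getcert_list(text):
        m = re.search(r"nickname='([^']*)'", rec.get("key pair storage", ""))
        nick, problems = (m.group(1) if m else "?"), []
        if rec.get("status") != "MONITORING":
            problems.append("status " + rec.get("status", "?"))
        if rec.get("stuck") == "yes":
            problems.append("stuck")
        exp = parse_utc(rec["expires"])
        if exp <= now:
            problems.append("expired")
        elif exp - now <= timedelta(days=warn_days):
            problems.append("expires within %d days" % warn_days)
        if problems:
            findings.append((rec["request_id"], nick, problems))
    return findings
```

On a real server, feed the captured `getcert list` text to `check_tracked_certs` with `datetime.now(timezone.utc)`; an empty result means every tracked certificate is healthy and not close to expiry.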


Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-03 Thread Chris Tobey
Hi Martin,

Thank you for the response. Here is what I can see on my FreeIPA server (I
replaced my server name with server.com):

[Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)
[Wed Jun 03 10:05:47:..//var/lib/pki-ca]$ getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150407214802':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=CA Audit,O=SERVER.COM
expires: 2017-03-27 21:47:14 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214803':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=OCSP Subsystem,O=SERVER.COM
expires: 2017-03-27 21:47:13 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214804':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=CA Subsystem,O=SERVER.COM
expires: 2017-03-27 21:47:14 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214805':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=IPA RA,O=SERVER.COM
expires: 2017-03-27 21:48:00 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214806':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=chimera.server.com,O=SERVER.COM
expires: 2017-03-27 21:47:14 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SERVER.COM
subject: CN=chimera.server.com,O=SERVER.COM
expires: 2017-04-07 21:48:20 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
Request ID '20150407214856':
status: MONITORING
stuck: no
key pair storage: