Hi Florence,

On 7/10/19 4:50 PM, Florence Blanc-Renaud wrote:

> Hi,
> the issue seems rather to be between IPA framework and dogtag. Is the CA
> subsystem enabled?
> $ pki-server subsystem-show ca
> should display "Enabled: True"


Nope:

[root@ipa1 ~]# pki-server subsystem-show ca
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: False

Freeipa's top level certificate was signed by an external CA.

> The subsystem logs may show more information: /var/log/pki/pki-tomcat/ca/debug

As you might have imagined, this doesn't exist, either.

> I would start by checking if the "subsystemCert cert-pki-ca" certificate is
> still valid and consistent in the NSSDB and in ldap:
> $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
> => check the date


I've got 4 ipa servers with a local certificate database. One ipa server (ipa1)
gives me

[root@ipa1 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Wed Jun 23 09:56:18 2021

The other 3 say

[root@ipa0 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Thu Aug 01 08:06:59 2019

[root@ipa2 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Thu Aug 01 08:06:59 2019

[root@ipabak ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Thu Aug 01 08:06:59 2019

Obviously the certificate got renewed on ipa1, but not on the others.

> $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -a
> $ ldapsearch -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate
> Both commands should return the same content for the certificate


The ldapsearch line returns 2 identical certificates on ipa{0,1,2,bak},
but ipa1 has a 3rd certificate.

Please don't tell me that my ldap instances are out of sync again.


Regards
Harri
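The two checks suggested in the thread (the "Not After" date in the NSSDB and the NSSDB-versus-LDAP comparison of the subsystem certificate) are easy to get wrong by eye when LDAP returns several userCertificate values. The script below is an added example written for this thread; it is not FreeIPA or Dogtag project code. The NSSDB path, nickname, LDAP base and bind DN are taken from the thread; the function names, the `--live` switch and the sample data are my own, and the sample "certificates" are constructed byte strings, not real X.509 objects, so the pure-Python parsing and comparison can be exercised offline. `live()` runs the exact `certutil` and `ldapsearch` commands from the thread and therefore needs root on the IPA host and the Directory Manager password.

```python
#!/usr/bin/env python3
"""Check that the 'subsystemCert cert-pki-ca' certificate in the Dogtag NSS
database matches the userCertificate values on uid=pkidbuser in LDAP.

Added example for this thread, not FreeIPA or Dogtag project code.  The NSSDB
path, nickname, LDAP base and bind DN are the ones quoted in the thread; the
parsing and comparison functions are pure Python so they can be exercised on
constructed input without certutil or ldapsearch.
"""
import base64
import hashlib
import re
import subprocess
import sys

NSSDB = "/etc/pki/pki-tomcat/alias/"
NICK = "subsystemCert cert-pki-ca"
LDAP_BASE = "o=ipaca"
LDAP_FILTER = "uid=pkidbuser"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes; the same certificate yields the same value
    whether it was read from the NSSDB (PEM) or from LDAP (LDIF base64)."""
    return hashlib.sha256(der).hexdigest()


def certs_from_pem(text: str) -> set:
    """Fingerprints of every certificate in `certutil -L ... -a` output."""
    return {fingerprint(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(text)}


def certs_from_ldif(text: str) -> set:
    """Fingerprints of every userCertificate value in ldapsearch output.

    ldapsearch prints binary attributes as base64 after '::' and folds long
    values onto continuation lines that begin with one space; unfold those
    before decoding, otherwise only the first 76 columns get compared."""
    unfolded = re.sub(r"\r?\n ", "", text)
    found = set()
    for line in unfolded.splitlines():
        m = re.match(r"userCertificate(?:;binary)?::\s*(\S+)\s*$", line)
        if m:
            found.add(fingerprint(base64.b64decode(m.group(1))))
    return found


def compare(nss: set, ldap: set) -> dict:
    """Fingerprints present in both stores, only in the NSSDB, only in LDAP."""
    return {"both": sorted(nss & ldap),
            "nss_only": sorted(nss - ldap),
            "ldap_only": sorted(ldap - nss)}


# --- constructed sample input (not real certificates) for offline use -------
SAMPLE_A = b"constructed-not-a-real-certificate-A" * 3
SAMPLE_B = b"constructed-not-a-real-certificate-B" * 3


def make_pem(der: bytes) -> str:
    """Wrap bytes the way certutil -a prints a certificate."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def make_ldif(ders) -> str:
    """Mimic ldapsearch output: one 76-column-folded value per certificate.
    The DN is a constructed placeholder for the sample only."""
    out = ["dn: uid=pkidbuser,o=ipaca"]
    for der in ders:
        value = "userCertificate;binary:: " + base64.b64encode(der).decode()
        out.append(value[:76] + "".join(
            "\n " + value[i:i + 75] for i in range(76, len(value), 75)))
    return "\n".join(out) + "\n"


def demo() -> dict:
    """NSSDB holds only A while LDAP holds A and B: an extra value in LDAP,
    the shape of the 'ipa1 has a 3rd certificate' observation in the thread."""
    return compare(certs_from_pem(make_pem(SAMPLE_A)),
                   certs_from_ldif(make_ldif([SAMPLE_A, SAMPLE_B])))


def live() -> dict:
    """Run the two commands from the thread on a real IPA/Dogtag host."""
    pem = subprocess.run(["certutil", "-L", "-d", NSSDB, "-n", NICK, "-a"],
                         check=True, text=True, capture_output=True).stdout
    ldif = subprocess.run(["ldapsearch", "-D", "cn=directory manager", "-W",
                           "-b", LDAP_BASE, LDAP_FILTER, "userCertificate"],
                          check=True, text=True, capture_output=True).stdout
    return compare(certs_from_pem(pem), certs_from_ldif(ldif))


if __name__ == "__main__":
    result = live() if "--live" in sys.argv[1:] else demo()
    for key, fps in result.items():
        print(f"{key}: {fps or '-'}")
```

On a healthy replica `live()` should report exactly one fingerprint under `both` and nothing under `nss_only` or `ldap_only`; a value under `ldap_only` is the extra LDAP entry Harri describes, and anything under `nss_only` means the renewed certificate never reached LDAP. Run it on each replica and compare the `both` fingerprints across hosts to see which replicas share the same subsystem certificate; the expiry date itself still comes from the `certutil -L ... | grep "Not After"` check already quoted in the thread.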
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org