On 7/16/19 2:39 PM, Harald Dunkel via FreeIPA-users wrote:

ldapsearch -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate

does not show the new certificate yet. I thought that the post-save command
for this certificate is supposed to add it to ldap as well. Should I have used
the ipa-getcert command instead?


PS: Of course I tried to resync, but it didn't work:

[root@ipa2 ~]# ipa-csreplica-manage re-initialize --from ipa1.example.de
Directory Manager password:

Update in progress, 15 seconds elapsed
[ldap://ipa1.example.de:389] reports: Update failed! Status: [Error (-11) - LDAP error: Connect error]


The slapd error logfile shows

[17/Jul/2019:09:43:31.711035365 +0200] - ERR - setup_ol_tls_conn - failed: unable to create new TLS context - -1
[17/Jul/2019:09:43:31.716241164 +0200] - ERR - slapi_ldap_init_ext - failed: unable to set SSL/TLS options
[17/Jul/2019:09:43:31.724077230 +0200] - ERR - setup_ol_tls_conn - failed: unable to create new TLS context - -1
[17/Jul/2019:09:43:31.732212109 +0200] - ERR - slapi_ldap_init_ext - failed: unable to set SSL/TLS options
[17/Jul/2019:09:43:31.740314529 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 2 (No such file or directory)
[17/Jul/2019:09:43:31.753988317 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 2 (No such file or directory)


Is there some way to roll back ipa1 to the old certificate, to
make replication work again? There must be some way out of this
mess.


Every helpful comment is highly appreciated.
Harri
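As an added example (not part of the original message), a stdlib-only Python check for the question above: parse the LDIF that ldapsearch prints, unfold its continuation lines, decode the base64 userCertificate value, and compare it byte-for-byte with a PEM certificate file, so you can tell whether the renewed certificate has actually reached the pkidbuser entry. The certificate bytes and the LDIF below are constructed placeholders, not real certificates.

```python
import base64

def parse_ldif_entries(ldif_text):
    # Parse ldapsearch LDIF output into [{attr: [values]}], unfolding continuation
    # lines (leading space) and decoding "attr:: <base64>" values to bytes.
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded line: append to previous
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            key = attr.split(";")[0].lower()  # drop options such as ';binary'
            if value.startswith(":"):
                current.setdefault(key, []).append(base64.b64decode(value[1:].strip()))
            else:
                current.setdefault(key, []).append(value.strip())
    return entries

def pem_to_der(pem_text):
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def ldap_has_certificate(ldif_text, pem_text):
    # True if any userCertificate value in the LDIF equals the PEM certificate's DER.
    want = pem_to_der(pem_text)
    return any(v == want for e in parse_ldif_entries(ldif_text) for v in e.get("usercertificate", []))

# Constructed sample data: placeholder bytes standing in for DER certificates
# (not real certificates); the LDIF mimics ldapsearch's 76-column line folding.
OLD_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder for the old cert " * 3
NEW_DER = b"\x30\x82\x01\x0b" + b"constructed placeholder for the renewed cert " * 3

def _fold(line, width=76):
    return "\n ".join([line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)])

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_LDIF = "\n".join([
    "dn: uid=pkidbuser,ou=people,o=ipaca",
    "uid: pkidbuser",
    _fold("userCertificate;binary:: " + base64.b64encode(OLD_DER).decode()),
    "",
])
```

Run it against real input by piping the ldapsearch output from the message into `ldap_has_certificate` together with the PEM file certmonger wrote; a `False` for the new certificate means the post-save step did not update LDAP.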
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org