lejeczek via FreeIPA-users wrote:
>
>
> On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote:
>>
>>
>> On 14/09/2021 14:13, Rob Crittenden wrote:
>>> lejeczek via FreeIPA-users wrote:
>>>> Hi guys.
>>>>
>>>> I get:
>>>>
>>>> -> $ ipa host-del c8kubernode1.private.lot
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (403)
>>>>
>>>> -> $ ipa cert-show 1
>>>> ipa: ERROR: Certificate operation cannot be completed: Request failed
>>>> with status 403: Non-2xx response from CA REST API: 403. (403)
>>>>
>>>> I searched mailing list and what I found about certs being out or in
>>>> sync I checked, I verified but it's still possible I missed something
>>>> there.
>>> You checked and verified what?
>> on renewing master:
>> -> $ getcert list | grep status # all are MONITORING
>> But I think I missed it first time.
>> md5s of:
>> userCertificate:: from
>> -> $ ldapsearch -D cn=directory\ manager -b
>> uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
>> and
>> -> $ cat /var/lib/ipa/ra-agent.pem | grep -v '\-\-' |
>> _my._sed-joinLines.sh
>> are different which, if I get it right, means that those are different
>> certificates, right?
>> And if yes then how to know which one is the right one?
>>
>> thanks, L.

You mentioned you did this on the renewal server. Is this the same
server that is throwing the 403?

> But then when I do 'openssl x509 -noout -text -in' on what is in ldap
> then that & '/var/lib/ipa/ra-agent.pem' then it seems to be the same one
> certificate.
> I'm about to get really confused... :) (..so md5s do not work on pem
> files?)

PEM files are just ASCII text.

rob

>
>>>
>>>> I also see this: https://access.redhat.com/solutions/3624671 - which I
>>>> thought was a bit dated issue thus I want to ask:
>>>> Should that be in ipa-server-4.9.6-4 ? because my
>>>> '/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
>>>> "^/ca/rest/account/login...
>>> It's unfortunate that the article says it applies to 4.X which is quite
>>> a broad reach.
>>>
>>> The matching expression was greatly simplified. I don't believe this is
>>> related.
>>>
>>> rob
>>>
>>>> many thanks, L
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>
>>>> Do not reply to spam on the list, report it:
>>>> https://pagure.io/fedora-infrastructure
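
Added example, not part of the original thread: a PEM file and an LDIF `userCertificate::` value are two text wrappings of the same DER bytes, so the comparison the thread is after is on the decoded DER, not on the text. The function names are hypothetical, and the sample bytes are constructed stand-ins for a certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_from_pem(text):
    """DER bytes of the first CERTIFICATE block in a PEM file's text."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    # The armor body is base64 wrapped over many lines; drop all whitespace.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def ders_from_ldif(text, attr="userCertificate"):
    """DER bytes of every base64-encoded ('::') value of attr in LDIF text."""
    # RFC 2849 folding: a line beginning with one space continues the
    # previous line (what ldapsearch emits without -o ldif-wrap=no).
    unfolded = re.sub(r"\r?\n ", "", text)
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition("::")
        if sep and name.split(";")[0].lower() == attr.lower():
            values.append(base64.b64decode(value.strip(), validate=True))
    return values

def fingerprint(der):
    """SHA-256 over the DER encoding, independent of any text wrapping."""
    return hashlib.sha256(der).hexdigest()

def same_certificate(pem_text, ldif_text):
    """True if the PEM certificate equals one of the entry's certificates."""
    return fingerprint(der_from_pem(pem_text)) in {
        fingerprint(d) for d in ders_from_ldif(ldif_text)}

# Constructed sample: arbitrary bytes stand in for a DER certificate.
SAMPLE_DER = bytes(range(256)) * 3
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
               "userCertificate:: " + _b64 + "\n")

if __name__ == "__main__":
    print("same certificate:", same_certificate(SAMPLE_PEM, SAMPLE_LDIF))
```
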