Fixed line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version
4.9.6-10:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1"
secret="123456789abcdefghijklmnopqrstuvwxyz" requiredSecret="123456789abcdefghijklmnopqrstuvwxyz"/>
Line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 4.9.6-6:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4"
name="Connector1" secret="123456789abcdefghijklmnopqrstuvwxyz "/>
-Scott
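A check for the condition the two lines above differ on, added here as an example and not part of the original message or of FreeIPA's own code: it parses a `server.xml`, finds each AJP connector, and reports whether `secret` and `requiredSecret` are both present, identical, and free of stray whitespace, without printing the values. The function name, finding labels and sample wrapper are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples: the two Connector lines quoted in the message, wrapped
# in a minimal <Server><Service> skeleton so each parses on its own. The secret
# is the placeholder from the message, trailing space in BEFORE included.
WRAP = '<Server><Service name="Catalina">%s</Service></Server>'
BEFORE = WRAP % ('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
                 'address="localhost4" name="Connector1" '
                 'secret="123456789abcdefghijklmnopqrstuvwxyz "/>')
AFTER = WRAP % ('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
                'address="localhost4" name="Connector1" '
                'secret="123456789abcdefghijklmnopqrstuvwxyz" '
                'requiredSecret="123456789abcdefghijklmnopqrstuvwxyz"/>')

SECRET_ATTRS = ("secret", "requiredSecret")


def audit_ajp_secrets(server_xml):
    """Return (port, finding) tuples for every AJP connector in server_xml (str or bytes)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors carry no AJP secret
        port = conn.get("port", "?")
        present = {a: conn.get(a) for a in SECRET_ATTRS if conn.get(a) is not None}
        if not present:
            findings.append((port, "no-secret"))
            continue
        for attr in SECRET_ATTRS:
            if attr not in present:
                findings.append((port, "missing:" + attr))
        for attr, value in present.items():
            if value != value.strip():
                findings.append((port, "whitespace:" + attr))
        if len(set(present.values())) > 1:
            findings.append((port, "mismatch"))
    return findings


if __name__ == "__main__":
    # Assumed default path: the file named in the message.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/pki-tomcat/server.xml"
    with open(path, "rb") as fh:
        for port, finding in audit_ajp_secrets(fh.read()):
            print(f"AJP connector on port {port}: {finding}")
```

An empty result means every AJP connector carries both attributes with the same value, as in the fixed line.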
From: Vinícius Ferrão <fer...@versatushpc.com.br>
Sent: Wednesday, December 22, 2021 11:15 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdun...@caltech.edu>
Subject: Re: [Freeipa-users] IPA Server Upgrade: CA REST API: 403 error
Sorry. Wrong link. This is the one:
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg12583.html
On 22 Dec 2021, at 16:14, Vinícius Ferrão <fer...@versatushpc.com.br> wrote:
Is this related?
https://pagure.io/freeipa/issue/9041
On 22 Dec 2021, at 15:35, Dungan, Scott A. via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Prior to running yum update on one of our IPA servers running RHEL8 version
4.9.6-6, ipa-healthcheck showed no errors. After running the update to
4.9.6-10, healthcheck threw “non-2xx response from CA REST API: 403” errors:
[root@ipa1 ~]# ipa-healthcheck --failures-only
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "0fcf1f94-16d3-4f33-aabc-446403a8190f",
"when": "20211222175722Z",
"duration": "0.715360",
"kw": {
"msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "969b76e2-bda7-4d47-a76b-fa48b59e469f",
"when": "20211222175735Z",
"duration": "1.208329",
"kw": {
"key": "20210406003327",
"serial": 7,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "696f34d9-e965-4d23-8a60-192811cedd51",
"when": "20211222175735Z",
"duration": "1.479161",
"kw": {
"key": "20210406003320",
"serial": 5,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "bd716c75-de8b-4893-9e6e-f474dcf898a6",
"when": "20211222175735Z",
"duration": "1.747070",
"kw": {
"key": "20210406003321",
"serial": 2,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "59815cd0-e48c-47bf-965f-c089bcf0f2dd",
"when": "20211222175736Z",
"duration": "2.021750",
"kw": {
"key": "20210406003322",
"serial": 4,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "ea34c649-7823-4c35-b54d-7b3aaf8677c8",
"when": "20211222175736Z",
"duration": "2.291332",
"kw": {
"key": "20210406003323",
"serial": 1,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "8ed4da7b-dec9-4dc5-ad05-ac7064181481",
"when": "20211222175736Z",
"duration": "2.567577",
"kw": {
"key": "20210406003326",
"serial": 3,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "faf9b70b-333e-4e08-a211-bd887c346d13",
"when": "20211222175736Z",
"duration": "2.723022",
"kw": {
"key": "20211130180109",
"serial": 20,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "6f4097a7-c62a-4771-9019-90c3fa8d0e80",
"when": "20211222175737Z",
"duration": "2.985982",
"kw": {
"key": "20210406003328",
"serial": 8,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "1e7bfdc0-6dbf-4d0c-a102-86b312c8181e",
"when": "20211222175737Z",
"duration": "3.136052",
"kw": {
"key": "20201110192416",
"serial": 10,
"error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
}
}
]
Logging into web ui works, but when clicking through to the Authentication tab,
the following error pops:
IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)
About three weeks ago, we had replication issues with this particular server
but resolved them with Rob’s help. See the thread here:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NXOVGLHLZWU7GQJTPNLSWYYNLHZVF6UT/
Any help would be appreciated. Thanks,
Scott