KodaK wrote:



On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    KodaK wrote:

        Hey everyone,

        A couple of days ago I started getting the following message:

        [jebalicki@slpidml01 ~]$ ipa cert-show 1
        ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
        ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml'
        ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

        I get a similar error in the GUI when looking at hosts.

        slpidml01 is my "master" -- the one I initially built.  The other
        replicas also replicated the CA.

        After some digging (and prompting from Red Hat support) I've found the following:

        [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
        ldap_start_tls: Connect error (-11)
                  additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

        But, interestingly, from another replica:

        [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
        Enter LDAP Password:
        # extended LDIF
        #
        # LDAPv3
        # base <dc=unix,dc=xxx,dc=com> with scope subtree
        # filter: (objectclass=*)
        # requesting: ALL
        ...

        So, obviously some certificate got hosed up somewhere.  I've been
        digging but I haven't found it yet.

        Anyone have any ideas?

        I have a ticket open with RH support, but I think I somehow got put with someone with a completely different sleep schedule -- I get replies at 3 in the morning.  So, I'm asking here because I'm impatient. :)


    Check certificate expiration. Run getcert list to see what the
    status is.

    rob


None are expired, but there are some coming up soon:

[root@slpidml01 ~]# getcert list | grep expires
         expires: 2014-03-29 19:03:31 UTC
         expires: 2014-03-29 19:04:04 UTC
         expires: 2014-03-29 19:04:30 UTC
         expires: 2016-02-09 06:26:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC
         expires: 2016-02-09 06:25:34 UTC

Ok. CA requests are proxied through Apache so a Not Found means that the CA isn't running. Check the trust on the audit cert:

# certutil -L -d /var/lib/pki-ca/alias

The trust for the audit signing cert should be u,u,Pu

If it doesn't have it, fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

Then restart the CA (or all of IPA if you wish).

For the LDAP searches you may want to try the commands again, preceding them with LDAPTLS_CACERT=/etc/ipa/ca.crt

rob
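For the two checks Rob suggests (the getcert expiry dates and the audit signing cert's trust flags), a small triage script that parses captured output of those two commands. This is an added example, not code from the thread or from FreeIPA; the sample outputs, the request IDs and the `Server-Cert` entry are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output, trimmed to the fields used here.
GETCERT_SAMPLE = """\
Request ID '20140329190331':
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
\texpires: 2014-03-29 19:03:31 UTC
Request ID '20160209062534':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2016-02-09 06:25:34 UTC
"""
# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias` in which the audit
# signing cert lacks the 'P' (trusted peer) flag, the state Rob's certutil -M repairs.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""
AUDIT_NICK, AUDIT_TRUST = "auditSigningCert cert-pki-ca", "u,u,Pu"

def parse_utc(stamp):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' stamps that getcert prints."""
    return datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S UTC")

def expiring_soon(getcert_output, now, days=30):
    """Return (nickname, expires) pairs whose expiry falls within `days` of `now`."""
    deadline = parse_utc(now) + timedelta(days=days)
    soon, nickname = [], None
    for line in getcert_output.splitlines():
        line = line.strip()
        if line.startswith("certificate:"):  # remember which cert this request tracks
            m = re.search(r"nickname='([^']+)'", line)
            nickname = m.group(1) if m else None
        elif line.startswith("expires:"):
            stamp = line.split(":", 1)[1].strip()
            if parse_utc(stamp) <= deadline:
                soon.append((nickname, stamp))
    return soon

def trust_attributes(certutil_output):
    """Map nickname -> trust string (SSL,S/MIME,JAR/XPI) from a certutil -L listing."""
    rows = re.findall(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$", certutil_output, re.M)
    return dict(rows)

def audit_trust_ok(certutil_output):
    """True when the audit signing cert carries the u,u,Pu trust the CA expects."""
    return trust_attributes(certutil_output).get(AUDIT_NICK) == AUDIT_TRUST
```

On a real server, feed the functions the output of `getcert list` and `certutil -L -d /var/lib/pki-ca/alias` instead of the constructed samples.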

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users