On 12/12/2016 10:32 PM, jay wrote:
Hello,
I have been testing freeipa on CentOS 7 for a while now with a
relatively simple setup, just a single server and 12 or so Linux clients
in AWS. I went to rebuild the environment today and part of my Ansible
playbook failed with this error
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)
This is the command that failed
/usr/bin/ipa cert-show 1 --out=/root/cacert.crt
I noticed the version I was using on Friday was
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64. But now I'm getting
ipa-server-4.4.0-14.el7.centos.x86_64 installed, so the repo was updated
over the weekend.
Is there a known issue running cert-show with this version? I can't
find anything in the debug logs that point to something wrong. Running
'ipa cert-find' and 'getcert list -d /etc/httpd/alias -n ipaCert' work
just fine.
Can someone offer some advice or pointer to what might be going on? I'm
invoking the install with these options and it has worked flawlessly
before this new version
2016-12-12T21:05:21Z DEBUG ipa-server-install was invoked with arguments
[] and options: {'no_dns_
sshfp': None, 'ignore_topology_disconnect': None, 'verbose': False,
'ip_addresses': [CheckedIPAddr
ess('172.31.0.235')], 'domainlevel': None, 'mkhomedir': None,
'http_cert_files': None, 'no_ntp': N
one, 'reverse_zones': None, 'no_forwarders': None, 'external_ca_type':
None, 'ssh_trust_dns': True
, 'domain_name': 'ipa.us-west-2.compute.internal', 'idmax': None,
'http_cert_name': None, 'dirsrv_
cert_files': None, 'no_dnssec_validation': None, 'ca_signing_algorithm':
None, 'no_reverse': None,
'subject': None, 'unattended': True, 'auto_reverse': None,
'auto_forwarders': None, 'no_host_dns'
: None, 'no_sshd': None, 'no_ui_redirect': None, 'ignore_last_of_role':
None, 'realm_name': 'IPA.U
S-WEST-2.COMPUTE.INTERNAL', 'forwarders':
[CheckedIPAddress('172.31.0.2')], 'idstart': 5000, 'exte
rnal_ca': None, 'no_ssh': None, 'external_cert_files': None,
'no_hbac_allow': None, 'forward_polic
y': None, 'dirsrv_cert_name': None, 'ca_cert_files': None, 'zonemgr':
None, 'quiet': False, 'setup
_dns': True, 'host_name': 'ip-172-31-0-235.us-west-2.compute.internal',
'dirsrv_config_file': None
, 'log_file': None, 'allow_zone_overlap': None, 'uninstall': False}
2016-12-12T21:05:21Z DEBUG IPA version 4.4.0-14.el7.centos
Thank you
Jay
Hi,
the ipa cert-show command is communicating with Dogtag, using port 443.
Can you check if Dogtag is properly responding on this port?
$ SSL_DIR=/etc/httpd/alias/ curl -v -E ipaCert:`cat
/etc/httpd/alias/pwdfile.txt`
https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1
-o out.html
The issue can be that Dogtag is down, or a SSL issue (the certificate
ipaCert in /etc/httpd/alias is used to authenticate the client to Dogtag).
HTH,
Flo.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
