Re: [Freeipa-users] IPA Error 4301: CertificateOperationError
Fraser Tweedale wrote:
> On Mon, Aug 22, 2016 at 11:52:46PM +, Z D wrote:
> > Hello,
> >
> > There is the error on ver 4.2 while viewing certs: "IPA Error
> > 4301: CertificateOperationError", next it read " Certificate
> > operation cannot be completed: Unable to communicate with CMS
> > ([Errno 113] No route to host)".
> >
> > I suspect you'll be asking for below two commands, here are results.
> >
> > # ipa cert-show 1
> > Certificate:
> > MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1VUy5P
> > ..shortened ...
> > H6S7tS4pT9w77K8=
> > Subject: CN=Certificate Authority,O=COMP.COM
> > Issuer: CN=Certificate Authority,O=COMP.COM
> > Not Before: Wed Aug 17 17:20:41 2016 UTC
> > Not After: Sun Aug 17 17:20:41 2036 UTC
> > Fingerprint (MD5): 00:a5:2c:2d:ea:c8:27:33:62:35:75:53:12:6a:0d:c1
> > Fingerprint (SHA1): d1:58:78:83:31:b8:ad:ae:af:2c:e7:05:44:67:6e:3a:37:8c:00:1a
> > Serial number (hex): 0x1
> > Serial number: 1
> >
> > # ipactl restart
> > Restarting Directory Service
> > Restarting krb5kdc Service
> > Restarting kadmin Service
> > Restarting named Service
> > Restarting ipa_memcached Service
> > Restarting httpd Service
> > Restarting ipa-otpd Service
> > Restarting ipa-dnskeysyncd Service
> > ipa: INFO: The ipactl command was successful
> >
> > Any help is appreciated, thanks
> > Zarko
>
> "while viewing certs" -> do you mean in the IPA Web UI?
>
> The successful `cert-show' command indicates that the CA is up and
> running, but the error message indicates that the host running the
> failing action cannot contact the CA. You should check DNS and
> firewall settings as a first step.

If a request for a certificate operation comes into an IPA master that isn't running a CA the request is sent to one that does. It sure seems like that is happening in this case and the chosen CA isn't available.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
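Added example, not part of the thread and not FreeIPA code: a small probe to run from the master that shows the error, which separates the DNS and firewall causes suggested above by classifying the socket error for each CA port. The ports 443 and 8443 and the hostname passed on the command line are assumptions; substitute the CA master the request is forwarded to.

```python
import errno
import socket

# Assumed ports: 443 (httpd in front of the CA) and 8443 (the CA's own HTTPS
# port). They are not stated in the thread; adjust to the deployment.
CA_PORTS = (443, 8443)

HINTS = {
    errno.EHOSTUNREACH: "no route to host: routing problem or a firewall REJECT "
                        "(icmp-host-prohibited) on the path or on the CA host",
    errno.ENETUNREACH: "network unreachable: no route from this master",
    errno.ECONNREFUSED: "host reachable, nothing listening: CA service down",
    errno.ETIMEDOUT: "timed out: packets silently dropped by a firewall",
}


def probe(host, port, timeout=3.0):
    """Return (status, detail) for one TCP connection attempt to host:port."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns-failure", "cannot resolve %s: %s" % (host, exc)
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        return "timeout", HINTS[errno.ETIMEDOUT]
    except OSError as exc:
        # errno 113 on Linux is EHOSTUNREACH, the error quoted in the thread.
        return (errno.errorcode.get(exc.errno, "error"),
                HINTS.get(exc.errno, str(exc)))
    finally:
        sock.close()
    return "open", "TCP connect to %s succeeded" % (addr[0],)


def check_ca(host, ports=CA_PORTS):
    """Probe every CA port on host; return {port: (status, detail)}."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    import sys
    # Usage: python3 ca_probe.py <ca-master-hostname>
    for port, (status, detail) in check_ca(sys.argv[1]).items():
        print("%s:%d %s - %s" % (sys.argv[1], port, status, detail))
```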
Re: [Freeipa-users] IPA Error 4301: CertificateOperationError
On Mon, Aug 22, 2016 at 11:52:46PM +, Z D wrote:
> Hello,
>
> There is the error on ver 4.2 while viewing certs: "IPA Error
> 4301: CertificateOperationError", next it read " Certificate
> operation cannot be completed: Unable to communicate with CMS
> ([Errno 113] No route to host)".
>
> I suspect you'll be asking for below two commands, here are results.
>
> # ipa cert-show 1
> Certificate:
> MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1VUy5P
> ..shortened ...
> H6S7tS4pT9w77K8=
> Subject: CN=Certificate Authority,O=COMP.COM
> Issuer: CN=Certificate Authority,O=COMP.COM
> Not Before: Wed Aug 17 17:20:41 2016 UTC
> Not After: Sun Aug 17 17:20:41 2036 UTC
> Fingerprint (MD5): 00:a5:2c:2d:ea:c8:27:33:62:35:75:53:12:6a:0d:c1
> Fingerprint (SHA1): d1:58:78:83:31:b8:ad:ae:af:2c:e7:05:44:67:6e:3a:37:8c:00:1a
> Serial number (hex): 0x1
> Serial number: 1
>
> # ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> Any help is appreciated, thanks
> Zarko

"while viewing certs" -> do you mean in the IPA Web UI?

The successful `cert-show' command indicates that the CA is up and running, but the error message indicates that the host running the failing action cannot contact the CA. You should check DNS and firewall settings as a first step.

Thanks,
Fraser
[Freeipa-users] IPA Error 4301: CertificateOperationError
Hello,

There is the error on ver 4.2 while viewing certs: "IPA Error 4301: CertificateOperationError", next it read " Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 113] No route to host)".

I suspect you'll be asking for below two commands, here are results.

# ipa cert-show 1
Certificate:
MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1VUy5P
..shortened ...
H6S7tS4pT9w77K8=
Subject: CN=Certificate Authority,O=COMP.COM
Issuer: CN=Certificate Authority,O=COMP.COM
Not Before: Wed Aug 17 17:20:41 2016 UTC
Not After: Sun Aug 17 17:20:41 2036 UTC
Fingerprint (MD5): 00:a5:2c:2d:ea:c8:27:33:62:35:75:53:12:6a:0d:c1
Fingerprint (SHA1): d1:58:78:83:31:b8:ad:ae:af:2c:e7:05:44:67:6e:3a:37:8c:00:1a
Serial number (hex): 0x1
Serial number: 1

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Any help is appreciated, thanks
Zarko