[Freeipa-users] TLS error on master server / CA issue?
Hey everyone, A couple of days ago I started getting the following message: [jebalicki@slpidml01 ~]$ ipa cert-show 1 ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml ipa: INFO: Forwarding 'cert_show' to server u' https://slpidml01.unix.xxx.com/ipa/xml' ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) I get a similar error in the GUI when looking at hosts. slpidml01 is my master -- the one I initially built. The other replicas also replicated the CA. After some digging (and prompting from Red Hat support) I've found the following: [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. But, interestingly, from another replica: [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x Enter LDAP Password: # extended LDIF # # LDAPv3 # base dc=unix,dc=xxx,dc=com with scope subtree # filter: (objectclass=*) # requesting: ALL ... So, obviously some certificate got hosed up somewhere. I've been digging but I haven't found it yet. Anyone have any ideas? I have a ticket open with RH support, but I think I somehow got put with someone with a completely different sleep schedule -- I get replies at 3 in the morning. So, I'm asking here because I'm impatient. :) Thanks, --Jason ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] TLS error on master server / CA issue?
KodaK wrote: Hey everyone, A couple of days ago I started getting the following message: [jebalicki@slpidml01 ~]$ ipa cert-show 1 ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml' ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) I get a similar error in the GUI when looking at hosts. slpidml01 is my master -- the one I initially built. The other replicas also replicated the CA. After some digging (and prompting from Red Hat support) I've found the following: [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. But, interestingly, from another replica: [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x Enter LDAP Password: # extended LDIF # # LDAPv3 # base dc=unix,dc=xxx,dc=com with scope subtree # filter: (objectclass=*) # requesting: ALL ... So, obviously some certificate got hosed up somewhere. I've been digging but I haven't found it yet. Anyone have any ideas? I have a ticket open with RH support, but I think I somehow got put with someone with a completely different sleep schedule -- I get replies at 3 in the morning. So, I'm asking here because I'm impatient. :) Check certificate expiration. Run getcert list to see what the status is. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] TLS error on master server / CA issue?
On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden rcrit...@redhat.comwrote: KodaK wrote: Hey everyone, A couple of days ago I started getting the following message: [jebalicki@slpidml01 ~]$ ipa cert-show 1 ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml' ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) I get a similar error in the GUI when looking at hosts. slpidml01 is my master -- the one I initially built. The other replicas also replicated the CA. After some digging (and prompting from Red Hat support) I've found the following: [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. But, interestingly, from another replica: [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x Enter LDAP Password: # extended LDIF # # LDAPv3 # base dc=unix,dc=xxx,dc=com with scope subtree # filter: (objectclass=*) # requesting: ALL ... So, obviously some certificate got hosed up somewhere. I've been digging but I haven't found it yet. Anyone have any ideas? I have a ticket open with RH support, but I think I somehow got put with someone with a completely different sleep schedule -- I get replies at 3 in the morning. So, I'm asking here because I'm impatient. :) Check certificate expiration. Run getcert list to see what the status is. rob None are expired, but there are some coming up soon: [root@slpidml01 ~]# getcert list | grep expires expires: 2014-03-29 19:03:31 UTC expires: 2014-03-29 19:04:04 UTC expires: 2014-03-29 19:04:30 UTC expires: 2016-02-09 06:26:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC Everything is set to auto-renew: [root@slpidml01 ~]# getcert list | grep auto-renew auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] TLS error on master server / CA issue?
KodaK wrote: On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: KodaK wrote: Hey everyone, A couple of days ago I started getting the following message: [jebalicki@slpidml01 ~]$ ipa cert-show 1 ipa: INFO: trying https://slpidml01.unix.xxx.__com/ipa/xml https://slpidml01.unix.xxx.com/ipa/xml ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.__com/ipa/xml https://slpidml01.unix.xxx.com/ipa/xml' ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) I get a similar error in the GUI when looking at hosts. slpidml01 is my master -- the one I initially built. The other replicas also replicated the CA. After some digging (and prompting from Red Hat support) I've found the following: [root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com__ -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. But, interestingly, from another replica: [jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com http://slpidml01.unix.xxx.com__ -D cn=Directory Manager -W -b dc=unix,dc=xxx,dc=com -x Enter LDAP Password: # extended LDIF # # LDAPv3 # base dc=unix,dc=xxx,dc=com with scope subtree # filter: (objectclass=*) # requesting: ALL ... So, obviously some certificate got hosed up somewhere. I've been digging but I haven't found it yet. Anyone have any ideas? I have a ticket open with RH support, but I think I somehow got put with someone with a completely different sleep schedule -- I get replies at 3 in the morning. So, I'm asking here because I'm impatient. :) Check certificate expiration. Run getcert list to see what the status is. rob None are expired, but there are some coming up soon: [root@slpidml01 ~]# getcert list | grep expires expires: 2014-03-29 19:03:31 UTC expires: 2014-03-29 19:04:04 UTC expires: 2014-03-29 19:04:30 UTC expires: 2016-02-09 06:26:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC expires: 2016-02-09 06:25:34 UTC Ok. CA requests are proxied through Apache so a Not Found means that the CA isn't running. Check the trust on the audit cert: # certutil -L -d /var/lib/pki-ca/alias The trust for the audit signing cert should be u,u,Pu If it doesn't have it, fix it with: # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu Then restart the CA (or all of IPA if you wish). For the LDAP searches you may want to try the commands again, preceding them with LDAPTLS_CACERT=/etc/ipa/ca.crt rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users