Natxo Asenjo via FreeIPA-users wrote:
> hi,
> 
> I have a lab test with fedora 34 (latest patches) and everything works
> ok except the CA,
> 
> 
> 
> # ipa -d cert-find
> ipa: DEBUG: Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> ipa: DEBUG: Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> ipa: DEBUG: importing all plugin modules in
> ipaclient.remote_plugins.schema$af90c5da...
> ipa: DEBUG: importing plugin module
> ipaclient.remote_plugins.schema$af90c5da.plugins
> ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
> ipa: DEBUG: importing plugin module ipaclient.plugins.automember
> ipa: DEBUG: importing plugin module ipaclient.plugins.automount
> ipa: DEBUG: importing plugin module ipaclient.plugins.ca
> ipa: DEBUG: importing plugin module ipaclient.plugins.cert
> ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
> ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
> ipa: DEBUG: importing plugin module ipaclient.plugins.dns
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
> ipa: DEBUG: importing plugin module ipaclient.plugins.host
> ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
> ipa: DEBUG: importing plugin module ipaclient.plugins.internal
> ipa: DEBUG: importing plugin module ipaclient.plugins.location
> ipa: DEBUG: importing plugin module ipaclient.plugins.migration
> ipa: DEBUG: importing plugin module ipaclient.plugins.misc
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
> ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
> ipa: DEBUG: importing plugin module ipaclient.plugins.permission
> ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
> ipa: DEBUG: importing plugin module ipaclient.plugins.server
> ipa: DEBUG: importing plugin module ipaclient.plugins.service
> ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
> ipa: DEBUG: importing plugin module ipaclient.plugins.topology
> ipa: DEBUG: importing plugin module ipaclient.plugins.trust
> ipa: DEBUG: importing plugin module ipaclient.plugins.user
> ipa: DEBUG: importing plugin module ipaclient.plugins.vault
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '[email protected]', cookie:
> 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d;'
> ipa: DEBUG: trying https://kdc.l.example.org/ipa/session/json
> ipa: DEBUG: Created connection context.rpcclient_140261006164032
> ipa: DEBUG: raw: cert_find(None, version='2.243')
> ipa: DEBUG: cert_find(None, version='2.243')
> ipa: DEBUG: [try 1]: Forwarding 'cert_find/1' to json server
> 'https://kdc.l.example.org/ipa/session/json'
> ipa: DEBUG: New HTTP connection (kdc.l.example.org)
> ipa: DEBUG: Destroyed connection context.rpcclient_140261006164032
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Start tag expected, '<' not found, line 1, column 1)
> 
> In apache that is the error as well, in pki I see this:
> 
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> Searching for certificates
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> PKIService: Request class: CertSearchRequest
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> PKIService: Request format: application/xml
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> PKIService: XML request:
> <?xml version='1.0' encoding='UTF-8'?>
> <CertSearchRequest><serialNumberRangeInUse>true</serialNumberRangeInUse><subjectInUse>false</subjectInUse><matchExactly>false</matchExactly><revokedByInUse>false</revokedByInUse><revokedOnInUse>false</revokedOnInUse><revocationReasonInUse>false</revocationReasonInUse><issuedByInUse>false</issuedByInUse><issuedOnInUse>false</issuedOnInUse><validNotBeforeInUse>false</validNotBeforeInUse><validNotAfterInUse>false</validNotAfterInUse><validityLengthInUse>false</validityLengthInUse><certTypeInUse>false</certTypeInUse></CertSearchRequest>
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search
> filter: (certstatus=*)
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: filter: (certStatus=*)
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search
> results: 11
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: filter: (certStatus=*)
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=3,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=4,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=6,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=8,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=9,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=10,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> PKIService: Response format: application/json
> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
> PKIService: Response class: CertDataInfos
> 
> The xml request looks ok (valid xml).
> 
> Googling finds some bugs with mod_deflate, but turning it off breaks
> httpd. Any idea how to fix it??

What are your package versions of ipa-server and pki-ca?

The CA is trying to reduce its dependencies and one of them provides
responses over XML. So IPA needed to adjust and expect this. It looks
like the two sides are out-of-sync.

rob
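
Added example, not part of the original thread or of FreeIPA/Dogtag code: a small Python check that pairs the "PKIService: Request format" and "Response format" lines per worker thread in a PKI debug log and reports exchanges where they differ, which is the symptom visible in the log above (XML request, JSON response). The sample log is constructed from the quoted lines, unwrapped to one record per line; the function name and the pairing heuristic are assumptions.

```python
import re

# Constructed sample: PKI debug lines from the thread, unwrapped to one
# record per line and trimmed to the entries that matter here.
SAMPLE_LOG = """\
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request class: CertSearchRequest
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request format: application/xml
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search results: 11
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response format: application/json
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response class: CertDataInfos
"""

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<thread>[^\]]+)\] \w+: PKIService: "
    r"(?P<kind>Request|Response) (?P<field>format|class): (?P<value>\S+)$"
)

def find_format_mismatches(log_text):
    """Return exchanges whose request and response formats differ."""
    pending = {}       # worker thread -> exchange currently being assembled
    mismatches = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue   # not a PKIService format/class record
        thread, kind, field = m["thread"], m["kind"].lower(), m["field"]
        if kind == "request" and field == "class":
            # A new request on this thread starts a fresh exchange.
            pending[thread] = {"thread": thread, "ts": m["ts"]}
        ex = pending.setdefault(thread, {"thread": thread, "ts": m["ts"]})
        ex[f"{kind}_{field}"] = m["value"]
        if kind == "response" and field == "class":
            # Heuristic: "Response class" is the last record of an exchange.
            done = pending.pop(thread)
            req, resp = done.get("request_format"), done.get("response_format")
            if req and resp and req != resp:
                mismatches.append(done)
    return mismatches

if __name__ == "__main__":
    for ex in find_format_mismatches(SAMPLE_LOG):
        print(f"{ex['ts']} {ex['thread']}: {ex['request_class']} sent as "
              f"{ex['request_format']}, {ex['response_class']} returned as "
              f"{ex['response_format']}")
```

A hit from this check together with the client-side "Start tag expected, '<' not found" error points at the version skew described above, so the next step is comparing the installed ipa-server and pki-ca package versions.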