Hi,
I'm having an issue where I can't remove a host due to the error:
"Operation Error
Some entries were not deleted
Show details:
- Certificate operation cannot be completed: Unable to communicate with CMS
(403)"
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20210401150403':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=IPA RA
expires: 2023-03-22 16:04:03 WET
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20210401150418':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=CA Audit
expires: 2023-03-22 16:03:31 WET
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210401150419':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=OCSP Subsystem
expires: 2023-03-22 16:03:28 WET
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210401150420':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=CA Subsystem
expires: 2023-03-22 16:03:30 WET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210401150421':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=Certificate Authority
expires: 2041-04-01 16:03:26 WEST
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210401150422':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority
subject: CN=idm.domain.io
expires: 2023-03-22 16:03:29 WET
dns: idm.domain.io
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210401150440':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-IO',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-IO/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-IO',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority
subject: CN=idm.domain.io
expires: 2023-04-02 16:04:42 WEST
dns: idm.domain.io
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-IO
track: yes
auto-renew: yes
Request ID '20210401150509':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/idm.domain.io-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority
subject: CN=idm.domain.io
expires: 2023-04-02 16:05:09 WEST
dns: idm.domain.io,ipa-ca.domain.io
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20210401150519':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority
subject: CN=idm.domain.io
expires: 2023-04-02 16:05:20 WEST
principal name: krbtgt/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
pki-tomcat doesn't fail to start; however, I get the following errors:
-- Subject: Unit [email protected] has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit [email protected] has begun starting up.
Feb 02 15:22:15 idm.domain.io server[8216]: Java virtual machine used:
/usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Feb 02 15:22:15 idm.domain.io server[8216]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-laun>
Feb 02 15:22:15 idm.domain.io server[8216]: main class used:
org.apache.catalina.startup.Bootstrap
Feb 02 15:22:15 idm.domain.io server[8216]: flags used: -Dcom.redhat.fips=false
Feb 02 15:22:15 idm.domain.io server[8216]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pk>
Feb 02 15:22:15 idm.domain.io server[8216]: arguments used: start
Feb 02 15:22:16 idm.domain.io ipa-pki-wait-running[8217]: pki.client:
/usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in
PKIConnection.__init__() has been deprecated (https:/>
Feb 02 15:22:16 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Created connection http://idm.domain.io:8080/ca
Feb 02 15:22:16 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Max
retries exceeded with url: />
Feb 02 15:22:17 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Max
retries exceeded with url: />
Feb 02 15:22:18 idm.domain.io server[8216]: WARNING: Some of the specified
[protocols] are not supported by the SSL engine and have been skipped: [[TLSv1,
TLSv1.1]]
Feb 02 15:22:19 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:21 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:23 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:25 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:27 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:29 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Connection failed: HTTPConnectionPool(host='idm.domain.io', port=8080): Read
timed out. (read timeout=1.>
Feb 02 15:22:31 idm.domain.io ipa-pki-wait-running[8217]: ipa-pki-wait-running:
Success, subsystem ca is running!
Feb 02 15:22:31 idm.domain.io systemd[1]: Started PKI Tomcat Server pki-tomcat.
-- Subject: Unit [email protected] has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit [email protected] has finished starting up.
--
-- The start-up result is done.
I have followed this solution as well, but it didn't make any difference.
https://access.redhat.com/solutions/4796941
IPA doesn't fail, all services are running, I simply can't do any operations
that involve the CMS. Any help appreciated, thank you.
Ricardo M.
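The post pastes the whole `getcert list` output to show that every tracked certificate, the IPA RA agent certificate included, is still MONITORING and not expired. The script below is an added example, not code from the post or from FreeIPA, that does that check systematically: it parses the `getcert list` layout (re-joining values that a mail client wrapped across lines, as happened in the post), flags requests that are stuck or no longer MONITORING, lists certificates close to expiry, and picks out the RA agent certificate, which the IPA framework presents to Dogtag. `SAMPLE` is a constructed, abridged excerpt with placeholder names; the CA_UNREACHABLE entry in it is made up to exercise the check. Time-zone abbreviations such as WET/WEST are dropped when parsing expiry dates, so day counts assume one local zone.

```python
"""Summarise certmonger `getcert list` output (added example, not FreeIPA code).

Parses the layout shown in the post, including line breaks a mail client
inserts mid-value, and reports certificates that are close to expiry or are
no longer MONITORING. SAMPLE is a constructed, abridged excerpt with placeholders.
"""
import re
import sys
from datetime import datetime

REQUEST_RE = re.compile(r"^Request ID '(\d+)':$")
# "name: value", or a bare "name:" whose value continues on the next line.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):(?: (.*))?$")

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20210401150403':
status: MONITORING
stuck: no
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
subject: CN=IPA RA
expires: 2023-03-22 16:04:03 WET
Request ID '20210401150418':
status: MONITORING
stuck: no
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
subject: CN=CA Audit
expires: 2023-03-22 16:03:31 WET
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
Request ID '20210401150999':
status: CA_UNREACHABLE
stuck: yes
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
subject: CN=idm.example.test
expires: 2023-04-02 16:05:20 WEST
"""


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block; wrapped values are re-joined."""
    certs, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            certs.append(current)
            last = None
            continue
        if current is None:          # header line before the first request
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            current[last] = (m.group(2) or "").strip()
        elif last is not None:       # continuation of a value wrapped by the mailer
            current[last] = (current[last] + " " + line).strip()
    return certs


def parse_expires(value):
    # e.g. "2023-03-22 16:04:03 WET": the zone abbreviation is dropped, so the
    # result is a naive timestamp (assumes one local zone throughout).
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")


def expiring_within(certs, now, days):
    """(request_id, subject, days_left) for certs expiring within `days` of now."""
    if isinstance(now, str):
        now = parse_expires(now)
    out = []
    for c in certs:
        if "expires" in c:
            left = (parse_expires(c["expires"]) - now).days
            if left <= days:
                out.append((c["request_id"], c.get("subject", "?"), left))
    return sorted(out, key=lambda t: (t[2], t[0]))


def needs_attention(certs):
    """Requests that are stuck or not in the steady MONITORING state."""
    return [c["request_id"] for c in certs
            if c.get("status") != "MONITORING" or c.get("stuck") == "yes"]


def ra_agent_cert(certs):
    """The IPA RA agent certificate, which IPA presents to Dogtag."""
    return next((c for c in certs if "ra-agent.pem" in c.get("certificate", "")), None)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    certs = parse_getcert_list(text)
    for rid in needs_attention(certs):
        print(f"needs attention: request {rid}")
    for rid, subject, left in expiring_within(certs, datetime.now(), 30):
        print(f"{left:4d} days left: {subject} (request {rid})")
```

Run it as `getcert list | python3 getcert_report.py` on the IPA server to get the report for the real tracking database; run it without a pipe to see the constructed sample. A clean report (nothing needing attention, nothing close to expiry, and an RA agent entry present) rules out certmonger tracking state as the cause, which is the situation the post describes.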
_______________________________________________
FreeIPA-users mailing list -- [email protected]