Ricardo Mendes via FreeIPA-users wrote:
> Hi,
>
> I'm having an issue where I can't remove a host due to the error:
> "Operation Error
> Some entries were not deleted
>
> Show details:
> - Certificate operation cannot be completed: Unable to communicate with CMS
> (403)"
>
> getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20210401150403':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=IPA RA
> expires: 2023-03-22 16:04:03 WET
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-clientAuth
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20210401150418':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=CA Audit
> expires: 2023-03-22 16:03:31 WET
> key usage: digitalSignature,nonRepudiation
> profile: caSignedLogCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20210401150419':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=OCSP Subsystem
> expires: 2023-03-22 16:03:28 WET
> eku: id-kp-OCSPSigning
> profile: caOCSPCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20210401150420':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=CA Subsystem
> expires: 2023-03-22 16:03:30 WET
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-clientAuth
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20210401150421':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=Certificate Authority
> expires: 2041-04-01 16:03:26 WEST
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> profile: caCACert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20210401150422':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority
> subject: CN=idm.domain.io
> expires: 2023-03-22 16:03:29 WET
> dns: idm.domain.io
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth
> profile: caServerCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20210401150440':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-IO',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-IO/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-IO',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority
> subject: CN=idm.domain.io
> expires: 2023-04-02 16:04:42 WEST
> dns: idm.domain.io
> principal name: ldap/[email protected]
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-IO
> track: yes
> auto-renew: yes
> Request ID '20210401150509':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/idm.domain.io-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority
> subject: CN=idm.domain.io
> expires: 2023-04-02 16:05:09 WEST
> dns: idm.domain.io,ipa-ca.domain.io
> principal name: HTTP/[email protected]
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20210401150519':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority
> subject: CN=idm.domain.io
> expires: 2023-04-02 16:05:20 WEST
> principal name: krbtgt/[email protected]
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> profile: KDCs_PKINIT_Certs
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
>
> ski-tomcat doesn't fail to start, however I get the following errors:
> -- Subject: Unit [email protected] has begun start-up
> -- Defined-By: systemd
> -- Support: https://access.redhat.com/support
>

You don't mention what version of IPA you have, or what distribution.

Given the 403 I'd start with this thread:

https://lists.fedoraproject.org/archives/list/[email protected]/thread/NZLD5WHI4GCM2B437WPPD4HIHSCJT45F/#WQI6H5FVVC7CJ3GHDLBYJJAQJYHWGW3V

The connection failure during startup is likely a red herring as it is just a loop waiting for the CA to have fully started, which it does.

rob
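
A triage sketch for `getcert list` output like that quoted above, added here as an example and not part of the original thread or of FreeIPA's tooling. It flags any request that is not MONITORING, is stuck, or expires soon; the function names, the 28-day threshold and the second sample request are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in `getcert list` layout: the first request copies a few
# fields from the thread, the second is invented to show a failing entry.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20210401150403':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=IPA RA
\texpires: 2023-03-22 16:04:03 WET
Request ID '00000000000000':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tsubject: CN=example.test
\texpires: 2021-06-01 00:00:00 WET
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(requests, now, warn_days=28):
    """Return (request id, reason) for entries that need attention."""
    findings = []
    for r in requests:
        if r.get("status") != "MONITORING":
            findings.append((r["id"], "status " + r.get("status", "?")))
        elif r.get("stuck") != "no":
            findings.append((r["id"], "stuck"))
        elif "expires" not in r:
            findings.append((r["id"], "no certificate issued"))
        else:
            # Drop the zone abbreviation (WET/WEST): strptime does not parse
            # it reliably and an hour is irrelevant at day granularity.
            stamp = r["expires"].rsplit(" ", 1)[0]
            expires = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            if expires - now < timedelta(days=warn_days):
                findings.append((r["id"], "expires " + r["expires"]))
    return findings
```

An empty result from `triage(parse_getcert(output), datetime.now())` means certmonger reports every tracked certificate as healthy, so a 403 from the CA has to be investigated elsewhere.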
