> Thank you very much!
>
> rm -rf /var/run/ipa/renewal.lock
>
> After that, it did go well, but the status changed to CA_UNREACHABLE. I repeated
> getcert resubmit -i for all expired IDs many times, but I still couldn't renew the
> certificate. Can you help analyze the reason? What else might I need to do?
>
> repeated getcert resubmit -i xx
>
> root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires'
> Request ID '20200509160847':
>         status: MONITORING
>         expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160848':
>         status: MONITORING
>         expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160849':
>         status: MONITORING
>         expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160850':
>         status: MONITORING
>         expires: 2040-05-09 16:08:22 UTC
> Request ID '20200509160851':
>         status: MONITORING
>         expires: 2022-04-29 16:08:44 UTC
> Request ID '20200509160852':
>         status: MONITORING
>         expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160914':
>         status: CA_UNREACHABLE
>         expires: 2022-05-10 16:09:13 UTC
> Request ID '20200509160938':
>         status: CA_UNREACHABLE
>         expires: 2022-05-10 16:09:38 UTC
>
> root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires|ca-error'
> Request ID '20200509160847':
>         status: MONITORING
>         expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160848':
>         status: MONITORING
>         expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160849':
>         status: MONITORING
>         expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160850':
>         status: MONITORING
>         expires: 2040-05-09 16:08:22 UTC
> Request ID '20200509160851':
>         status: MONITORING
>         expires: 2022-04-29 16:08:44 UTC
> Request ID '20200509160852':
>         status: MONITORING
>         expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160914':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
>         expires: 2022-05-10 16:09:13 UTC
> Request ID '20200509160938':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
>         expires: 2022-05-10 16:09:38 UTC
>
> root@ipa-test-65-199:/var/log/pki# date -R
> Thu, 28 Apr 2022 00:16:51 +0800
I tried these commands and restarted certmonger. Strangely enough, the HTTP/LDAP certificates were renewed successfully, but the PKI-Tomcat certificates were not renewed. I executed getcert request -i ID several times, but the certificate dates are still not renewed.

https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/

certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t ,,
certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t CT,C,C

curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.12.65.199...
* Connected to ipa-test-65-199.hiido.host.yydevops.com (10.12.65.199) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 700 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: ipa-test-65-199.hiido.host.yydevops.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: O=YYDEVOPS.COM,CN=ipa-test-65-199.hiido.host.yydevops.com
*        start date: Sat, 09 May 2020 16:08:23 GMT
*        expire date: Fri, 29 Apr 2022 16:08:23 GMT
*        issuer: O=YYDEVOPS.COM,CN=Certificate Authority
*        compression: NULL
* ALPN, server did not agree to a protocol
> GET /ca/agent/ca/profileReview HTTP/1.1
> Host: ipa-test-65-199.hiido.host.yydevops.com:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
* gnutls_handshake() failed: Illegal parameter
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter

root@ipa-test-65-199:/home/liangrui# getcert list |egrep 'Request|status|expires|ca-error|certificate'
Number of certificates and requests being tracked: 8.
Request ID '20200509160847':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160848':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160849':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160850':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160851':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:44 UTC
Request ID '20200509160852':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160914':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2024-04-27 17:12:04 UTC
Request ID '20200509160938':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2024-04-27 17:12:12 UTC

I don't know where to start; how should I deal with this?
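An added example, not from this thread or from FreeIPA/certmonger itself: a small POSIX shell/awk helper that triages getcert list output like the listings above, flagging requests stuck in a non-MONITORING state (such as CA_UNREACHABLE, with the ca-error text) and certificates that expire before a cutoff. The sample output is constructed in certmonger's format with a placeholder host and realm.

```shell
# Added example (not from the thread): triage `getcert list` output.
# getcert_report CUTOFF reads that output on stdin and prints one line per
# request: "<ID> <STATE> <nickname> <expires> [ca-error]", STATE = ERROR if
# status != MONITORING, EXPIRING if expires <= CUTOFF ("YYYY-MM-DD HH:MM:SS"
# sorts lexically, so a plain string compare works), else OK.
getcert_report() {
    awk -v cutoff="$1" -v q="'" '
    function flush() {
        if (id == "") return
        state = "OK"
        if (status != "MONITORING") state = "ERROR"
        else if (expires <= cutoff) state = "EXPIRING"
        line = id " " state " " nick " " expires
        if (caerr != "") line = line " " caerr
        print line
        id = ""; status = ""; nick = ""; expires = ""; caerr = ""
    }
    /^Request ID/ { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
    /^[ \t]*status:/   { status = $2; next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0; next }
    /^[ \t]*certificate:/ {
        if (match($0, "nickname=" q "[^" q "]*" q))
            nick = substr($0, RSTART + 10, RLENGTH - 11)
        next
    }
    /^[ \t]*expires:/  { expires = $2 " " $3; next }
    END { flush() }'
}
# Constructed sample in certmonger's format (placeholder host and realm).
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200509160850':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160851':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2022-04-29 16:08:44 UTC
Request ID '20200509160914':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (500)).
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2022-05-10 16:09:13 UTC
EOF
}
# On a real server (GNU date): getcert list | getcert_report "$(date -u -d '+30 days' '+%F %T')"
sample_getcert | getcert_report "2022-05-28 00:00:00"
```

Anything reported as ERROR needs the CA itself fixed before resubmitting; EXPIRING entries that stay that way after the CA is reachable again are the ones to resubmit.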
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
