Bret Wortman wrote:
> Digging still deeper:
>
> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
>
> Looks like this is an HTTP error; so is it possible that my IPA thinks
> it has a CA but there's no CMS available?

Apache proxies requests to the CA so there could be a mismatch I suppose.
I'd ensure that the pki processes are running on the box for starters and
then dig into the CA debug log for more details.

rob

>
>
> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>
>> Using the firefox debugger, I get these errors when trying to pop up
>> the New Certificate dialog:
>>
>> Empty string passed to getElementById(). (5)
>> jquery.js:4:1060
>> TypeError: u is undefined
>> app.js:1:362059
>> Empty string passed to getElementById(). (5)
>> jquery.js:4:1060
>> TypeError: t is undefined
>> app.js:1:217432
>>
>> I'm definitely not a web kind of guy so I'm not sure if this is
>> helpful or not. This is on 4.4.0, API Version 2.213.
>>
>>
>> Bret
>>
>>
>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>
>>> Good news. One of my servers _does_ have CA installed. So why does
>>> "Action -> New Certificate" not do anything on this or any other server?
>>>
>>>
>>> Bret
>>>
>>>
>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>
>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>> past month or so.
>>>>
>>>> Today, someone came and asked me to generate a new certificate for
>>>> their web server. All was good until I went to the IPA UI and tried
>>>> to perform Actions->New Certificate, which did nothing. I tried each
>>>> of our 3 servers in turn. All came back with no popup window and no
>>>> error, either.
>>>>
>>>> I suspect the problem might be that we no longer have a CA server
>>>> due to the method I used to upgrade the servers. I likely missed a
>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>> the CA.
>>>>
>>>> What's my best hope of recovery? I never ran this before, so I'm not
>>>> sure if this shows that I'm missing a CA or not:
>>>>
>>>> # ipa ca-find
>>>> ------------
>>>> 1 CA matched
>>>> ------------
>>>> Name: ipa
>>>> Description IPA CA
>>>> Authority ID: 3ce3346[...]
>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>> O=DAMASCUSGRP.COM"
>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>> # klist
>>>> Ticket cache: KEYRING:persistent:0:0
>>>> Default principal: [email protected]
>>>>
>>>> Valid starting Expires Service principal
>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>> krbtgt/[email protected]
>>>> #
>>>>
>>>>
>>>> What's my best path of recovery?
>>>>
>>>> --
>>>> *Bret Wortman*
>>>> The Damascus Group
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
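The first check suggested in the reply above (are the pki processes running on this box), as an added example that is not part of the original thread: it classifies `ipactl status` output and, when the CA is stopped, shows the service status and the tail of the CA debug log. The `pki-tomcatd@pki-tomcat` unit name and the `/var/log/pki/pki-tomcat/ca/debug` path are assumed defaults for this kind of install, and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example. Sample outputs below are constructed, not taken from the thread.

# Classify the CA on this server from `ipactl status` output read on stdin:
#   running - pki-tomcatd is listed and RUNNING
#   stopped - pki-tomcatd is listed but not RUNNING
#   absent  - no pki-tomcatd line, so ipactl manages no CA on this host
ca_state() {
    awk -F': *' '
        $1 == "pki-tomcatd Service" { seen = 1; state = $2 }
        END { print (!seen ? "absent" : (state == "RUNNING" ? "running" : "stopped")) }'
}

# Run on a live IPA server as root. Unit name and log path are assumed defaults.
triage() {
    state=$(ipactl status 2>/dev/null | ca_state)
    echo "CA state on $(hostname): $state"
    if [ "$state" = "stopped" ]; then
        # Why the CA backend is down, then the most recent CA debug entries.
        systemctl status pki-tomcatd@pki-tomcat.service --no-pager
        tail -n 50 /var/log/pki/pki-tomcat/ca/debug
    fi
}

# Constructed `ipactl status` outputs for the three cases.
SAMPLE_RUNNING='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'

SAMPLE_STOPPED='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'

SAMPLE_NO_CA='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'
```

Calling `triage` on each of the three servers shows which one actually hosts a CA and whether its backend is up; `absent` on a server means certificate requests sent there depend on another server's CA.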
