On 14/09/2021 20:00, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:

On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote:

On 14/09/2021 14:13, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
Hi guys.

I get:

-> $ ipa host-del c8kubernode1.private.lot
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (403)

-> $ ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Request failed
with status 403: Non-2xx response from CA REST API: 403. (403)

I searched the mailing list, and what I found about certs being out of or in
sync I checked and verified, but it's still possible I missed something
there.
You checked and verified what?
on renewing master:
-> $ getcert list | grep status # all are MONITORING
But I think I missed it first time.
md5s of:
userCertificate:: from
-> $ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
and
-> $ cat c | grep -v '\-\-' | _my._sed-joinLines.sh
are different which, if I get it right, means that those are different
certificates, right?
And if yes then how to know which one is the right one?

thanks, L.
You mentioned you did this on the renewal server. Is this the same
server that is throwing the 403?
Yes, it's a primitive two-master setup, both masters fail with 'Unable to communicate with CMS (403)'
So I presume the ultimate check is what I get from:
putting the output of
$ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no into a file and fixing it with begin/end lines in order to have it as a .pem, then running 'openssl' on that .pem file.
then what I get from
$ openssl x509 -noout -text -in openssl x509 -noout -text -in
Then I 'diff' the two 'openssl' outputs - if this is how to ultimately tell, then it's the same cert, meaning 'diff' sees no difference.
All this I have done only on the renewal master, as of yet.

many thanks, L.
But then when I do 'openssl x509 -noout -text -in' on what is in LDAP
and on '/var/lib/ipa/ra-agent.pem', it seems to be the same one
certificate.
I'm about to get really confused... :) (..so md5s do not work on pem
files?)
PEM files are just ASCII text.

rob

I also see this: https://access.redhat.com/solutions/3624671 - which I
thought was a somewhat dated issue, thus I want to ask:
Should that be in ipa-server-4.9.6-4? Because my
'/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
"^/ca/rest/account/login...
It's unfortunate that the article says it applies to 4.X which is quite
a broad reach.

The matching expression was greatly simplified. I don't believe this is
related.

rob

many thanks, L
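Added example, not from anyone in the thread: the check the poster is after (is the userCertificate stored for uid=ipara,ou=people,o=ipaca the same certificate as /var/lib/ipa/ra-agent.pem?) is reliable only after both representations are decoded to DER, which is what "PEM files are just ASCII text" comes down to; an md5 over the text changes with line wrapping alone. The DER bytes below are a constructed placeholder rather than a real certificate, and the LDIF folding follows the default 76-column wrap that `-o ldif-wrap=no` turns off.

```python
import base64
import hashlib
import re

# Constructed stand-in for DER certificate bytes (not a real certificate).
FAKE_DER = bytes(range(256)) * 3


def to_pem(der: bytes) -> str:
    """Render DER as a PEM block, 64 base64 characters per line, as openssl writes it."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def to_ldif(der: bytes) -> str:
    """Render DER as an LDIF userCertificate attribute, folded at 76 columns with a
    leading space on continuation lines (what ldapsearch does without -o ldif-wrap=no)."""
    line = "userCertificate;binary:: " + base64.b64encode(der).decode()
    rest = line[76:]
    folded = [line[:76]] + [" " + rest[i:i + 75] for i in range(0, len(rest), 75)]
    return "\n".join(folded) + "\n"


def der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block in a PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(ldif: str, attr: str = "userCertificate") -> bytes:
    """Unfold LDIF continuation lines, then decode the base64 (::) value of attr."""
    unfolded = re.sub(r"\n ", "", ldif)          # "\n " joins a folded line
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":: ")
        if sep and name.split(";")[0].lower() == attr.lower():   # ignore ;binary option
            return base64.b64decode(value.strip())
    raise ValueError(f"{attr} not found in LDIF")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, the value to compare across sources."""
    return hashlib.sha256(der).hexdigest()


def text_md5(text: str) -> str:
    """md5 of the textual encoding; differs between PEM and LDIF for the same cert."""
    return hashlib.md5(text.encode()).hexdigest()


def same_certificate(pem: str, ldif: str) -> bool:
    """True when the PEM file and the LDIF attribute carry identical DER bytes."""
    return fingerprint(der_from_pem(pem)) == fingerprint(der_from_ldif(ldif))
```

On a real server the inputs would be `cat /var/lib/ipa/ra-agent.pem` and the ldapsearch output from the thread; `openssl x509 -noout -fingerprint -sha256 -in <file>` gives the same comparison from the command line.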
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure