On 14/09/2021 20:00, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>>
>> On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote:
>>>
>>> On 14/09/2021 14:13, Rob Crittenden wrote:
>>>> lejeczek via FreeIPA-users wrote:
>>>>> Hi guys.
>>>>>
>>>>> I get:
>>>>>
>>>>> -> $ ipa host-del c8kubernode1.private.lot
>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>> communicate with CMS (403)
>>>>>
>>>>> -> $ ipa cert-show 1
>>>>> ipa: ERROR: Certificate operation cannot be completed: Request failed
>>>>> with status 403: Non-2xx response from CA REST API: 403. (403)
>>>>>
>>>>> I searched the mailing list and what I found about certs being out of or in
>>>>> sync I checked, I verified, but it's still possible I missed something
>>>>> there.
>>>> You checked and verified what?
>>> on renewing master:
>>> -> $ getcert list | grep status # all are MONITORING
>>> But I think I missed it the first time.
>>> md5s of:
>>> userCertificate:: from
>>> -> $ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
>>> and
>>> -> $ cat c | grep -v '\-\-' | _my._sed-joinLines.sh
>>> are different which, if I get it right, means that those are different
>>> certificates, right?
>>> And if yes then how to know which one is the right one?
>>>
>>> thanks, L.
> You mentioned you did this on the renewal server. Is this the same
> server that is throwing the 403?
Yes, it's a primitive two-master setup; both masters fail
with 'Unable to communicate with CMS (403)'.
So I presume ultimate is what I get from:
putting what I get from
$ ldapsearch -D cn=directory\ manager -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
into a file and fixing it with begin/end in order to have it
as a .pem, then I do 'openssl' on such a .pem file.
Then what I get from
$ openssl x509 -noout -text -in openssl x509 -noout -text -in
Then I 'diff' the two 'openssl' outputs - if this is how to
ultimately tell, then - it's the same cert, meaning 'diff'
sees no difference.
All this I have done on only the renewal master, as of yet.
many thanks, L.
>> But then when I do 'openssl x509 -noout -text -in' on what is in ldap
>> then that & '/var/lib/ipa/ra-agent.pem' then it seems to be the same one
>> certificate.
>> I'm about to get really confused... :) (..so md5s do not work on pem
>> files?)
> PEM files are just ASCII text.
> rob
>>>>> I also see this: https://access.redhat.com/solutions/3624671 - which I
>>>>> thought was a bit dated issue thus I want to ask:
>>>>> Should that be in ipa-server-4.9.6-4 ? because my
>>>>> '/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
>>>>> "^/ca/rest/account/login...
>>>> It's unfortunate that the article says it applies to 4.X which is quite
>>>> a broad reach.
>>>>
>>>> The matching expression was greatly simplified. I don't believe this is
>>>> related.
>>>>
>>>> rob
>>>>
>>>>> many thanks, L
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>
>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
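The check the thread is circling, done the robust way: since a PEM file is just text (Rob's point), an md5 of the file compares line wrapping and armour lines, so the certificate in LDAP and the one in ra-agent.pem should be compared by fingerprinting their decoded DER bytes. This is an added example, not code from the thread or from FreeIPA; it assumes GNU coreutils (base64 -d, sha256sum, fold), the certificate bytes are a constructed stand-in, and the real-server commands in the trailing comment reuse the thread's own ldapsearch with an assumed `-W`.

```shell
#!/bin/sh
# Compare a certificate held in LDAP (userCertificate, one unwrapped base64
# line with -o ldif-wrap=no) against a PEM file by fingerprinting the decoded
# DER bytes.  An md5 of the files compares line wrapping and armour lines,
# not the certificate.  Assumes GNU coreutils (base64 -d, sha256sum, fold).
set -eu
# Constructed stand-in for DER certificate bytes (NOT a real certificate),
# long enough that PEM wraps it over several 64-column lines.
der_b64=$(printf 'constructed DER stand-in, not a real certificate. %.0s' 1 2 3 4 \
          | base64 | tr -d '\n')

# Constructed LDIF, shaped like `ldapsearch -LLL -o ldif-wrap=no` output.
ldif_sample="dn: uid=ipara,ou=people,o=ipaca
uid: ipara
userCertificate;binary:: ${der_b64}
"
# Constructed PEM, shaped like /var/lib/ipa/ra-agent.pem (64-column lines).
pem_sample="-----BEGIN CERTIFICATE-----
$(printf '%s' "$der_b64" | fold -w 64)
-----END CERTIFICATE-----
"
# A second, different constructed certificate in LDIF form, for contrast.
other_ldif="userCertificate;binary:: $(printf 'other constructed bytes' | base64)
"

# SHA-256 of the DER in the userCertificate attribute of LDIF text on stdin
# (matches both "userCertificate::" and "userCertificate;binary::").
ldif_fingerprint() {
  sed -n 's/^userCertificate[^:]*:: //p' | base64 -d | sha256sum | cut -d' ' -f1
}

# SHA-256 of the DER inside a PEM certificate on stdin: drop the armour lines,
# re-join the wrapped base64, decode.  This is the digest that
# `openssl x509 -noout -fingerprint -sha256` reports, minus the colons.
pem_fingerprint() {
  sed '/^-----/d' | tr -d '\n\r ' | base64 -d | sha256sum | cut -d' ' -f1
}

# md5 of the raw text, as in the thread: differs even for the same certificate.
text_md5() { md5sum | cut -d' ' -f1; }
# Exit 0 when the LDIF certificate and the PEM certificate are the same DER.
same_cert() {
  [ "$(printf '%s' "$1" | ldif_fingerprint)" = "$(printf '%s' "$2" | pem_fingerprint)" ]
}

# On a real server the inputs would be
#   ldapsearch -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca \
#     -LLL -o ldif-wrap=no userCertificate | ldif_fingerprint
#   pem_fingerprint < /var/lib/ipa/ra-agent.pem
```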