Corey Devenport via FreeIPA-users wrote:
> Setup:
> Cluster of 3 FreeIPA Masters with one as the CA Renewal Master
> ipa version 4.8.4
> Problem:
> One of our certs for one of our servers recently expired, but it was supposed to
> auto-renew. Looking into the issue I found that I couldn't access any certs via CLI
> or the webUI. When trying to do either, I get the following error:
> IPA Error 4301: CertificateOperationError
> Certificate operation cannot be completed: Unable to communicate with CMS (403)
> After doing some research it seems the issue may be with the IPA RA, though I found a
> userCertificate in the LDAP that was issued the same day as the one being used by the ipa
> server (it had the userCertificate being used by the ipa server as well as another
> userCertificate; both have the same dates but different certificates). Changing the
> ra-agent.pem did not seem to solve any problems.
> Looking in /var/log/pki/pki-tomcat/ca/debug I found the following errors:
> WARNING: CertProcessor: No authenticator credentials required
> SEVERE: AgentCertAuthentication: No SSL Client Certs Found
> SEVERE: CAProcessor: authentication error: Invalid Credential.
> I'm a little lost and not sure what to do next; any help would be greatly
> appreciated.
The CA is a servlet that runs in tomcat and a 403 suggests it isn't
running. Most likely because its subsystem certificates have expired.
This should provide details on the status of the certificates.
# getcert list
I'd also figure out which server is supposed to be doing the renewal:
$ ipa config-show |grep renew
Based on that we can make a plan forward.
rob
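Added example, not code from either poster nor from the FreeIPA or certmonger projects: a small script that parses the text `getcert list` prints and flags tracking entries that cannot be relied on to auto-renew (already expired, not in MONITORING state, or marked stuck). It assumes certmonger's usual layout of one unindented "Request ID '...':" line followed by tab-indented "field: value" lines with "expires:" given as "YYYY-MM-DD HH:MM:SS UTC". The sample output embedded below is constructed (the subjects, realm and request IDs are made up) and is not taken from the original poster's system; check_live_system() is the only part that touches a real host and needs root.

```python
"""Flag certmonger tracking entries that need attention before chasing a 403 from the CA.

Added example for the FreeIPA-users thread above; SAMPLE is constructed test data.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `getcert list` output: one healthy entry and one entry
# for the RA agent cert that is expired, stuck, and cannot reach the CA.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20200310120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2031-03-10 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200310120100':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2022-03-10 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names certmonger prints."""
    entries = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the "Number of certificates ..." header, or an unexpected line
        key, value = line.strip().split(":", 1)  # split on the first colon only: "expires" values contain colons
        current[key.strip()] = value.strip()
    return entries


def parse_expiry(value):
    """Turn certmonger's '2031-03-10 12:00:00 UTC' into an aware datetime."""
    stamp = value.rsplit(" ", 1)[0]  # drop the trailing "UTC"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_unhealthy(entries, now=None):
    """Return (request_id, subject, reasons) for entries that are expired, stuck, or not MONITORING.

    `now` may be a string in certmonger's timestamp format (handy for tests) or None for the wall clock.
    """
    now = parse_expiry(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    for e in entries:
        reasons = []
        if e.get("status") != "MONITORING":
            reasons.append(f"status={e.get('status')}")
        if e.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in e and parse_expiry(e["expires"]) <= now:
            reasons.append(f"expired {e['expires']}")
        if reasons:
            problems.append((e["request_id"], e.get("subject", "?"), "; ".join(reasons)))
    return problems


def check_live_system():
    """Run `getcert list` on the local IPA master (root required) and report problem entries."""
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    return find_unhealthy(parse_getcert_list(out))


if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the output is reproducible.
    for rid, subject, why in find_unhealthy(parse_getcert_list(SAMPLE), now="2023-01-01 00:00:00 UTC"):
        print(f"{rid} {subject}: {why}")
```

Run it on each master, not just the renewal master: an entry that is expired or stuck on a replica while MONITORING on the renewal master points at the replica-side copy (for the RA agent, the file under /var/lib/ipa) rather than at the CA itself.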