lejeczek via FreeIPA-users wrote:
On 14/09/2021 15:11, lejeczek via FreeIPA-users wrote:
>
>
> On 14/09/2021 14:13, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> Hi guys.
>>>
>>> I get:
>>>
>>> -> $ ipa host-del c8kubernode1.private.lot
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (403)
>>>
>>> -> $ ipa cert-show 1
>>> ipa: ERROR: Certificate operation cannot be completed: Request failed
>>> with status 403: Non-2xx response from CA REST API: 403. (403)
>>>
>>> I searched mailing list and what I found about certs being out or in
>>> sync I checked, I verified but it's still possible I missed something
>>> there.
>> You checked and verified what?
> on renewing master:
> -> $ getcert list | grep status # all are MONITORING
> But I think I missed it first time.
> md5s of:
> userCertificate:: from
> -> $ ldapsearch -D cn=directory\ manager -b
> uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
> and
> -> $ cat /var/lib/ipa/ra-agent.pem | grep -v '\-\-' |
> _my._sed-joinLines.sh
> are different which, if I get it right, means that those are different
> certificates, right?
> And if yes then how to know which one is the right one?
>
> thanks, L.
You mentioned you did this on the renewal server. Is this the same
server that is throwing the 403?
But then when I do 'openssl x509 -noout -text -in' on what is in ldap
then that & '/var/lib/ipa/ra-agent.pem' then it seems to be the same one
certificate.
I'm about to get really confused... :) (..so md5s do not work on pem
files?)
PEM files are just ASCII text.
rob
>>
>>> I also see this: https://access.redhat.com/solutions/3624671 - which I
>>> thought was a bit dated issue thus I want to ask:
>>> Should that be in ipa-server-4.9.6-4 ? because my
>>> '/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks
>>> "^/ca/rest/account/login...
>> It's unfortunate that the article says it applies to 4.X which is quite
>> a broad reach.
>>
>> The matching expression was greatly simplified. I don't believe this is
>> related.
>>
>> rob
>>
>>> many thanks, L
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>
>>> Do not reply to spam on the list, report it:
>>> https://pagure.io/fedora-infrastructure
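The comparison discussed in this thread, as an added example (not part of the original messages and not FreeIPA code): hashing the base64 text from the LDAP `userCertificate::` value and from the PEM file also hashes line wrapping, header lines and newlines, so this decodes both to DER and compares fingerprints of those bytes. The function names and sample data are constructed for illustration, and the placeholder bytes are not a real certificate.

```python
import base64
import hashlib
import re

def ders_from_ldif(ldif):
    """DER bytes of every userCertificate:: value in ldapsearch LDIF output."""
    # Undo LDIF folding (a leading space continues the previous line), so this
    # works with or without '-o ldif-wrap=no'.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    values = re.findall(r"^userCertificate(?:;binary)?::[ \t]*(\S+)", unfolded, re.M | re.I)
    return [base64.b64decode(v) for v in values]

def der_from_pem(pem):
    """DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def pem_cert_in_entry(pem, ldif):
    """True if the PEM certificate equals one of the entry's userCertificate values."""
    want = sha256_hex(der_from_pem(pem))
    return any(sha256_hex(der) == want for der in ders_from_ldif(ldif))

# Constructed sample data: 600 placeholder bytes stand in for a certificate's
# DER encoding (not a real certificate), rendered in both text forms.
SAMPLE_DER = bytes(range(256)) * 2 + bytes(88)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = "dn: uid=ipara,ou=people,o=ipaca\nuserCertificate:: " + SAMPLE_B64 + "\n"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Hashing the text compares wrapping, headers and newlines too.
    print("text hashes equal:",
          sha256_hex(SAMPLE_LDIF.encode()) == sha256_hex(SAMPLE_PEM.encode()))
    # Hashing the decoded bytes compares the certificates themselves.
    print("DER fingerprints match:", pem_cert_in_entry(SAMPLE_PEM, SAMPLE_LDIF))
```

An LDAP entry can carry more than one `userCertificate` value, which is why the check is membership rather than equality with a single value.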