Hi,
I have a lab test with Fedora 34 (latest patches) and everything works
ok except the CA,
# ipa -d cert-find
ipa: DEBUG: Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: importing all plugin modules in
ipaclient.remote_plugins.schema$af90c5da...
ipa: DEBUG: importing plugin module
ipaclient.remote_plugins.schema$af90c5da.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal
'admin@L.EXAMPLE.ORG', cookie:
'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d'
ipa: DEBUG: setting session_cookie into context
'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d;'
ipa: DEBUG: trying
https://kdc.l.example.org/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140261006164032
ipa: DEBUG: raw: cert_find(None, version='2.243')
ipa: DEBUG: cert_find(None, version='2.243')
ipa: DEBUG: [try 1]: Forwarding 'cert_find/1' to json server
'https://kdc.l.example.org/ipa/session/json'
ipa: DEBUG: New HTTP connection (kdc.l.example.org)
ipa: DEBUG: Destroyed connection context.rpcclient_140261006164032
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Start tag expected, '<' not found, line 1, column 1)
In Apache that is the error as well; in pki I see this:
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
Searching for certificates
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
PKIService: Request class: CertSearchRequest
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
PKIService: Request format: application/xml
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
PKIService: XML request:
<?xml version='1.0' encoding='UTF-8'?>
<CertSearchRequest><serialNumberRangeInUse>true</serialNumberRangeInUse><subjectInUse>false</subjectInUse><matchExactly>false</matchExactly><revokedByInUse>false</revokedByInUse><revokedOnInUse>false</revokedOnInUse><revocationReasonInUse>false</revocationReasonInUse><issuedByInUse>false</issuedByInUse><issuedOnInUse>false</issuedOnInUse><validNotBeforeInUse>false</validNotBeforeInUse><validNotAfterInUse>false</validNotAfterInUse><validityLengthInUse>false</validityLengthInUse><certTypeInUse>false</certTypeInUse></CertSearchRequest>
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search
filter: (certstatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: filter: (certStatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search
results: 11
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: filter: (certStatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=3,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=4,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=6,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=8,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=9,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=10,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
PKIService: Response format: application/json
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO:
PKIService: Response class: CertDataInfos
The XML request looks ok (valid XML).
Googling finds some bugs with mod_deflate, but turning it off breaks
httpd. Any idea how to fix it??
What are your package versions of ipa-server and pki-ca?
The CA is trying to reduce its dependencies and one of them provides
responses over XML. So IPA needed to adjust and expect this. It looks
like the two sides are out-of-sync.
rob
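
The mismatch described in this thread (the PKI log reports `Response format: application/json` while the client fails with `Start tag expected, '<' not found`) can be confirmed from a captured response. The following is an added example, not code from this thread or from FreeIPA or Dogtag; the function names are hypothetical and the sample bodies are constructed, not the real PKI schema.

```python
import json
import xml.etree.ElementTree as ET

def sniff_body(body: bytes) -> str:
    """Classify a response body as 'xml', 'json' or 'unknown' by parsing it."""
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
    if text.startswith("<"):
        try:
            ET.fromstring(text)
            return "xml"
        except ET.ParseError:
            return "unknown"
    if text.startswith(("{", "[")):
        try:
            json.loads(text)
            return "json"
        except ValueError:
            return "unknown"
    return "unknown"

def declared_format(content_type: str) -> str:
    """Map a Content-Type header value to 'xml', 'json' or 'unknown'."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media in ("application/xml", "text/xml") or media.endswith("+xml"):
        return "xml"
    if media == "application/json" or media.endswith("+json"):
        return "json"
    return "unknown"

def diagnose(client_expects: str, content_type: str, body: bytes) -> str:
    """Compare what the client parses, what the header says, and the body."""
    declared = declared_format(content_type)
    actual = sniff_body(body)
    if declared != actual:
        return f"server inconsistent: header says {declared}, body is {actual}"
    if actual != client_expects:
        return f"out of sync: client expects {client_expects}, server sent {actual}"
    return "ok"

# Constructed sample bodies (field names are illustrative only).
JSON_BODY = b'{"total": 11, "entries": []}'
XML_BODY = b"<CertDataInfos><total>11</total></CertDataInfos>"

if __name__ == "__main__":
    # The situation in this thread: an XML-parsing client, a JSON response.
    print(diagnose("xml", "application/json", JSON_BODY))
```
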