If the subject isn't vague enough, perhaps I can explain in some better detail.
I have IPA setup with a couple of replicas and it's been running fine for a few
months; periodic runs of ipa-healthcheck didn't show any issues.
During an update of the system packages, something went wrong and the CA is now
unavailable from the webui and ipa tools.
When accessing from the webui (Authentication->Certificates) I get the following error:
"Certificate operation cannot be completed: Unable to communicate with CMS
(403)"
From some cli tools (ipa cert-show) I get this error:
"ipa: ERROR: Certificate operation cannot be completed: Request failed with status
403: Non-2xx response from CA REST API: 403. (403)"
It appears that dogtag is working, as I can use its toolset to query it: "pki
ca-cert-show 0x1 --pretty", for example, returns the certificate as expected, so I
suspect the issue lies somewhere in the API.
I compared the cert which I believe to be used for pki with the following:
"grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 >
/tmp/pwdfile.txt"
"certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert
cert-pki-ca'"
So from what I've read it seems pki-tomcat should be able to access its private
key and certificate.
I also compared the cert with the one in LDAP and the two are the same.
"ldapsearch -LLL -D 'cn=directory manager' -W -b
uid=pkidbuser,ou=people,o=ipaca userCertificate"
In digging through some old backups, I found that entries in
/etc/pki/pki-tomcat/server.xml had changed, so I reset the "requiredSecret" back
to an earlier value, which seemed to allow the webui to work again, at least partially as
I can now get a listing from the CA in the webui though I cannot see details of any
particular certificate.
Assuming I'm on the right path, is there a documented process to regenerate the
server.xml file or am I chasing the wrong problem?
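The post above compares the subsystem certificate held in the pki-tomcat NSS database with the `userCertificate` stored on `uid=pkidbuser,ou=people,o=ipaca`. Comparing long base64 blobs by eye is error-prone, so here is an added example (not from the original post or from FreeIPA/Dogtag) that does the comparison by SHA-256 fingerprint. It assumes the NSS side is PEM text as printed by `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` and the LDAP side is `ldapsearch -LLL` output, where 389-ds emits the value as `userCertificate;binary::` with LDIF line folding. The sample inputs embedded below are constructed and stand in for real command output.

```python
import base64
import hashlib
import ssl
from typing import List, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first PEM certificate block (e.g. from `certutil -L ... -a`) to DER."""
    start = pem_text.index(PEM_HEADER) + len(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER, start)
    return base64.b64decode("".join(pem_text[start:end].split()))


def parse_ldif_attr(ldif_text: str, attr: str) -> Optional[bytes]:
    """Return the base64 ('::') value of `attr` from ldapsearch -LLL output.

    Handles LDIF line folding (continuation lines start with one space) and
    attribute options such as 'userCertificate;binary'.
    """
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition("::")
        if sep and name.split(";")[0].lower() == attr.lower():
            return base64.b64decode(value.strip())
    return None


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most certificate tools print."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def certs_match(nss_pem: str, ldif_text: str) -> bool:
    """True when the NSS-database cert and the LDAP userCertificate are byte-identical."""
    ldap_der = parse_ldif_attr(ldif_text, "userCertificate")
    if ldap_der is None:
        raise ValueError("no userCertificate value found in LDIF output")
    return sha256_fingerprint(pem_to_der(nss_pem)) == sha256_fingerprint(ldap_der)


# Constructed sample input: a five-byte ASN.1 SEQUENCE standing in for a real
# certificate. The comparison is byte-based, so it does not matter that this is
# not a parseable X.509 structure.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_NSS_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = (
    "dn: uid=pkidbuser,ou=people,o=ipaca\n"
    "userCertificate;binary:: " + _b64[:4] + "\n " + _b64[4:] + "\n"  # folded value
)

if __name__ == "__main__":
    print("NSS :", sha256_fingerprint(pem_to_der(SAMPLE_NSS_PEM)))
    print("LDAP:", sha256_fingerprint(parse_ldif_attr(SAMPLE_LDIF, "userCertificate")))
    print("match:", certs_match(SAMPLE_NSS_PEM, SAMPLE_LDIF))
```

To use it against a live server, save the two command outputs to files and pass their contents to `certs_match`; a `False` result means the CA is presenting a different subsystem certificate than the one LDAP will authenticate, which is one of the conditions that produces a 403 from the CA REST API.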