hi, I have a lab test with fedora 34 (latest patches) and everything works ok except the CA, # ipa -d cert-find ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$af90c5da... ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$af90c5da.plugins ipa: DEBUG: importing all plugin modules in ipaclient.plugins... ipa: DEBUG: importing plugin module ipaclient.plugins.automember ipa: DEBUG: importing plugin module ipaclient.plugins.automount ipa: DEBUG: importing plugin module ipaclient.plugins.ca <http://ipaclient.plugins.ca> ipa: DEBUG: importing plugin module ipaclient.plugins.cert ipa: DEBUG: importing plugin module ipaclient.plugins.certmap ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile ipa: DEBUG: importing plugin module ipaclient.plugins.dns ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest ipa: DEBUG: importing plugin module ipaclient.plugins.host ipa: DEBUG: importing plugin module ipaclient.plugins.idrange ipa: DEBUG: importing plugin module ipaclient.plugins.internal ipa: DEBUG: importing plugin module ipaclient.plugins.location ipa: DEBUG: importing plugin module ipaclient.plugins.migration ipa: DEBUG: importing plugin module ipaclient.plugins.misc ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipaclient.plugins.passwd ipa: DEBUG: importing plugin module ipaclient.plugins.permission ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient ipa: DEBUG: importing plugin module ipaclient.plugins.server ipa: DEBUG: importing plugin module ipaclient.plugins.service ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule ipa: DEBUG: importing plugin module ipaclient.plugins.topology ipa: DEBUG: importing plugin module ipaclient.plugins.trust ipa: DEBUG: importing plugin module ipaclient.plugins.user ipa: DEBUG: importing plugin module ipaclient.plugins.vault ipa: DEBUG: found session_cookie in persistent storage for principal &#39;admin(a)L.EXAMPLE.ORG <mailto:admin@L.EXAMPLE.ORG>', cookie: 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d' ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d;' ipa: DEBUG: trying https://kdc.l.example.org/ipa/session/json ipa: DEBUG: Created connection context.rpcclient_140261006164032 ipa: DEBUG: raw: cert_find(None, version='2.243') ipa: DEBUG: cert_find(None, version='2.243') ipa: DEBUG: [try 1]: Forwarding 'cert_find/1' to json server 'https://kdc.l.example.org/ipa/session/json' ipa: DEBUG: New HTTP connection (kdc.l.example.org <http://kdc.l.example.org>) ipa: DEBUG: Destroyed connection context.rpcclient_140261006164032 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1) In apache that is the error as well, in pki I see this: 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Searching for certificates 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request class: CertSearchRequest 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request format: application/xml 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: XML request: <?xml version='1.0' encoding='UTF-8'?> <CertSearchRequest><serialNumberRangeInUse>true</serialNumberRangeInUse><subjectInUse>false</subjectInUse><matchExactly>false</matchExactly><revokedByInUse>false</revokedByInUse><revokedOnInUse>false</revokedOnInUse><revocationReasonInUse>false</revocationReasonInUse><issuedByInUse>false</issuedByInUse><issuedOnInUse>false</issuedOnInUse><validNotBeforeInUse>false</validNotBeforeInUse><validNotAfterInUse>false</validNotAfterInUse><validityLengthInUse>false</validityLengthInUse><certTypeInUse>false</certTypeInUse></CertSearchRequest> 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search filter: (certstatus=*) 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: filter: (certStatus=*) 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search results: 11 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: filter: (certStatus=*) 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=3,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=4,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=6,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=8,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=9,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=10,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response format: application/json 2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response class: CertDataInfos The xml request looks ok (valid xml). Googling finds some bugs with mod_deflate, but turning it off breaks httpd. Any idea how to fix it??

hi, On Fri, Oct 15, 2021 at 7:52 PM Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com>> wrote: What are your package versions of ipa-server and pki-ca? The CA is trying to reduce its dependencies and one of them provides responses over XML. So IPA needed to adjust and expect this. It looks like the two sides are out-of-sync.  I was wrong, not f34 but 35, so this is not released yet:  rpm -qa | egrep "pki-ca|ipa-server" freeipa-server-common-4.9.7-1.fc35.noarch dogtag-pki-ca-11.0.0-1.fc35.noarch freeipa-server-4.9.7-1.fc35.x86_64 freeipa-server-dns-4.9.7-1.fc35.noarch

On pe, 15 loka 2021, Rob Crittenden via FreeIPA-users wrote: > Natxo Asenjo wrote: >> hi, >> >> On Fri, Oct 15, 2021 at 7:52 PM Rob Crittenden <rcritten(a)redhat.com >> <mailto:rcritten@redhat.com>> wrote: >> >> >>     What are your package versions of ipa-server and pki-ca? >> >>     The CA is trying to reduce its dependencies and one of them provides >>     responses over XML. So IPA needed to adjust and expect this. It >> looks >>     like the two sides are out-of-sync. >> >> >>  I was wrong, not f34 but 35, so this is not released yet: >> >>  rpm -qa | egrep "pki-ca|ipa-server" >> freeipa-server-common-4.9.7-1.fc35.noarch >> dogtag-pki-ca-11.0.0-1.fc35.noarch >> freeipa-server-4.9.7-1.fc35.x86_64 >> freeipa-server-dns-4.9.7-1.fc35.noarch > > > Ok yeah, this confirms it. We'll have to do a patch to IPA in F35 and > rawhide to address this. It shouldn't be a ton of work but F35 is close > to release so we'll see if we can sneak the update in. > > I filed https://bugzilla.redhat.com/show_bug.cgi?id=2014658 > > I'm not sure if there is a workaround for this. The fix is in upstream (and in C9S too) so it should be an easy rebuild. I nominated this bug for F35 final release blocker.