Hide Forgot
Created attachment 847341 [details] /var/log/pki-ca/debug Description of problem: When trying to remove a host through either the web interface or the clie using ipa host-del I receive the following error: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) Version-Release number of selected component (if applicable): ipa-server-3.0.0-26.el6_4.4.x86_64 How reproducible: 100% on all host-del operations. Steps to Reproduce: 1. Log into IPA 2. Attempt to delete a host Actual results: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) Expected results: I expect the host to be deleted. Additional info: I also tried the following commands which resulted in the same error: ipa cert-show # ipa host-disable hostname IPA packages installed: ipa-client-3.0.0-26.el6_4.4.x86_64 ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 python-iniparse-0.3.1-2.1.el6.noarch ipa-admintools-3.0.0-26.el6_4.4.x86_64 ipa-server-3.0.0-26.el6_4.4.x86_64 libipa_hbac-1.9.2-82.7.el6_4.x86_64 ipa-python-3.0.0-26.el6_4.4.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch
Created attachment 847343 [details] /var/log/httpd/error_log
The CA can't bind to its LDAP server: getLDAPConn: netscape.ldap.LDAPException: error result (49) 49 is invalid credentials. Did you change the Directory Manager password in your CA LDAP instance?
Yes, that password was changed. I was under the influence the Directory Manager account was only used during deployment. Which file do I need to update with the new password? Thanks!
We have a HOWTO for this situation (fixing CA after a DM password was changed): http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password Please report if you had any issues with following it so that we can enhance it.
After following the guide I was still being greeted with "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)" when trying to remove hosts or check certificates. Checking the logs in /var/log/pki-ca/debug showed me that the PKI service was still throwing LDAP bind errors for invalid credentials. Eventually I got it working, but I had to update a key in /etc/pki-ca/password.conf. The key I updated was internaldb with the value of the new Directory Manager password. After restarting the pki-ca all was well. Additionally, I found this excerpt to be a little confusing: $KEYDB_PASSWORD is the password for PKI certificate storage. It can be retrieved from internal configuration option in /etc/pki-ca/password.conf for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10 The reason is because internaldb looks more like a password (being that it is) as opposed to the line of numbers following the internal key. $KEYDB_PIN is the PIN for the PKI certificate storage. It can be retrieved from the **internal** configuration option in /etc/pki-ca/password.conf for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10 Thank for your help Martin!
I am glad you made it working. (In reply to Chr from comment #6) > After following the guide I was still being greeted with "Certificate > operation cannot be completed: Unable to communicate with CMS (Not Found)" > when trying to remove hosts or check certificates. > > Checking the logs in /var/log/pki-ca/debug showed me that the PKI service > was still throwing LDAP bind errors for invalid credentials. > > Eventually I got it working, but I had to update a key in > /etc/pki-ca/password.conf. The key I updated was internaldb with the value > of the new Directory Manager password. After restarting the pki-ca all was > well. Ok, we can add this information. > > Additionally, I found this excerpt to be a little confusing: > > $KEYDB_PASSWORD is the password for PKI certificate storage. It can be > retrieved from internal configuration option in /etc/pki-ca/password.conf > for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10 > > The reason is because internaldb looks more like a password (being that it > is) as opposed to the line of numbers following the internal key. > > $KEYDB_PIN is the PIN for the PKI certificate storage. It can be retrieved > from the **internal** configuration option in /etc/pki-ca/password.conf for > Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10 > > Thank for your help Martin! Good point. I updated http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password and added both missing pieces. If you miss anything else, please just write a comment. Otherwise I think we can close this bug.
Closing the bug.