Bug 1050212 - ipa host-del fails with: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Summary: ipa host-del fails with: Certificate operation cannot be completed: Unable to...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-08 21:00 UTC by Chr
Modified: 2014-01-10 12:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-10 12:08:13 UTC
Target Upstream Version:


Attachments:
/var/log/pki-ca/debug (36.19 KB, text/plain), 2014-01-08 21:00 UTC, Chr
/var/log/httpd/error_log (726 bytes, text/plain), 2014-01-08 21:01 UTC, Chr

Description Chr 2014-01-08 21:00:38 UTC
Created attachment 847341
/var/log/pki-ca/debug

Description of problem:
When trying to remove a host through either the web interface or the CLI using ipa host-del I receive the following error:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64

How reproducible:
100% on all host-del operations.

Steps to Reproduce:
1. Log into IPA
2. Attempt to delete a host

Actual results:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Expected results:
I expect the host to be deleted.

Additional info:
I also tried the following commands which resulted in the same error:
ipa cert-show #
ipa host-disable hostname

IPA packages installed:
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch

Comment 1 Chr 2014-01-08 21:01:28 UTC
Created attachment 847343
/var/log/httpd/error_log

Comment 3 Rob Crittenden 2014-01-08 22:06:56 UTC
The CA can't bind to its LDAP server:

getLDAPConn: netscape.ldap.LDAPException: error result (49)

49 is invalid credentials.

Did you change the Directory Manager password in your CA LDAP instance?

Comment 4 Chr 2014-01-09 00:37:01 UTC
Yes, that password was changed. I was under the impression the Directory Manager account was only used during deployment. Which file do I need to update with the new password?

Thanks!

Comment 5 Martin Kosek 2014-01-09 07:32:13 UTC
We have a HOWTO for this situation (fixing CA after a DM password was changed):

http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

Please report if you had any issues with following it so that we can enhance it.

Comment 6 Chr 2014-01-09 14:49:36 UTC
After following the guide I was still being greeted with "Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)" when trying to remove hosts or check certificates.

Checking the logs in /var/log/pki-ca/debug showed me that the PKI service was still throwing LDAP bind errors for invalid credentials.

Eventually I got it working, but I had to update a key in /etc/pki-ca/password.conf. The key I updated was internaldb with the value of the new Directory Manager password. After restarting the pki-ca all was well.

Additionally, I found this excerpt to be a little confusing:

$KEYDB_PASSWORD is the password for PKI certificate storage. It can be retrieved from internal configuration option in /etc/pki-ca/password.conf for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10

The reason is because internaldb looks more like a password (being that it is) as opposed to the line of numbers following the internal key.

$KEYDB_PIN is the PIN for the PKI certificate storage. It can be retrieved from the **internal** configuration option in /etc/pki-ca/password.conf for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10

Thanks for your help, Martin!
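
The repair described in comments 3 to 6 (LDAP result 49 in /var/log/pki-ca/debug, a stale internaldb entry in /etc/pki-ca/password.conf, update it, restart the CA), as an added example script. It is not the reporter's, FreeIPA's or Dogtag's code. Its assumptions are labelled in the comments: the CA's 389-ds instance listens on ldap://localhost:7389 (the separate PKI-IPA instance of an IPA 3.0 / Dogtag 9 install), the RHEL 6 init script is pki-cad, and the password.conf and log samples used when testing it are constructed. Everything the script reads or writes can be redirected with the PASSWORD_CONF, DEBUG_LOG and CA_LDAP_URI variables.

```shell
#!/bin/sh
# Added example (not from the bug report, FreeIPA or Dogtag): after the
# Directory Manager password of the CA's LDAP instance was changed, bring the
# Dogtag 9 CA's stored copy (key "internaldb" in password.conf) back in sync
# and verify the bind before restarting the CA.
# Assumptions: CA LDAP instance on port 7389 (IPA 3.0 PKI-IPA instance) and
# the RHEL 6 init script name "pki-cad"; adjust both for your site.

PASSWORD_CONF="${PASSWORD_CONF:-/etc/pki-ca/password.conf}"
DEBUG_LOG="${DEBUG_LOG:-/var/log/pki-ca/debug}"
CA_LDAP_URI="${CA_LDAP_URI:-ldap://localhost:7389}"   # assumption, see above

# Number of LDAP bind failures (result code 49 = invalid credentials) the CA
# logged. A growing count right after a DM password change is the symptom
# seen in comment 3 and means the CA is still using the old password.
count_bind_failures() {  # count_bind_failures LOGFILE
    grep -c 'LDAPException: error result (49)' "$1" 2>/dev/null || :
}

# Print the value stored for KEY in a Dogtag password.conf (key=value lines).
pw_get() {  # pw_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Replace the value for KEY in FILE and leave every other line (internal=,
# replicationdb=, ...) untouched. The new file is written under umask 077 so
# the clear-text password is never exposed, and a key that does not already
# exist is refused rather than silently appended.
pw_set() {  # pw_set FILE KEY VALUE
    file=$1; key=$2; value=$3
    grep -q "^$key=" "$file" || { echo "pw_set: no key '$key' in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    ( umask 077; awk -v k="$key" -v v="$value" \
        'BEGIN { FS = OFS = "=" } $1 == k { $0 = k "=" v } { print }' "$file" > "$tmp" ) || return 1
    mv "$tmp" "$file"
}

# Bind to the CA's LDAP instance as Directory Manager with the password the
# CA has on file. Exit status 0 means password.conf and LDAP agree again.
check_bind() {
    pw=$(pw_get "$PASSWORD_CONF" internaldb)
    ldapsearch -x -H "$CA_LDAP_URI" -D "cn=Directory Manager" -w "$pw" \
        -s base -b "" 'objectclass=*' >/dev/null 2>&1
}

# The sequence from comment 6: update internaldb, confirm the bind works,
# then restart the CA so the running process picks up the new value.
fix_ca_dm_password() {  # fix_ca_dm_password NEW_DM_PASSWORD
    echo "bind failures logged so far: $(count_bind_failures "$DEBUG_LOG")"
    pw_set "$PASSWORD_CONF" internaldb "$1" || return 1
    check_bind || { echo "Directory Manager bind still fails; check the new password" >&2; return 1; }
    service pki-cad restart   # assumption: RHEL 6 / Dogtag 9 init script name
}

# Usage, as root on the CA: sh fix-ca-dm-password.sh 'NewDMPassword'
if [ -n "${1:-}" ]; then
    fix_ca_dm_password "$1"
fi
```

The point of check_bind is to catch a typo in the new password before the CA is restarted with it: a wrong value would only reproduce the same result 49 in the debug log. The DM password lives in clear text in password.conf, which is why the rewrite keeps the file owner-only readable and why rotating the Directory Manager password means rotating it in every consumer that has a copy, not only in LDAP. The FreeIPA HOWTO linked in comment 5 covers the other pieces (KEYDB_PIN, replication) that this script does not touch.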

Comment 7 Martin Kosek 2014-01-09 16:16:25 UTC
I am glad you got it working.

(In reply to Chr from comment #6)
> After following the guide I was still being greeted with "Certificate
> operation cannot be completed: Unable to communicate with CMS (Not Found)"
> when trying to remove hosts or check certificates.
> 
> Checking the logs in /var/log/pki-ca/debug showed me that the PKI service
> was still throwing LDAP bind errors for invalid credentials.
> 
> Eventually I got it working, but I had to update a key in
> /etc/pki-ca/password.conf. The key I updated was internaldb with the value
> of the new Directory Manager password. After restarting the pki-ca all was
> well.

Ok, we can add this information.

> 
> Additionally, I found this excerpt to be a little confusing:
> 
> $KEYDB_PASSWORD is the password for PKI certificate storage. It can be
> retrieved from internal configuration option in /etc/pki-ca/password.conf
> for Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10
> 
> The reason is because internaldb looks more like a password (being that it
> is) as opposed to the line of numbers following the internal key.
> 
> $KEYDB_PIN is the PIN for the PKI certificate storage. It can be retrieved
> from the **internal** configuration option in /etc/pki-ca/password.conf for
> Dogtag 9 or from /etc/pki/pki-tomcat/password.conf in Dogtag 10
> 
> Thanks for your help, Martin!

Good point. I updated
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
and added both missing pieces.

If you miss anything else, please just write a comment. Otherwise I think we can close this bug.

Comment 8 Martin Kosek 2014-01-10 12:08:13 UTC
Closing the bug.

