D Trom via FreeIPA-users wrote:
If the subject isn't vague enough, perhaps I can explain in some better detail. I have IPA setup with a couple of replicas and it's been running fine for a few months; periodic runs of ipa-healthcheck didn't show any issues. During an update of the system packages, something went wrong and the CA is now unavailable from the webui and ipa tools.
When accessing from the webui (Authentication->Certificates) I get the following error: "Certificate operation cannot be completed: Unable to communicate with CMS (403)"
From some cli tools (ipa cert-show) I get this error: "ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"
It appears that dogtag is working, as I can use its toolset to query; "pki ca-cert-show 0x1 --pretty" for example returns the certificate as expected, so I suspect the issue lies somewhere in the API. I compared the cert which I believe to be used for pki with the following:
"grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt"
"certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'"
So from what I've read it seems pki-tomcat should be able to access its private key and certificate.
I also compared the cert with the one in LDAP and the two are the same.
"ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate"
In digging through some old backups, I found that entries in /etc/pki/pki-tomcat/server.xml had changed, so I reset the "requiredSecret" back to an earlier value, which seemed to allow the webui to work again, at least partially as I can now get a listing from the CA in the webui though I cannot see details of any particular certificate.
Assuming I'm on the right path, is there a documented process to regenerate the server.xml file or am I chasing the wrong problem?
First, it was a most excellent idea to use the pki command to verify that the CA was alive and well!
The value of requiredSecret needs to match the value in /etc/httpd/conf.d/ipa-pki-proxy.conf in the ProxyPassMatch statements (the last argument).
The argument name in server.xml is determined by the version of tomcat. pre-9.0.31.0 uses 'requiredSecret' and afterward uses 'secret'.
There is no documented process on regenerating server.xml that I know of. But since you already did the detective work to figure out it is requiredSecret-related, look at your version of tomcat vs what was added in the IPA upgrader (run in rpm %post).
Note that any manual changes you make may be overwritten on the next package update.
rob
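The check the reply describes, as an added example that is not part of the thread and not FreeIPA's or Dogtag's own tooling: extract the AJP secret that httpd presents (the trailing secret= argument of the ProxyPassMatch lines in ipa-pki-proxy.conf) and the secret Tomcat requires on its AJP Connector in server.xml (requiredSecret= on older Tomcat, secret= on newer, as the reply states), and report whether they agree. The two sample files it runs against are constructed here, modelled on the layout of those configs; the exact attribute layout of the real files on a given release is an assumption. Passing the two live paths as arguments checks a real server instead.

```shell
#!/bin/bash
# Added example (not from the thread): does httpd's AJP secret match Tomcat's?
# Usage on a live server:
#   bash ajp-secret-check.sh /etc/httpd/conf.d/ipa-pki-proxy.conf /etc/pki/pki-tomcat/server.xml
# With no arguments it runs against constructed sample files written below.

# Distinct secrets that httpd sends: the secret=... argument of ProxyPassMatch.
proxy_secret() {
    grep -E '^[[:space:]]*ProxyPassMatch' "$1" \
        | sed -nE 's/.*[[:space:]]secret=([^[:space:]]+).*/\1/p' \
        | sort -u
}

# Secret Tomcat requires on the AJP/1.3 Connector, whichever attribute name this
# Tomcat version uses (requiredSecret before 9.0.31, secret afterwards, per the
# reply). The element may span several lines, so the file is joined first.
tomcat_secret() {
    tr '\n' ' ' < "$1" \
        | grep -oE '<Connector[^>]*AJP/1\.3[^>]*>' \
        | sed -nE 's/.*[[:space:]](requiredSecret|secret)="([^"]*)".*/\2/p' \
        | sort -u
}

# Returns 0 on agreement, 1 on mismatch, 2 if a secret is missing, 3 if the
# ProxyPassMatch lines disagree among themselves.
check_ajp_secret() {
    local proxy_conf="$1" server_xml="$2" sent required
    sent=$(proxy_secret "$proxy_conf")
    required=$(tomcat_secret "$server_xml")
    if [ -z "$sent" ] || [ -z "$required" ]; then
        echo "ERROR: no AJP secret found in $proxy_conf or $server_xml" >&2
        return 2
    fi
    if [ "$(printf '%s\n' "$sent" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "ERROR: ProxyPassMatch lines in $proxy_conf carry different secrets" >&2
        return 3
    fi
    if [ "$sent" = "$required" ]; then
        echo "OK: httpd and Tomcat agree on the AJP secret"
        return 0
    fi
    echo "MISMATCH: httpd sends '$sent' but Tomcat requires '$required'" >&2
    return 1
}

# Constructed sample files (not real FreeIPA configs): a proxy conf, a server.xml
# whose older-style requiredSecret matches it, and one whose newer-style secret
# is a stale value of the kind a package update or old backup could leave behind.
SAMPLE_DIR=$(mktemp -d)
GOOD_PROXY="$SAMPLE_DIR/ipa-pki-proxy.conf"
GOOD_XML="$SAMPLE_DIR/server-matching.xml"
BAD_XML="$SAMPLE_DIR/server-stale.xml"

cat > "$GOOD_PROXY" <<'EOF'
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/displayCertFromRequest">
    ProxyPassMatch ajp://localhost:8009 secret=EXAMPLE_SECRET_1234
</LocationMatch>
<LocationMatch "^/ca/rest/">
    ProxyPassMatch ajp://localhost:8009 secret=EXAMPLE_SECRET_1234
</LocationMatch>
EOF

cat > "$GOOD_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" requiredSecret="EXAMPLE_SECRET_1234" />
  </Service>
</Server>
EOF

cat > "$BAD_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" secret="STALE_SECRET_FROM_OLD_BACKUP" />
  </Service>
</Server>
EOF

if [ "$#" -eq 2 ]; then
    check_ajp_secret "$1" "$2"     # live files supplied on the command line
else
    check_ajp_secret "$GOOD_PROXY" "$GOOD_XML" || true   # prints OK
    check_ajp_secret "$GOOD_PROXY" "$BAD_XML" || true    # prints MISMATCH
fi
```

A non-zero exit from the live-file run is the signal to compare the two files by hand before editing either; since, as the reply notes, the IPA upgrader may rewrite server.xml on the next package update, rerunning this check after each update catches the drift early.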