#2177 IPA cannot complete certificate operations
Closed: Fixed None Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=761574

Description of problem:
After upgrading to ipa-server-2.1.3-9.el6.x86_64 on Dec I started receiving the
error message, "Certificate operation cannot be completed: Unable to
communicate with CMS (Unauthorized)" any time I tried to view a host in the web
UI.

This message is accompanied by the message,
"[08/Dec/2011:10:55:25][TP-Processor3]:
com.netscape.cms.servlet.filter.AgentRequestFilter:  The scheme MUST be
'https', NOT 'http'!" in /var/log/pki-ca/debug each time it occurs.

It is now impossible to view certificates issued to hosts in the Web UI. Any
host with a cert installed is impossible to delete whether via the Web UI or
CLI (same error messages.)

ipa cert-show 1 gives the same error message, "ipa: ERROR: Certificate
operation cannot be completed: Unable to communicate with CMS (Unauthorized)"

Version-Release number of selected component (if applicable):
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-client-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-python-1.5.1-66.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.1.3-9.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64

Running the following restores functionality:
yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux

yum upgrade brings the error back.

How reproducible:
Always

Steps to Reproduce:
1. Install IPA 2.0.0-23.el6_1.2
2. Configure IPA
3. Upgrade to RHEL 6.2 / IPA 2.1.3-9.el6
4. Restart IPA

Actual results:
CMS server becomes unavailable

Expected results:
CMS server remains available.

Additional info:
I actually had 2.1.1-4.el6 installed previous to 2.1.3-9, probably as part of
the 6.2 Beta, but when I downgraded it did not look to be available any more
and I got dropped to 2.0.0-23.el6_1.2. Could be related somehow, I guess.

The problem is that we now use mod_proxy again to do SSL work because we proxy for dogtag, so we need a Conflicts on mod_ssl again.

Moving to next month iteration.

The patch was reverted.

It is still fixed upstream.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Core Effort Remaining Work

7 years ago
