The ipa cert-find command and the respective Certificates page in the Web UI do not work if the IPA CA server was upgraded from the Dogtag 9 solution to the Dogtag 10 solution. This can happen, for example, when IPA on Fedora 17 is upgraded to Fedora 18:
ipa cert-find
    # ipa cert-find
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
It seems that the pki-ca instance upgraded from version 9 to 10 does not have the REST API interface, even when I target it to the right port, which is different from pure Dogtag 10:
    # pki cert-find
    RuntimeException: org.apache.http.conn.HttpHostConnectException: Connection to http://localhost:8080 refused

    # pki -h `hostname` -p 9180 -v cert-find
    Command: cert-find
    Server URI: http://vm-022.idm.lab.bos.redhat.com:9180/ca
    HTTP request: POST /ca/rest/certs/search HTTP/1.1
      Accept-Encoding: gzip, deflate
      Accept: application/xml
      Content-Length: 593
      Content-Type: application/xml
      Host: vm-022.idm.lab.bos.redhat.com:9180
      Connection: Keep-Alive
      User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
    HTTP response: HTTP/1.1 404 Not Found
      Server: Apache-Coyote/1.1
      Content-Type: text/html
      Content-Length: 5723
      Date: Thu, 04 Apr 2013 07:26:31 GMT
    org.jboss.resteasy.client.ClientResponseFailure: Error status 404 Not Found returned
        at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
        at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
        at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
        at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:38)
        at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:120)
        at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
        at sun.proxy.$Proxy26.searchCerts(Unknown Source)
        at com.netscape.certsrv.cert.CertClient.findCerts(CertClient.java:60)
        at com.netscape.cmstools.cert.CertFindCLI.execute(CertFindCLI.java:118)
        at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:96)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:307)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:330)
We should probably either provide a better error message or check if the instance can be upgraded to Dogtag 10 instance with the REST API (vakwetu may know more).
This report was originally reported by amessina on #freeipa channel.
amessina
This was filed against dogtag as https://fedorahosted.org/pki/ticket/578
Plan for dogtag is to not support this. It would require a lot of invasive changes, backporting servlets, etc.
What it will do is return a 501 which we will need to catch. We will need to say that cert-find does not work against a d9 server.
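An added example, not FreeIPA or Dogtag code, of the client-side handling described in the comment above: a 501 from the search endpoint becomes a specific "not supported" error, while other failures such as the 404 in the report stay generic. The names `cert_find`, `CertFindUnsupported`, `run_against_stub`, the request body and the stub CA server are all assumptions made for this illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEARCH_PATH = "/ca/rest/certs/search"  # path from the pki -v output in this ticket
# Bypass any configured proxy so localhost requests go straight to the stub.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class CertFindUnsupported(Exception):
    """The CA answered 501: no REST search interface on this instance."""

def cert_find(base_url, timeout=5):
    """POST a search request; return the body, or raise a specific error on 501."""
    req = urllib.request.Request(
        base_url + SEARCH_PATH, data=b"<search/>", method="POST",  # constructed body
        headers={"Content-Type": "application/xml", "Accept": "application/xml"})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        if e.code == 501:
            raise CertFindUnsupported(
                "cert-find does not work against a Dogtag 9 CA") from e
        raise  # 404 and other statuses remain ordinary HTTP errors

class _StubCA(BaseHTTPRequestHandler):
    # Constructed stand-in for the CA; replies with the status set on the server.
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(self.server.status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet

def run_against_stub(status):
    """Serve one request from a stub on a free localhost port and classify the result."""
    srv = HTTPServer(("127.0.0.1", 0), _StubCA)
    srv.status = status
    threading.Thread(target=srv.handle_request, daemon=True).start()
    try:
        cert_find("http://127.0.0.1:%d" % srv.server_port)
        return "ok"
    except CertFindUnsupported:
        return "unsupported"
    except urllib.error.HTTPError as e:
        return "http-%d" % e.code
    finally:
        srv.server_close()
```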
The upgrade script in pki-ca-10.0.2-1 is broken. It is missing some imports so fails. The dogtag team is spinning up a new version.
The gist is:
NameError: global name 'BASE_DIR' is not defined
Fixed for me in pki-core-10.0.2-2
master: 6e2c3a4
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)