This morning I tried running ipa-server-upgrade to see if that would help. It ultimately failed, but in a different spot and with a different error:
2024-04-04T11:36:42Z DEBUG The CA status is: running
2024-04-04T11:36:42Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2024-04-04T11:36:42Z INFO [Migrating certificate profiles to LDAP]
2024-04-04T11:36:42Z DEBUG Created connection context.ldap2_140461768893264
2024-04-04T11:36:42Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-****-NET.socket from SchemaCache
2024-04-04T11:36:42Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-****-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbfcdd14098>
2024-04-04T11:36:42Z DEBUG Destroyed connection context.ldap2_140461768893264
2024-04-04T11:36:42Z DEBUG request GET https://ipa1-sea2.ipa.****.net:8443/ca/rest/account/login
2024-04-04T11:36:42Z DEBUG request body ''
2024-04-04T11:36:42Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1260, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
2024-04-04T11:36:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2024-04-04T11:36:42Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2085, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1952, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 396, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1814, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1820, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1298, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 167, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 229, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2024-04-04T11:36:42Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://ipa1-sea2.ipa.****.net:8443/ca/rest/account/login': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
2024-04-04T11:36:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
Again with the 'unknown ca' message. I've confirmed that the ca.crt is the same one that is listed as the caSigningCert in /etc/pki/pki-tomcat/alias and is the one found at /etc/ipa/ca.crt. I believe my output of ASN.1 for each certificate also shows all the certificates signed by the CA, so I'm not sure what certificate it's complaining about coming from an unknown CA.
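A check worth adding to the comparison above (this is an added example, not code from the original post or from FreeIPA): "tlsv1 alert unknown ca" is OpenSSL's rendering of an unknown_ca alert it received from the peer, so the rejection in this traceback comes from the server side of the connection, pki-tomcat on port 8443, and the certificate it did not accept is the one the client presented. For the /ca/rest/account/login call that is the RA agent client certificate, not the CA certificate itself. Confirming that the two copies of ca.crt match is therefore necessary but not sufficient; the question is whether the client certificate chains to a CA the Dogtag side trusts. The script below builds constructed test material (two unrelated CAs and one leaf) to show the difference between a matching-fingerprint check and a chain check, and defines an optional live probe that replays ipa's client-authenticated handshake. The RA agent paths /var/lib/ipa/ra-agent.pem and /var/lib/ipa/ra-agent.key are an assumption (recent FreeIPA releases keep them there; older ones hold the ipaCert in an NSS database instead), and nothing in the generated material is real IPA data.

```shell
#!/bin/sh
# Added example (not from the original post or FreeIPA): offline certificate-chain
# checks with the openssl CLI, plus an optional replay of the mutual-TLS handshake
# that ipa performs against Dogtag on port 8443.

# show_cert FILE: subject, issuer and SHA-256 fingerprint of one PEM certificate.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# ca_fingerprint FILE: SHA-256 fingerprint only, for comparing two copies of a CA
# (e.g. /etc/ipa/ca.crt against the caSigningCert exported from the NSS database).
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_chain CAFILE CERT: succeed only if CERT chains to a CA in CAFILE. This is
# the check the receiving side of a TLS handshake performs before it answers
# with an unknown_ca alert.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# probe_tls HOST CERT KEY: replay ipa's client-authenticated request to the CA
# REST endpoint, trusting only /etc/ipa/ca.crt and presenting CERT/KEY as the
# client certificate. An "alert unknown ca" line here means the server rejected
# CERT; a "verify error" line means this client rejected the server's chain.
probe_tls() {
    openssl s_client -connect "$1:8443" -servername "$1" -CAfile /etc/ipa/ca.crt \
        -cert "$2" -key "$3" </dev/null 2>&1 | grep -Ei 'alert|verify (return code|error)'
}

# make_test_pki DIR: constructed test material only. Two unrelated CAs (A and B),
# a second copy of A, and one leaf signed by A. The explicit config keeps the CA
# extensions identical across OpenSSL 1.1.1 and 3.x.
make_test_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = EXAMPLE
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    for ca in caA caB; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=EXAMPLE/CN=Certificate Authority $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    cp "$dir/caA.crt" "$dir/caA-copy.crt"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=EXAMPLE/CN=IPA RA" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/caA.crt" -CAkey "$dir/caA.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_test_pki "$workdir"

echo "== client certificate under test =="
show_cert "$workdir/leaf.crt"

echo "== are the two CA copies the same certificate? =="
[ "$(ca_fingerprint "$workdir/caA.crt")" = "$(ca_fingerprint "$workdir/caA-copy.crt")" ] \
    && echo "same CA" || echo "different CA"

echo "== leaf against the CA that issued it =="
check_chain "$workdir/caA.crt" "$workdir/leaf.crt" && echo "chains" || echo "unknown CA"

echo "== leaf against an unrelated CA (what a server trusting the wrong CA sees) =="
check_chain "$workdir/caB.crt" "$workdir/leaf.crt" && echo "chains" || echo "unknown CA"

# Live check, only when a host is supplied: IPA_HOST=ipa1.example.test sh chaincheck.sh
# Assumed RA agent paths; adjust to where this release stores the RA credentials.
if [ -n "$IPA_HOST" ]; then
    probe_tls "$IPA_HOST" /var/lib/ipa/ra-agent.pem /var/lib/ipa/ra-agent.key
fi
```

Run it as-is to see the constructed cases; run it with IPA_HOST set on the server to get the actual alert text for the real handshake. If the live probe prints "alert unknown ca" while check_chain succeeds for the RA certificate against /etc/ipa/ca.crt, the disagreement is on the Dogtag side's trust store, not in the PEM files being compared.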