Hi,
I think you're hitting this issue:
https://pagure.io/freeipa/issue/7759
What is the full certificate chain of your new server cert? If the chain
contains a root CA and one or multiple subCAs, each subCA also needs to be
added using ipa-cacert-manage install.
HTH,
flo
On Wed, Oct 20, 2021 at 1:29 PM cicek adam via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Here is my ipactl status:
[root@xxx ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I think I am doing something wrong. I've made a fresh installation, then
added ca.crt by "ipa-cacert-manage -n globalsign -t C,, install
/root/ca.crt"
After this I ran ipa-certupdate and it was successful, I had no errors. So
I tought it to be safe to run ipa-server-certinstall and ran it.
As a result I get login failure in the web ui again. When I check httpd
error_log I see this:
[Wed Oct 20 14:02:17.214267 2021] [wsgi:error] [pid 20252:tid
140636607313664] [remote 10.212.238.92:52437] ipa: INFO: 401
Unauthorized: HTTPSConnectionPool(host='xxx', port=443): Max retries
exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1,
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:897)'),))
After I saw this, I tried ipa-certupdate again and it gave the "cannot
connect to 'any of the configured servers’:" error again.
What am I doing wrong? I did ipactl restart after ipa-server-certinstall.
I think I am missing some basics :/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure