Here is my ipactl status:

[root@xxx ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

I think I am doing something wrong. I've made a fresh installation, then added ca.crt by "ipa-cacert-manage -n globalsign -t C,, install /root/ca.crt"

After this I ran ipa-certupdate and it was successful, I had no errors. So I tought it to be safe to run ipa-server-certinstall and ran it.
As a result I get  login failure in the web ui again. When I check httpd error_log I see this:

[Wed Oct 20 14:02:17.214267 2021] [wsgi:error] [pid 20252:tid 140636607313664] [remote 10.212.238.92:52437] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

After I saw this, I tried ipa-certupdate again and it gave the "cannot connect to 'any of the configured servers’:" error again.

What am I doing wrong? I did ipactl restart after ipa-server-certinstall.

I think I am missing some basics :/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure