I tried the "ipa cert-show 1" from the CLI and got the same error:
https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
SSL_HANDSHAKE_FAILURE
I do have a corresponding entry in the access_log for apache:
"POST /ca/agent/ca/displayBySerial HTTP/1.1" 403 229
The apache error_log just re-iterates the same error as before which is
the same time the access_log is updated:
Bad Remote Server Certificate -8181
SSL Library Error: -8181 Certificate has expired
Still looking....
On 5/7/2023 10:08 AM, Rob Crittenden wrote:
> Justin Sanderson via FreeIPA-users wrote:
>> Ok. So once again my IPA server is having cert issues. Everything seems
>> to be working except when I am in the web interface and go to
>> "Authentication" --> "Certificates" --> Click any of the certs in the list.
>>
>>
>> ---- I get this error from the browser.------
>>
>> IPA ERROR 907: NetworkError
>>
>> cannot connect to
>>
>> https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
>> SSL_HANDSHAKE_FAILURE
>>
>>
>> # getcert list |grep expires --> everything checks out ok. no expiry on
>> any of the certs
>>
>>
>> --- checked all the certs on there "Not Before" and "Not After" dates
>> for the following NSS db's
>>
>> certutil -L -d /etc/pki/pki-tomcat/alias
>>
>> certutil -L -d /etc/httpd/alias
>>
>>
>>
>> ---- In /var/log/httpd/error_log, I do see some errors: ----
>>
>> Bad Remote Server Certificate -8181
>>
>> SSL Library Error: -8181 Certificate has expired
>>
>>
>> I know it's an expired cert obviously from httpd errorlog but where is
>> the darn thing. I thought I checked all the places and looked ok but I'm
>> definitely missing something....
>>
>>
>> could use some advice.
> I'd simplify by trying on the command line: ipa cert-show 1
>
> This will exercise the basic connectivity and will be less noisy than
> using the UI. I'd run the same command on all servers you have in case
> only one is affected.
>
> As for the TLS error in the httpd.log it's hard to say without broader
> context. Is there an access log entry at the same time which may correlate?
>
> rob
>