Hi Justin,
The ra-agent.pem is the same certificate on all servers/replicas. When
everything works properly, it gets renewed on the renewal master, then it
is uploaded in LDAP and the other replicas can download it from LDAP.
Do you have multiple servers? If yes and if the ra-agent.pem has been
renewed on another server, you can simply copy the ra-agent.pem file from
the other server to the failing one.
If you have multiple servers but the ra-agent.pem is expired on all of
them, you will have to fix the renewal master first. To find which server
is the renewal master:
# *kinit admin*
Password for admin(a)IPA.TEST:
# *ipa config-show | grep renewal*
IPA CA renewal master: server.ipa.test
#
Then to fix the renewal master, you can use *ipa-cert-fix* command.
HTH,
flo
On Tue, May 9, 2023 at 2:33 AM Justin Sanderson via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Found the culprit.... /var/lib/ipa/ra-agent.pem
# openssl -in /var/lib/ipa/ra-agent.pem -noout -text |grep "Not After"
The cert expired 4 days ago. ... whats proper "IPA" way to recreate
cert. I could do it with openssl but idd if there's "hooks" to other
components that i need to update.
On 5/7/2023 10:08 AM, Rob Crittenden wrote:
> Justin Sanderson via FreeIPA-users wrote:
>> Ok. So once again my IPA server is having cert issues. Everything seems
>> to be working except when I am in the web interface and goto
>> "Authentication" --> "Certificates" --> Click any of
the certs in the
list.
>>
>>
>> ---- I get this error from the browser.------
>>
>> IPA ERROR 907: NetworkError
>>
>> cannot connect to
>>
https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
>> SSL_HANDSHAKE_FAILURE
>>
>>
>> # getcert list |grep expires --> everything checks out ok. no expiry on
>> any of the certs
>>
>>
>> --- checked all the certs on there "Not Before" and "Not
After" dates
>> for the following NSS db's
>>
>> certutil -L -d /etc/pki/pki-tomcat/alias
>>
>> certutil -L -d /etc/httpd/alias
>>
>>
>>
>> ---- In /var/log/httpd/error_log, I do see some errors: ----
>>
>> Bad Remote Server Certificate -8181
>>
>> SSL Library Error: -8181 Certificate has expired
>>
>>
>> I know it's an expired cert obviously from httpd errorlog but where is
>> the darn thing. I thought i checked all the places and looked ok but I'm
>> definitely missing something....
>>
>>
>> could use some advice.
> I'd simplify by trying on the command line: ipa cert-show 1
>
> This will exercise the basic connectivity and will be less noisy than
> using the UI. I'd run the same command on all servers you have in case
> only one is affected.
>
> As for the TLS error in the httpd.log its hard to say without broader
> context. Is there an access log entry at the same time which may
correlate?
>
> rob
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue