Hi Justin,

The ra-agent.pem is the same certificate on all servers/replicas. When everything works properly, it gets renewed on the renewal master, then it is uploaded in LDAP and the other replicas can download it from LDAP.
Do you have multiple servers? If yes and if the ra-agent.pem has been renewed on another server, you can simply copy the ra-agent.pem file from the other server to the failing one.
If you have multiple servers but the ra-agent.pem is expired on all of them, you will have to fix the renewal master first. To find which server is the renewal master:
# kinit admin
Password for admin@IPA.TEST:
# ipa config-show | grep renewal
  IPA CA renewal master: server.ipa.test
#

Then to fix the renewal master, you can use ipa-cert-fix command.

HTH,
flo

On Tue, May 9, 2023 at 2:33 AM Justin Sanderson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Found the culprit.... /var/lib/ipa/ra-agent.pem


# openssl -in /var/lib/ipa/ra-agent.pem -noout -text |grep "Not After"

The cert expired 4 days ago. ... whats proper "IPA" way to recreate
cert. I could do it with openssl but idd if there's "hooks" to other
components that i need to update.


On 5/7/2023 10:08 AM, Rob Crittenden wrote:
> Justin Sanderson via FreeIPA-users wrote:
>> Ok. So once again my IPA server is having cert issues. Everything seems
>> to be working except when I am in the web interface and goto
>> "Authentication" --> "Certificates" --> Click any of the certs in the list.
>>
>>
>> ---- I get this error from the browser.------
>>
>> IPA ERROR 907: NetworkError
>>
>> cannot connect to
>> https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
>> SSL_HANDSHAKE_FAILURE
>>
>>
>> # getcert list |grep expires  --> everything checks out ok. no expiry on
>> any of the certs
>>
>>
>> --- checked all the certs on there "Not Before" and "Not After" dates
>> for the following NSS db's
>>
>> certutil -L -d /etc/pki/pki-tomcat/alias
>>
>> certutil -L -d /etc/httpd/alias
>>
>>
>>
>>   ---- In /var/log/httpd/error_log, I do see some errors: ----
>>
>> Bad Remote Server Certificate -8181
>>
>> SSL Library Error: -8181 Certificate has expired
>>
>>
>> I know it's an expired cert obviously from httpd errorlog but where is
>> the darn thing. I thought i checked all the places and looked ok but I'm
>> definitely missing something....
>>
>>
>> could use some advice.
> I'd simplify by trying on the command line: ipa cert-show 1
>
> This will exercise the basic connectivity and will be less noisy than
> using the UI. I'd run the same command on all servers you have in case
> only one is affected.
>
> As for the TLS error in the httpd.log its hard to say without broader
> context. Is there an access log entry at the same time which may correlate?
>
> rob
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue