Found the culprit.... /var/lib/ipa/ra-agent.pem
# openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -text | grep "Not After"
The cert expired 4 days ago. ... what's the proper "IPA" way to recreate the
cert? I could do it with openssl but idk if there are "hooks" to other
components that I need to update.
On 5/7/2023 10:08 AM, Rob Crittenden wrote:
> Justin Sanderson via FreeIPA-users wrote:
>> Ok. So once again my IPA server is having cert issues. Everything seems
>> to be working except when I am in the web interface and go to
>> "Authentication" --> "Certificates" --> Click any of the certs in the list.
>>
>>
>> ---- I get this error from the browser.------
>>
>> IPA ERROR 907: NetworkError
>>
>> cannot connect to
>> https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
>> SSL_HANDSHAKE_FAILURE
>>
>>
>> # getcert list | grep expires --> everything checks out ok; no expiry on
>> any of the certs
>>
>>
>> --- checked all the certs on their "Not Before" and "Not After" dates
>> for the following NSS DBs
>>
>> certutil -L -d /etc/pki/pki-tomcat/alias
>>
>> certutil -L -d /etc/httpd/alias
>>
>>
>>
>> ---- In /var/log/httpd/error_log, I do see some errors: ----
>>
>> Bad Remote Server Certificate -8181
>>
>> SSL Library Error: -8181 Certificate has expired
>>
>>
>> I know it's an expired cert obviously from the httpd error log but where is
>> the darn thing. I thought I checked all the places and they looked ok but I'm
>> definitely missing something....
>>
>>
>> could use some advice.
> I'd simplify by trying on the command line: ipa cert-show 1
>
> This will exercise the basic connectivity and will be less noisy than
> using the UI. I'd run the same command on all servers you have in case
> only one is affected.
>
> As for the TLS error in the httpd log it's hard to say without broader
> context. Is there an access log entry at the same time which may correlate?
>
> rob
>
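The thread's lesson is that a clean `getcert list` does not prove every certificate file on an IPA server is valid: the RA agent PEM had expired while the tracked NSS entries looked fine. The following script is an added example, not code from the thread or from FreeIPA itself; it sweeps a list of PEM files with the openssl CLI and reports which are expired or expiring within a threshold. The only IPA path it assumes is /var/lib/ipa/ra-agent.pem from the thread; NSS databases (certutil) are out of scope here.

```shell
#!/bin/sh
# Added example: report expiry of PEM certificates so an expired file such as
# /var/lib/ipa/ra-agent.pem is noticed even when 'getcert list' looks clean.
# Requires the openssl CLI; exit status is the worst status seen.

# cert_not_after FILE -> prints the notAfter date of the first cert in FILE
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_status FILE [DAYS] -> prints "expired", "expiring" (within DAYS, default
# 30) or "ok"; returns 0 for ok, 1 for expiring, 2 for expired.
cert_status() {
    file=$1
    days=${2:-30}
    # -checkend 0 fails once notAfter is in the past
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 2
    fi
    if ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring
        return 1
    fi
    echo ok
    return 0
}

# check_certs DAYS FILE... -> one tab-separated line per file; returns the
# worst status (3 = a listed file could not be read, which is itself a finding).
check_certs() {
    days=$1; shift
    worst=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf '%s\tunreadable\n' "$f"
            worst=3
            continue
        fi
        rc=0
        status=$(cert_status "$f" "$days") || rc=$?
        printf '%s\t%s\tnotAfter=%s\n' "$f" "$status" "$(cert_not_after "$f")"
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Usage: ./check_certs.sh /var/lib/ipa/ra-agent.pem [more PEM files...]
# DAYS=30 is the warning threshold; override with DAYS=60 ./check_certs.sh ...
if [ $# -gt 0 ]; then
    check_certs "${DAYS:-30}" "$@"
fi
```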
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue