Oh I see. I misunderstood the result.
# ipa pkinit-status
-----------------
4 servers matched
-----------------
Server name: server1.dom.ain
PKINIT status: enabled
Server name: server2.dom.ain
PKINIT status: enabled
Server name: server3.dom.ain
PKINIT status: enabled
Server name: server4.dom.ain
PKINIT status: enabled
----------------------------
Number of entries returned 4
----------------------------
And on all four:
# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
And a new thing today -- none of my clients are able to enroll or unenroll to/from IPA
showing the same error. I think it happened after running the script generated by
ipa-advise config-server-for-smart-card-auth
Authentication > Certificate Authorities is showing:
cannot connect to 'https://server[X].dom.ain:443/ca/rest/account/login': [SSL:
SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
907 RPC failed at server. cannot connect. Certificate issuance failed CA_UNREACHABLE. SSL:
SSL_HANDSHAKE_FAILURE.
I believe the only change was:
certutil -M -n 'Server-Cert' -d "/etc/httpd/alias" -f
/etc/httpd/alias/pwdfile.txt -t "Pu,u,u"?
The output is:
# certutil -d "/etc/httpd/alias" -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
DSTRootCAX3 C,,
ABC Operational CA 0 CT,C,C
Server-Cert Pu,u,u
DOMAIN IPA CA CT,C,C
letsencryptx3 C,,
ABC2 CA CT,C,C
ABC3 CA CT,C,C
This was working until very recently. I wonder if this is related to whatever is causing
the PKINIT failure.
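To review a `certutil -L` listing like the one above against a known-good baseline, here is an added Python example (not from the original post and not part of FreeIPA) that parses the listing, expands the NSS trust letters into their meanings, and reports every certificate whose flags differ from the baseline. The sample listing is constructed from the post's output, and the expected 'u,u,u' for Server-Cert is an assumption used for illustration, not something the post states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `certutil -d /etc/httpd/alias -L` listing from the post (columns shortened).
SAMPLE_LISTING = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

DSTRootCAX3                              C,,
ABC Operational CA 0                     CT,C,C
Server-Cert                              Pu,u,u
DOMAIN IPA CA                            CT,C,C
letsencryptx3                            C,,
ABC2 CA                                  CT,C,C
ABC3 CA                                  CT,C,C
"""

# NSS trust-flag letters; the same alphabet applies to each of the SSL, S/MIME and JAR/XPI slots.
FLAG_MEANING = {
    "C": "trusted CA to issue server certs", "T": "trusted CA to issue client certs", "c": "valid CA",
    "P": "trusted peer", "p": "prohibited", "u": "user cert (private key present)", "w": "send warning",
}
# A certificate row ends with three comma-separated flag groups; the nickname itself may contain spaces.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")

def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (ssl, smime, jar_xpi) trust flags; header and blank lines are skipped."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            ssl, smime, jar = m.group("trust").split(",")
            certs[m.group("nick")] = (ssl, smime, jar)
    return certs

def describe(flags: str) -> List[str]:
    """Expand one slot's flag letters (e.g. 'Pu') into human-readable meanings."""
    return [FLAG_MEANING.get(ch, f"unknown flag {ch!r}") for ch in flags]

def trust_drift(certs, baseline) -> List[Tuple[str, str, str]]:
    """Return (nickname, expected, actual) for each baseline cert whose flags changed or that is missing."""
    drift = []
    for nick, expected in baseline.items():
        actual = certs.get(nick)
        if actual != expected:
            drift.append((nick, ",".join(expected), ",".join(actual) if actual else "<missing>"))
    return drift

# Assumed baseline for the service cert: 'u,u,u' (key present, no explicit peer trust on the SSL slot).
print(trust_drift(parse_certutil_listing(SAMPLE_LISTING), {"Server-Cert": ("u", "u", "u")}))
```

Feed it the real listing with `subprocess.run(["certutil", "-d", "/etc/httpd/alias", "-L"], capture_output=True, text=True).stdout` and keep the baseline under version control so a changed trust slot shows up as drift rather than as a mystery handshake failure.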