Existing service file detected! Assuming stale, cleaning and proceeding Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting httpd Service Starting ipa-custodia Service Starting pki-tomcatd Service Starting ipa-otpd Service Starting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful
IPA thinks its working, and all of the ancillary services (named, krb5kdc, ldap are all working). the IPA UI doesn't work (you can access the login screen, but it fails trying to login with the above error), etc.. On Tue, Mar 3, 2020 at 11:38 AM Rob Crittenden <[email protected]> wrote: > None via FreeIPA-users wrote: > > So, my IPA server rebooted last night (from dnf automatic updates -- > Fedora Server 31) > > > > When it came back, IPA basically is unusable, since pretty much every > action logs this: (Caused by SSLError(SSLCertVerificationError(1, '[SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local > issuer certificate (_ssl.c:1076)'))) > > > > I think this is because the contents of /etc/httpd/alias/ are probably > corrupted somehow (the only file there is ipasession.key) > > > > certutil -L -d /etc/httpd/alias/ results in: certutil: function failed: > SEC_ERROR_BAD_DATABASE: security library: bad database. > > > > Any help would be useful! Thank you :) > > IPA doesn't use mod_nss in Fedora any more so it's expected that there > is no cert database. > > Run ipactl start to see what is going on. > > rob > >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
