Figured it out. It's half unsupported use-case and half bug in freeipa's
httpd configuration:

If the httpd instance used by freeipa also hosts other vhosts on the same
IP (and those vhosts have SSL certs), then freeipa can't resolve itself. It
works fine on different IP addresses though.
The fix would be to add a VirtualHost just for freeipa that configures the
SSL certs used by freeipa, versus just modifying the default SSL
configuration.
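A concrete shape of the fix described above, as an added example that is not part of the original post and not FreeIPA's shipped configuration. With several name-based TLS vhosts on one IP, httpd selects the vhost (and so the certificate) by the SNI name the client sends; a connection to the IPA hostname that lands on a vhost serving another site's certificate cannot be verified against /etc/ipa/ca.crt, which is consistent with the CERTIFICATE_VERIFY_FAILED error quoted below. The hostnames ipa.example.test and www.example.test, the other site's certificate paths, and the IPA certificate paths under /var/lib/ipa/ are assumptions; check what ipa-server-install wrote into your own ssl.conf before copying anything.

```apache
# Added example, not FreeIPA's own configuration. Hostnames and paths are assumed.

# --- The situation that breaks: a second TLS site on the same IP, while the
# --- IPA certificate lives only in the default vhost that IPA edited in
# --- /etc/httpd/conf.d/ssl.conf. Whichever vhost SNI selects answers with
# --- its own certificate, so the IPA hostname can end up served by this one.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
    DocumentRoot /var/www/www.example.test
</VirtualHost>

# --- The fix: a vhost whose ServerName is the IPA server's FQDN and which
# --- carries the IPA-issued httpd certificate, kept in its own file under
# --- /etc/httpd/conf.d/ so later edits to ssl.conf do not clobber it.
# --- The <Location "/ipa"> blocks from /etc/httpd/conf.d/ipa.conf are
# --- defined at server scope and therefore apply to this vhost as well.
<VirtualHost *:443>
    ServerName ipa.example.test
    SSLEngine on
    # Paths as installed by ipa-server-install on Fedora (assumed; verify locally)
    SSLCertificateFile    /var/lib/ipa/certs/httpd.crt
    SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
    # Any other SSL* directives IPA placed in ssl.conf (for example client
    # certificate verification settings) must be copied here too, or the IPA
    # vhost will behave differently from the one IPA configured.
</VirtualHost>
```

Two checks confirm which certificate a given name receives: `httpd -S` prints the vhost-to-name mapping httpd actually loaded, and `openssl s_client -connect ipa.example.test:443 -servername ipa.example.test </dev/null | openssl x509 -noout -issuer` should name the IPA CA, while the same command with `-servername www.example.test` should name the other site's issuer. Note that httpd hands the first vhost listed for an address to clients that send no SNI at all, so vhost order still matters for such clients.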

On Tue, Mar 3, 2020 at 11:44 AM Justin Haygood <[email protected]> wrote:

> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting httpd Service
> Starting ipa-custodia Service
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> IPA thinks it's working, and all of the ancillary services (named, krb5kdc,
> ldap) are all working. The IPA UI doesn't work (you can access the login
> screen, but it fails trying to log in with the above error), etc.
>
> On Tue, Mar 3, 2020 at 11:38 AM Rob Crittenden <[email protected]>
> wrote:
>
>> None via FreeIPA-users wrote:
>> > So, my IPA server rebooted last night (from dnf automatic updates --
>> Fedora Server 31)
>> >
>> > When it came back, IPA basically is unusable, since pretty much every
>> action logs this: (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
>> issuer certificate (_ssl.c:1076)')))
>> >
>> > I think this is because the contents of /etc/httpd/alias/ are probably
>> corrupted somehow (the only file there is ipasession.key)
>> >
>> > certutil -L -d /etc/httpd/alias/ results in: certutil: function failed:
>> SEC_ERROR_BAD_DATABASE: security library: bad database.
>> >
>> > Any help would be useful! Thank you :)
>>
>> IPA doesn't use mod_nss in Fedora any more so it's expected that there
>> is no cert database.
>>
>> Run ipactl start to see what is going on.
>>
>> rob
>>
>>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]