SRM via FreeIPA-users wrote:
> Thanks for your reply. Here is the output of "kinit admin; ipa cert-show 1":
> ipa: DEBUG: failed to find session_cookie in persistent storage for principal '[email protected]'
> ipa: INFO: trying https://login1.ourorg.com/ipa/json
> ipa: DEBUG: Created connection context.rpcclient_140248688553680
> ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://login1.ourorg.com/ipa/json'
> ipa: DEBUG: HTTP connection destroyed (login1.ourorg.com)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 694, in single_request
>     h = self.make_connection(host)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 573, in make_connection
>     conn.connect()
>   File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
>     server_hostname=sni_hostname)
>   File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
>     _context=self)
>   File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
>     self.do_handshake()
>   File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
>     self._sslobj.do_handshake()
> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> ipa: DEBUG: Destroyed connection context.rpcclient_140248688553680
> ipa: ERROR: cannot connect to 'https://login1.ourorg.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>
> And output of "ipactl status", note as I mentioned in the first post
> pki-tomcatd service was failing even before certificates got expired.
>
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful

We need to start by getting the CA running properly while back in time
when the certs are still valid. There is no way to re-issue the
certificates without it.

Can you share the logging and output from your verification of the pki
subsystem certificate?

rob
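
Going "back in time when the certs are still valid" means choosing a clock setting that falls inside the validity period of every certificate the CA depends on. The following is an added example, not code from this thread or from the FreeIPA project: it computes that common window from text in the format printed by `openssl x509 -noout -dates`. The certificate labels and dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: labels and dates are illustrative, not taken from the thread.
# Each value is text in the format printed by `openssl x509 -noout -dates`.
SAMPLE_CERTS = {
    "ca-signing (constructed)":
        "notBefore=Jun  1 10:00:00 2015 GMT\nnotAfter=Jun  1 10:00:00 2035 GMT",
    "subsystem (constructed)":
        "notBefore=Jun  2 10:05:00 2017 GMT\nnotAfter=May 23 10:05:00 2019 GMT",
    "httpd (constructed)":
        "notBefore=Jun 10 08:30:00 2017 GMT\nnotAfter=Jun 11 08:30:00 2019 GMT",
}

def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates text."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def to_dt(value):
        # Collapse the double space openssl prints before single-digit days.
        normalized = " ".join(value.split())
        parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z")
        return parsed.replace(tzinfo=timezone.utc)

    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def common_window(certs):
    """Latest notBefore and earliest notAfter, or None if no time suits all certs."""
    windows = [parse_dates(text) for text in certs.values()]
    start = max(w[0] for w in windows)
    end = min(w[1] for w in windows)
    return (start, end) if start < end else None

def invalid_at(certs, when):
    """Labels of certificates that are not yet valid or already expired at `when`."""
    bad = []
    for name, text in certs.items():
        not_before, not_after = parse_dates(text)
        if not not_before <= when <= not_after:
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":
    print("common validity window:", common_window(SAMPLE_CERTS))
    print("invalid now:", invalid_at(SAMPLE_CERTS, datetime.now(timezone.utc)))
```

A result of `None` from `common_window` means no single clock setting makes every listed certificate valid at once.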
