Could an SSL cert cause this issue?

References:

#1 https://pagure.io/freeipa/issue/7378
user comments - hcoin commented 6 months ago
>>>"This issue is back as of 3/2021. Freeipa 4.9.2-4.fc33 SELinux=permissive as
>>>well"
Though my system is centos, freeipa version is the same and selinux is permissive

#2 https://access.redhat.com/solutions/5527751

Observations:

1. Cert on web page UI is not trusted.
2. Web page does not fully load.
3. My system does contain the java version listed in the kb

# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64

4. Trying to uninstall/disable dnssec master produces ssl error

[root@utility ~]# ipa-dns-install --disable-dnssec-master

The log file for this installation can be found in /var/log/ipaserver-dns-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)
  * Unconfigure ipa-ods-exporter
  * Unconfigure OpenDNSSEC

No new zones will be signed without DNSSEC key master IPA server.

Please copy file from /var/lib/ipa/ipa-kasp.db.backup after uninstallation. This file is needed on new DNSSEC key master server

NOTE: DNSSEC zone signing is not enabled by default

To accept the default shown in brackets, press the Enter key.

Do you want to disable current DNSSEC key master? [no]: yes
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 172.30.50.10
DNS forwarder 172.30.50.10 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders: 172.30.50.10
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Unconfiguring ods-enforcerd
Exporting DNSSEC data before uninstallation
Unconfiguring ipa-ods-exporter
Unexpected error - see /var/log/ipaserver-dns-install.log for details:
NetworkError: cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
