[root@utility certs]# ipa-certupdate
cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
The ipa-certupdate command failed.
Sort of a bad catch-22 I guess?

________________________________
From: Rob Crittenden <[email protected]>
Sent: Friday, September 10, 2021 9:09 AM
To: Jeremy Tourville <[email protected]>; FreeIPA users list <[email protected]>
Cc: Florence Renaud <[email protected]>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

Jeremy Tourville wrote:
> Now I understand how to test the cert(s) after re-reading your comments
> Rob and Flo 🙂
>
> [root@utility certs]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
> /var/lib/ipa/certs/httpd.crt: OK
> Chain:
> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority

I'd try running ipa-certupdate. I have the feeling some of the
system-wide certificates are out-of-sync.

rob

>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <[email protected]>
> *Sent:* Thursday, September 9, 2021 5:45 PM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>
> Oh wait!!! Which set of certs do I need to test against for my certificate chain?
> I realized I didn't include the proper path when testing.
> It should be something like:
>
> # openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /etc/ipa/ca.crt
> # openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /var/lib/ipa/certs/httpd.crt
>
> This would give you output (presuming you are using the correct set of certs):
> /etc/ipa/ca.crt: OK
> /var/lib/ipa/certs/httpd.crt: OK
>
> Which path contains the intermediate or root CA certs I need to test against?
>
> [root@utility ~]# ls -la | find / -name *.crt
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
> /etc/pki/tls/certs/ca-bundle.crt
> /etc/pki/tls/certs/ca-bundle.trust.crt
> /etc/pki/tls/certs/localhost.crt
> /etc/pki/pki-tomcat/alias/ca.crt
> /etc/ipa/ca.crt
> /etc/dirsrv/ssca/ca.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
> /var/lib/ipa/certs/httpd.crt
> /var/kerberos/krb5kdc/kdc.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
> /usr/share/ipa/html/ca.crt
>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <[email protected]>
> *Sent:* Thursday, September 9, 2021 3:13 PM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>
>>>> It isn't complaining that the certificate isn't valid, it's complaining that it isn't trusted.
>
> Thanks for pointing out my mistake. I'm wearing some egg on my face. I was thinking about it wrong at the time of my reply.
>
> I attempted to verify trust:
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
> ^C
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile /var/lib/ipa/certs/httpd.crt
> ^C
>
> As you can see, no output, so yeah, they are not trusted.
>
>>> Where did httpd.crt come from/what issuer?
>
> I recall not using a 3rd party CA. The certs were just self-signed when the ipa server was initially built. I never did replace the certs as it wasn't required for our situation.
>
> Next steps I guess would be to generate some new certs? Thoughts?
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <[email protected]>
> *Sent:* Thursday, September 9, 2021 12:53 PM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Florence Renaud <[email protected]>; Jeremy Tourville <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>
> Jeremy Tourville via FreeIPA-users wrote:
>> /var/lib/ipa/certs/httpd.crt
>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>
>> /etc/ipa/ca.crt
>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>
> It isn't complaining that the certificate isn't valid, it's complaining
> that it isn't trusted. You also need to look at the signer and ensure
> that the system trusts it globally. Where did httpd.crt come from/what
> issuer?
>
> You might try running:
>
> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>
> See the default.conf(5) man page for a description of default.conf,
> server.conf, etc. In this case server is a context so the configuration
> only applies there.
>
> rob
>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <[email protected]>
>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>> *To:* Jeremy Tourville <[email protected]>
>> *Cc:* FreeIPA users list <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>>
>> Hi Jeremy,
>>
>> to enable debugging you can simply create /etc/ipa/server.conf if the file does not exist:
>> # cat /etc/ipa/server.conf
>> [global]
>> debug=True
>> # systemctl restart httpd
>>
>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can examine its content with
>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>> If the IPA deployment includes an embedded CA, the CA that issued the httpd cert is stored in /etc/ipa/ca.crt and can also be checked with the openssl command.
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville <[email protected]> wrote:
>>
>> I think I see the issue but I am unsure what to do to fix it. See below.
>>
>> To answer your question, yes I did accept the security exception.
>>
>> Also, I don't see a server.conf file at /etc/ipa so that I may enable debugging. What can you suggest for this issue?
>>
>> [root@utility ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-ods-exporter Service: STOPPED
>> ods-enforcerd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> [root@utility ~]# kinit admin
>> Password for [email protected]:
>>
>> [root@utility ~]# klist
>> Ticket cache: KCM:0:43616
>> Default principal: [email protected]
>>
>> Valid starting       Expires              Service principal
>> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/[email protected]
>>
>> [root@utility ~]# ipa config-show
>> ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <[email protected]>
>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>> *To:* FreeIPA users list <[email protected]>
>> *Cc:* Jeremy Tourville <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>>
>> Hi Jeremy,
>> Did you accept the security exception displayed by the browser (I'm trying to eliminate obvious issues)?
>> If nothing is displayed, can you check if the ipa command-line is working as expected (for instance do "kinit admin; ipa config-show")?
>> You may want to enable debug logs (add debug=True to the [global] section of /etc/ipa/server.conf and restart httpd service), retry WebUI authentication and check the generated logs in /var/log/http/error_log
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <[email protected]> wrote:
>>
>> OK,
>> Why don't I see anything on the initial login page?
>> All I see is the URL and the fact that the certificate is not trusted. The certificate is not expired yet. Not until Nov 2021.
>> The login page is mostly solid white with no login or password field.
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
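The thread ends on exactly the split Rob describes: `openssl verify -CAfile /etc/ipa/ca.crt` says the httpd certificate chains to the IPA CA, yet the Python client behind `ipa config-show` and `ipa-certupdate` still reports `CERTIFICATE_VERIFY_FAILED`, so the question is whether the system-wide trust store actually contains that CA. Below is an added example (not code from the thread, from FreeIPA, or from its authors) that answers that one question offline: it parses a PEM bundle, fingerprints every certificate in it, and reports whether each certificate in `/etc/ipa/ca.crt` is present. It also handles the OpenSSL `TRUSTED CERTIFICATE` blocks found in the `ca-bundle.trust.crt` files Jeremy listed, whose DER has trust settings appended after the certificate, so a naive fingerprint of the whole block would never match the plain CA. The file paths are the ones listed in the thread; the PEM blobs used for the self-test are constructed stand-ins (minimal DER SEQUENCEs, not real X.509), and nothing here replaces `openssl verify`, which is what checks signatures, names and validity periods.

```python
"""Is the IPA CA present in the system-wide trust bundles?

Added example for the FreeIPA thread above; not FreeIPA code.
Presence in a bundle is the condition Rob asks to confirm ("ensure that the
system trusts it globally"); it is necessary, not sufficient, for the client
to accept https://utility.idm.nac-issa.org/ipa/json.
"""
from __future__ import annotations

import base64
import hashlib
import re
from pathlib import Path

# Matches both "CERTIFICATE" and OpenSSL's "TRUSTED CERTIFICATE" blocks and
# ignores any commentary between blocks (ca-bundle files carry plenty).
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*CERTIFICATE)-----\s*(?P<b64>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Bundles from the `find / -name *.crt` listing in the thread.
SYSTEM_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/pki/tls/certs/ca-bundle.trust.crt",
    "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt",
)


def der_certificate(block: bytes) -> bytes:
    """Return the leading DER SEQUENCE of a decoded PEM block.

    A plain CERTIFICATE block is exactly one SEQUENCE. A TRUSTED CERTIFICATE
    block is that SEQUENCE followed by an X509 aux structure holding the trust
    settings; slicing to the first SEQUENCE makes the two fingerprint alike.
    """
    if not block or block[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = block[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(block) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr = 2 + n
        length = int.from_bytes(block[2:hdr], "big")
    end = hdr + length
    if end > len(block):
        raise ValueError("truncated DER")
    return block[:end]


def pem_blocks(text: str) -> list[bytes]:
    """DER bytes of every certificate in a PEM file or bundle."""
    ders = []
    for m in PEM_RE.finditer(text):
        raw = base64.b64decode("".join(m.group("b64").split()), validate=True)
        ders.append(der_certificate(raw))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, same value `openssl x509 -fingerprint -sha256` prints (without colons)."""
    return hashlib.sha256(der).hexdigest()


def missing_from_bundle(ca_pem: str, bundle_pem: str) -> list[str]:
    """Fingerprints of CA certs (ca.crt may hold a chain) absent from the bundle."""
    present = {fingerprint(d) for d in pem_blocks(bundle_pem)}
    return [fingerprint(d) for d in pem_blocks(ca_pem) if fingerprint(d) not in present]


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    return not missing_from_bundle(ca_pem, bundle_pem)


def check_system_trust(ca_path: str = "/etc/ipa/ca.crt",
                       bundles: tuple[str, ...] = SYSTEM_BUNDLES) -> dict[str, bool | None]:
    """Map each bundle path to True (CA present), False (absent) or None (file missing)."""
    ca_pem = Path(ca_path).read_text()
    out: dict[str, bool | None] = {}
    for b in bundles:
        p = Path(b)
        out[b] = ca_in_bundle(ca_pem, p.read_text()) if p.exists() else None
    return out


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed test data (assumption: stand-ins, not real certificates).
IPA_CA_DER = b"\x30\x06\x02\x01\x01\x02\x01\x14"   # SEQUENCE { INTEGER 1, INTEGER 20 }
OTHER_DER = b"\x30\x03\x02\x01\x07"                 # SEQUENCE { INTEGER 7 }
X509_AUX = b"\x30\x00"                              # empty trust-settings appendix
SAMPLE_CA_PEM = to_pem(IPA_CA_DER)
SAMPLE_BUNDLE_OK = ("# constructed bundle: one unrelated CA, then the IPA CA in trusted form\n"
                    + to_pem(OTHER_DER) + to_pem(IPA_CA_DER + X509_AUX, "TRUSTED CERTIFICATE"))
SAMPLE_BUNDLE_MISSING = to_pem(OTHER_DER)

if __name__ == "__main__":
    print("self-test, CA present:", ca_in_bundle(SAMPLE_CA_PEM, SAMPLE_BUNDLE_OK))
    print("self-test, CA absent: ", ca_in_bundle(SAMPLE_CA_PEM, SAMPLE_BUNDLE_MISSING))
    if Path("/etc/ipa/ca.crt").exists():
        for bundle, ok in check_system_trust().items():
            print(f"{bundle}: {'present' if ok else 'MISSING' if ok is False else 'no such file'}")
```

If the CA shows as MISSING in every bundle on a server where `openssl verify -CAfile /etc/ipa/ca.crt` already passes, the trust stores are out of sync in the way Rob suspects, and the fingerprint printed by `openssl x509 -noout -fingerprint -sha256 -in /etc/ipa/ca.crt` can be searched for directly in the extracted bundles to confirm it. A result of "present" only rules out this one cause; a hostname mismatch, an expired certificate or a client pointed at a different CA file would all still fail verification.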
