Hi, I'm having trouble with certificate renewal for a web server:
[admin@somehost ~]$ sudo ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20200102214804':
status: CA_UNREACHABLE
ca-error: Server at https://ipaserver.somedomain.local/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
stuck: no
key pair storage: type=FILE,location='/etc/ssl/certs/server.key'
certificate: type=FILE,location='/etc/ssl/certs/server.crt'
CA: IPA
issuer: CN=Certificate Authority,O=SOMEDOMAIN.LOCAL
subject: CN=somehost.somedomain.local,O=SOMEDOMAIN.LOCAL
expires: 2022-01-02 21:48:05 UTC
dns: somehost.somedomain.local
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
With the help of the blog post at
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
I found this in the Apache logs of ipaserver:
access_log:
192.168.0.47 - - [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 401 2719
192.168.0.122 - - [09/Jan/2022:21:07:59 +0100] "GET /ca/rest/account/login HTTP/1.1" 403 631
192.168.0.47 - host/[email protected] [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 200 312
error_log:
[Sun Jan 09 21:07:59.507131 2022] [ssl:error] [pid 3442:tid 140654399186688]
[client 192.168.0.122:60104] AH: verify client post handshake
[Sun Jan 09 21:07:59.511918 2022] [wsgi:error] [pid 3437:tid 140654497466112] [remote 192.168.0.47:57158] ipa: INFO: [xmlserver] host/[email protected]: cert_request('...', principal='HTTP/[email protected]', add=True, version='2.51'): RemoteRetrieveError
What is the problem here or how can I find out?
I ran `ipa-certupdate` on both hosts but it didn't help.
Thanks for any support,
Johannes
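Added example (not part of Johannes's post, and not FreeIPA or certmonger code): a small Python triage script that parses the text `ipa-getcert list` prints, in the shape quoted above, and reports every tracked request that is not in MONITORING state, is marked stuck, or whose certificate is already expired or close to expiry. The sample output embedded in the script is constructed to mirror the post (the second, healthy request and the NSSDB paths are invented for contrast); the field names are the ones certmonger prints, and the expiry date format is assumed to always be "YYYY-MM-DD HH:MM:SS UTC".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `ipa-getcert list` output in the post.
# Request 1 mirrors the failing web-server certificate; request 2 is an
# invented healthy entry so the triage has something to pass over.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20200102214804':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipaserver.somedomain.local/ipa/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/ssl/certs/server.key'
\tcertificate: type=FILE,location='/etc/ssl/certs/server.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=SOMEDOMAIN.LOCAL
\tsubject: CN=somehost.somedomain.local,O=SOMEDOMAIN.LOCAL
\texpires: 2022-01-02 21:48:05 UTC
\tdns: somehost.somedomain.local
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20210601120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert'
\tCA: IPA
\tsubject: CN=somehost.somedomain.local,O=SOMEDOMAIN.LOCAL
\texpires: 2023-06-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# "Now" fixed to the timestamp of the Apache log lines in the post, so the
# expiry arithmetic below is reproducible instead of depending on the clock.
SAMPLE_NOW = datetime(2022, 1, 9, 21, 7, 59, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Keys are the field names certmonger prints (status, ca-error, expires, ...);
    the request id is stored under 'request_id'. Empty fields such as
    'pre-save command:' are kept with an empty string value.
    """
    requests = []
    current = None
    for raw in text.splitlines():
        header = REQUEST_RE.match(raw)
        if header:
            current = {"request_id": header.group("id")}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or not line or ":" not in line:
            continue  # preamble line such as "Number of certificates ..."
        key, _, value = line.partition(":")  # split on the FIRST colon only
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2022-01-02 21:48:05 UTC' (assumed)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_days=30):
    """Return a list of (request_id, severity, message) findings.

    Anything other than MONITORING means certmonger is not simply waiting
    for the next renewal window; a ca-error, when present, is attached so
    the operator sees the server-side reason without re-running getcert.
    """
    findings = []
    for req in requests:
        rid = req["request_id"]
        status = req.get("status", "")
        if status != "MONITORING":
            msg = f"status {status}"
            if req.get("ca-error"):
                msg += f": {req['ca-error']}"
            findings.append((rid, "ERROR", msg))
        if req.get("stuck") == "yes":
            findings.append((rid, "ERROR", "certmonger reports the request as stuck"))
        if req.get("expires"):
            expires_at = parse_expiry(req["expires"])
            if expires_at <= now:
                overdue = now - expires_at
                findings.append((rid, "ERROR", f"certificate expired {overdue.days} day(s) ago"))
            elif expires_at - now <= timedelta(days=warn_days):
                left = expires_at - now
                findings.append((rid, "WARN", f"certificate expires in {left.days} day(s)"))
    return findings


def report(text=SAMPLE_GETCERT_OUTPUT, now=SAMPLE_NOW):
    """Parse and triage in one call; returns the findings it also prints."""
    findings = triage(parse_getcert_list(text), now)
    for rid, severity, message in findings:
        print(f"{severity} request {rid}: {message}")
    return findings


if __name__ == "__main__":
    report()
```

Run on a real host with `sudo getcert list | python3 triage.py` after swapping the sample text for `sys.stdin.read()` and `SAMPLE_NOW` for `datetime.now(timezone.utc)`; the script only reads certmonger's output and never touches the tracked keys or certificates.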
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure