Johannes Beichter via FreeIPA-users wrote:
> Hi, I'm having trouble with certificate renewal for a web server:
>
> [admin@somehost ~]$ sudo ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20200102214804':
> status: CA_UNREACHABLE
> ca-error: Server at https://ipaserver.somedomain.local/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
> stuck: no
> key pair storage: type=FILE,location='/etc/ssl/certs/server.key'
> certificate: type=FILE,location='/etc/ssl/certs/server.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=SOMEDOMAIN.LOCAL
> subject: CN=somehost.somedomain.local,O=SOMEDOMAIN.LOCAL
> expires: 2022-01-02 21:48:05 UTC
> dns: somehost.somedomain.local
> principal name: HTTP/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> With the help of the blog post at
> https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
> I found this in the Apache logs of ipaserver:
>
> access_log:
> 192.168.0.47 - - [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 401 2719
> 192.168.0.122 - - [09/Jan/2022:21:07:59 +0100] "GET /ca/rest/account/login HTTP/1.1" 403 631
> 192.168.0.47 - host/[email protected] [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 200 312
>
> error_log:
> [Sun Jan 09 21:07:59.507131 2022] [ssl:error] [pid 3442:tid 140654399186688] [client 192.168.0.122:60104] AH: verify client post handshake
> [Sun Jan 09 21:07:59.511918 2022] [wsgi:error] [pid 3437:tid 140654497466112] [remote 192.168.0.47:57158] ipa: INFO: [xmlserver] host/[email protected]: cert_request('...', principal='HTTP/[email protected]', add=True, version='2.51'): RemoteRetrieveError
>
> What is the problem here or how can I find out?
>
> I ran `ipa-certupdate` on both hosts but it didn't help.
Can you tell us what version you're running on what distro? Do any cert operations work? e.g. ipa cert-show 1. Are all the certs on the CA server valid?

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
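As an added example (not part of the thread), a small Python triage script that correlates the two access_log patterns Johannes quoted: the Kerberos-authenticated POST /ipa/xml answered with 200 and, within the same couple of seconds, the GET /ca/rest/account/login that the CA answers with 403. The sample log lines and the principal in them are constructed to resemble the thread's, not copied from the poster's server.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the access_log lines quoted in the thread;
# the Kerberos principal on the third line is a placeholder, not the poster's.
SAMPLE_ACCESS_LOG = """\
192.168.0.47 - - [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 401 2719
192.168.0.122 - - [09/Jan/2022:21:07:59 +0100] "GET /ca/rest/account/login HTTP/1.1" 403 631
192.168.0.47 - host/client.example.test@EXAMPLE.TEST [09/Jan/2022:21:07:59 +0100] "POST /ipa/xml HTTP/1.1" 200 312
"""

# Apache common log format: client, ident, authenticated user, [timestamp], request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_access_log(text):
    """Parse common-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

def find_ca_auth_failures(text, window=timedelta(seconds=2)):
    """Pair each authenticated IPA RPC call with a rejected CA REST login near it.
    A hit matches certmonger's 'Failed to authenticate to CA REST API': the IPA
    framework accepted the client but was itself refused by the CA, so (as Rob
    asks) the certificates on the CA server are the next thing to check."""
    entries = parse_access_log(text)
    ca_failures = [e for e in entries
                   if e["path"] == "/ca/rest/account/login" and e["status"] in (401, 403)]
    findings = []
    for req in entries:
        if req["path"] not in ("/ipa/xml", "/ipa/json") or req["status"] != 200:
            continue
        for fail in ca_failures:
            if abs(fail["ts"] - req["ts"]) <= window:
                findings.append({"when": req["ts"].isoformat(), "ipa_client": req["ip"],
                                 "principal": req["user"], "ca_login_from": fail["ip"],
                                 "ca_login_status": fail["status"]})
    return findings

if __name__ == "__main__":
    for finding in find_ca_auth_failures(SAMPLE_ACCESS_LOG):
        print(finding)
```

Run it against the real access_log of the IPA server; an empty result while certmonger still reports CA_UNREACHABLE means the failure is not at the CA REST login step.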
