Rob,

Apologies for the delay in response. Once I'm home, I don't have access to the information readily available to respond with. Here is the information you requested:

The version of IPA we are using is 4.6.8; the rpm specifically for us is ipa-server-4.6.8-5.el7.centos.12.x86_64, and we are using CentOS 7.9 currently with plans to move to RHEL9 within the next year or so. Unfortunately, 'ipa config-show' doesn't work. It populates the same error stating "ipa: ERROR: cannot connect to 'https://ipaServer/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)". We have ~50 hosts connected via IPA. We have two IPA servers, one as a replica of the other. 'getcert list' only shows 1 certificate. Its state is "MONITORING" and seems related to kerberos. As far as I know, we don't use IPA CA-issued certificates. I recall seeing errors yesterday stating CA wasn't enabled on our servers. We have always used 3rd party CAs to my knowledge.

-justen

On Wed, Apr 12, 2023 at 2:42 PM Rob Crittenden <[email protected]> wrote:
> Justen Long via FreeIPA-users wrote:
> > Thanks in advance for your replies.. I've spent 7 hours looking through posts here and trying everything... I'm stuck.
> >
> > Background: I am a System Administrator in a closed, classified environment. Unfortunately, I cannot post logging here, but I can refer to them as needed.
> >
> > I inherited this system from someone who departed the program a year or so ago. Fast forward to today, the server certs expired yesterday. Admittedly, I'm unfamiliar (or was) with the certificate update process for IPA servers. On a typical server, we replace the old cert and restart the httpd services; however, I realize this cannot work with IPA servers now.
> >
> > Additionally to all of this, the CA chain updated 6 months ago.
> >
> > I ran ipa-cacert-manage to update the CA chain. When trying to run ipa-certupdate, I received errors for an invalid server certificate (it expired on 11 April 2023). It simply won't connect to the web server. HTTPD failed as well, so I had to add "NSSEnforceValidCerts off" to the nss.conf file for HTTPD to start. Still, no dice.
> >
> > I've run ipa-server-certinstall for the new cert/key as well, and it fails saying it's not trusted ("Peer's certificate issuer is not trusted [certutil: certificate is invalid: Peer's Certificate issuer is not recognized] Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate...."), which, as reported above, can't complete.
> >
> > I'm at a total loss here... and really struggling being new to all this and trying my best to keep it afloat. Any help would be GREATLY appreciated!
>
> Let's gather some information first.
>
> What version of IPA is this, on what distribution?
>
> IPA designates one server to be the "renewal master" which handles the renewals. The output of `ipa config-show` should tell you (depending on version). That's the server you want to work on.
>
> How many servers in your topology and how many have a CA installed?
>
> Does `getcert list` show a set of 8-10 tracked certificates? What are the states?
>
> You mention ipa-server-certinstall. Are you using 3rd party certificates in addition to IPA CA-issued certificates or was that just an attempt to get things working again?
>
> rob
>
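Rob's questions about `getcert list` states and tracked-certificate counts, and the server certificate that expired unnoticed and started this thread, are worth checking mechanically rather than on expiry day. The script below is an added example written for this page, not code from FreeIPA or certmonger: it parses `getcert list` text into records and flags certificates that are expired, expiring within a warning window, stuck, or in any state other than MONITORING, and it warns when fewer certificates are tracked than expected. The record layout (a `Request ID` header followed by indented `key: value` lines with `expires: YYYY-MM-DD HH:MM:SS UTC`) is assumed from certmonger's output format; the sample output, hostnames and dates are constructed for the example.

```python
"""Audit `getcert list` output for expired, expiring, stuck or non-MONITORING
certificates. Added example for this thread, not FreeIPA or certmonger code.
Record layout assumed from certmonger's text format; sample data constructed."""

import re
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample resembling `getcert list` on an IPA server whose HTTP
# certificate has already expired and whose LDAP renewal is stuck.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20200413101010':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2023-04-11 14:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20200413101011':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2023-05-20 09:30:00 UTC
    track: yes
    auto-renew: yes
Request ID '20200413101012':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2024-11-30 18:00:00 UTC
    track: yes
    auto-renew: yes
"""

# Constructed evaluation time: the day this thread was written.
THREAD_DATE = datetime(2023, 4, 12, 19, 0, tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    status: str
    stuck: bool
    subject: str
    location: str
    expires: Optional[datetime]


def _parse_expiry(value: str) -> Optional[datetime]:
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; None if unparseable."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_getcert_list(text: str) -> List[TrackedCert]:
    """Split the output into one record per 'Request ID' block (tabs or spaces)."""
    records = []
    current = None
    for line in text.splitlines():
        header = re.match(r"^Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            records.append(current)
            continue
        field = re.match(r"^\s+([^:]+):\s*(.*)$", line)  # key has no colon
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return [
        TrackedCert(
            request_id=r["request_id"],
            status=r.get("status", "UNKNOWN"),
            stuck=r.get("stuck", "no").lower() == "yes",
            subject=r.get("subject", ""),
            location=r.get("certificate", ""),
            expires=_parse_expiry(r.get("expires", "")),
        )
        for r in records
    ]


def audit(text: str, now: datetime, warn_days: int = 30, expected_min_tracked: int = 1) -> List[str]:
    """Return human-readable findings; an empty list means nothing needs attention."""
    certs = parse_getcert_list(text)
    findings = []
    count = re.search(r"being tracked: (\d+)", text)
    tracked = int(count.group(1)) if count else len(certs)
    if tracked < expected_min_tracked:  # e.g. a CA server normally tracks 8-10
        findings.append(f"only {tracked} tracked certificate(s); expected at least {expected_min_tracked}")
    for c in certs:
        where = c.location or c.request_id
        if c.status != "MONITORING":
            findings.append(f"{where}: status {c.status} (not MONITORING)")
        if c.stuck:
            findings.append(f"{where}: request is stuck")
        if c.expires is None:
            findings.append(f"{where}: no parseable expiry")
        elif c.expires <= now:
            findings.append(f"{where}: EXPIRED {(now - c.expires).days} day(s) ago")
        elif c.expires - now <= timedelta(days=warn_days):
            findings.append(f"{where}: expires in {(c.expires - now).days} day(s)")
    return findings


if __name__ == "__main__":
    # Pipe real output in with `getcert list | python3 this_script.py`; falls back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else THREAD_DATE
    for line in audit(data, now, expected_min_tracked=8) or ["OK: all tracked certificates healthy"]:
        print(line)
```

Run it from cron on each IPA server (on the renewal master in particular) and alert on any non-empty output; a warning window of 30 days leaves time to sort out CA trust problems like the `CERTIFICATE_VERIFY_FAILED` error above before anything expires.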
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
