I'm getting closer... it's not recognizing my admin password for IPA, or for my personal account with admin rights now.. but no more SSL errors.. just can't run ipa-certupdate without the proper Kerberos creds..
On Thu, Apr 13, 2023 at 12:51 PM Justen Long <[email protected]> wrote:
> Following up, I see the date command just changed it momentarily... using
> timedatectl and will report back.
>
> On Thu, Apr 13, 2023 at 12:31 PM Justen Long <[email protected]> wrote:
>
>> Rob,
>>
>> I entered 'date --date="7 April 2023"', verified it updated the system
>> time appropriately. Restarted dirsrv, ipa-custodia, ipa-otpd, httpd..
>> krb5kdc and kadmin failed. Still, tried to send ipa cert-update, and it
>> popped the same SSL Certificate Verify Failed error.
>>
>> On Thu, Apr 13, 2023 at 11:32 AM Rob Crittenden <[email protected]> wrote:
>>
>>> Justen Long wrote:
>>>> Additionally, is there any way to force the CA cert update to be
>>>> recognized? When I run it to update the CA chain, everything is
>>>> verified.. but /etc/ipa/ca.crt didn't reflect the change.. so I manually
>>>> populated it by copying over the guts of the CA bundle to the
>>>> /etc/ipa/ca.crt before trying to install the new server cert and it
>>>> still doesn't recognize it as trusted although the issuer is the same
>>>> and within the CA bundle.
>>>
>>> This is going to sound weird, but I'd just go back in time to April 10,
>>> restart all services but ntp (which will reset the time) and then the
>>> commands should work. Once the certs are updated and working, return to
>>> present time.
>>>
>>> rob
>>>
>>>> On Thu, Apr 13, 2023 at 6:20 AM Justen Long <[email protected]> wrote:
>>>>
>>>>> Rob,
>>>>>
>>>>> Apologies for the delay in response. Once I'm home, I don't have
>>>>> access to the information readily available to respond with. Here is
>>>>> the information you requested:
>>>>>
>>>>> The version of IPA we are using is 4.6.8, rpm specifically for us is
>>>>> ipa-server-4.6.8-5.el7.centos.12.x86_64 and we are using CentOS 7.9
>>>>> currently with plans to move to RHEL9 within the next year or so.
>>>>>
>>>>> Unfortunately, 'ipa config-show' doesn't work. It populates the same
>>>>> error stating "ipa: ERROR: cannot connect to
>>>>> 'https://ipaServer/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED]
>>>>> certificate verify failed (_ssl.c:618)".
>>>
>>> The smack heard around the world was my head hitting my desk. Of course
>>> this command failed.
>>>
>>>>> We have ~50 hosts connected via IPA. We have two IPA servers, one as
>>>>> a replica of the other.
>>>>>
>>>>> 'getcert list' only shows 1 certificate. Its state is "MONITORING"
>>>>> and seems related to Kerberos.
>>>>>
>>>>> As far as I know, we don't use IPA CA-issued certificates. I recall
>>>>> seeing errors yesterday stating CA wasn't enabled on our servers. We
>>>>> have always used 3rd party CAs to my knowledge.
>>>>>
>>>>> -justen
>>>>>
>>>>> On Wed, Apr 12, 2023 at 2:42 PM Rob Crittenden <[email protected]> wrote:
>>>>>
>>>>>> Justen Long via FreeIPA-users wrote:
>>>>>>> Thanks in advance for your replies.. I've spent 7 hours
>>>>>>> looking through posts here and trying everything... I'm stuck.
>>>>>>>
>>>>>>> Background: I am a System Administrator in a closed,
>>>>>>> classified environment. Unfortunately, I cannot post logging
>>>>>>> here, but I can refer to them as needed.
>>>>>>>
>>>>>>> I inherited this system from someone who departed the program
>>>>>>> a year or so ago. Fast forward to today, the server certs
>>>>>>> expired yesterday. Admittedly, I'm unfamiliar (or was) with the
>>>>>>> certificate update process for IPA servers. On a typical server,
>>>>>>> we replace the old cert and restart the httpd services; however,
>>>>>>> I realize this cannot work with IPA servers now.
>>>>>>>
>>>>>>> Additionally to all of this, the CA chain updated 6 months ago.
>>>>>>>
>>>>>>> I ran ipa-cacert-manage to update the CA chain. When trying to
>>>>>>> run ipa-certupdate, I received errors for an invalid server
>>>>>>> certificate (it expired on 11 April 2023). It simply won't
>>>>>>> connect to the web server. HTTPD failed as well, so I had to add
>>>>>>> "NSSEnforceValidCerts off" to the nss.conf file for HTTPD to
>>>>>>> start. Still, no dice.
>>>>>>>
>>>>>>> I've run ipa-server-certinstall for the new cert/key as well,
>>>>>>> and it fails saying it's not trusted ("Peer's certificate issuer
>>>>>>> is not trusted [certutil: certificate is invalid: Peer's
>>>>>>> Certificate issuer is not recognized] Please run
>>>>>>> ipa-cacert-manage install and ipa-certupdate to install the CA
>>>>>>> certificate")... which, as reported above, can't complete.
>>>>>>>
>>>>>>> I'm at a total loss here... and really struggling being new to
>>>>>>> all this and trying my best to keep it afloat. Any help would be
>>>>>>> GREATLY appreciated!
>>>>>>
>>>>>> Let's gather some information first.
>>>>>>
>>>>>> What version of IPA is this, on what distribution?
>>>>>>
>>>>>> IPA designates one server to be the "renewal master" which handles the
>>>>>> renewals. The output of `ipa config-show` should tell you (depending on
>>>>>> version). That's the server you want to work on.
>>>>>>
>>>>>> How many servers in your topology and how many have a CA installed?
>>>>>>
>>>>>> Does `getcert list` show a set of 8-10 tracked certificates? What are
>>>>>> the states?
>>>>>>
>>>>>> You mention ipa-server-certinstall. Are you using 3rd party certificates
>>>>>> in addition to IPA CA-issued certificates or was that just an attempt to
>>>>>> get things working again?
>>>>>>
>>>>>> rob
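As an added example (not code from the thread or from FreeIPA), here is a stdlib-only Python check that reproduces the two failures the thread runs into: a server certificate whose validity window the system clock has left, which is what the April-10 clock rollback works around, and an issuer that does not appear in the CA bundle, which is what certutil's "issuer is not recognized" means. It assumes you feed it the PEM text of the server certificate and of /etc/ipa/ca.crt; the sample certificates, CN names and the ipaServer name are constructed for the demonstration.

```python
"""Added example, not code from the thread or from FreeIPA: the two checks behind its
errors, an expired server certificate and a server-cert issuer missing from the CA bundle.
Stdlib only; a minimal DER walker, not a full X.509 parser (extensions, key identifiers and signatures are ignored)."""
import ssl
from datetime import datetime, timezone

def _children(buf):
    """Split a DER byte string into its (tag, value) elements (minimal TLV walker)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                  # long-form length
            k, pos = n & 0x7F, pos + (n & 0x7F)
            n = int.from_bytes(buf[pos - k:pos], "big")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out
def _time(tag, val):                                  # UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)
def cert_fields(pem):
    """Return (issuer_der, subject_der, not_before, not_after) of one PEM certificate."""
    tbs = _children(_children(_children(ssl.PEM_cert_to_DER_cert(pem))[0][1])[0][1])
    if tbs[0][0] == 0xA0:                             # skip the optional [0] version
        tbs = tbs[1:]
    not_before, not_after = [_time(t, v) for t, v in _children(tbs[3][1])]
    return tbs[2][1], tbs[4][1], not_before, not_after   # issuer, subject, validity
def check_server_cert(server_pem, bundle_pem, now_iso=None):
    """List problems: 'expired' / 'not yet valid' and 'issuer not in bundle'."""
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    issuer, _, not_before, not_after = cert_fields(server_pem)
    problems = []
    if not not_before <= now <= not_after:            # what the April-10 clock rollback works around
        problems.append("expired" if now > not_after else "not yet valid")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    ca_subjects = [cert_fields(begin + c.split(end)[0] + end)[1] for c in bundle_pem.split(begin)[1:]]
    if issuer not in ca_subjects:                     # certutil's "issuer is not recognized"
        problems.append("issuer not in bundle")
    return problems
def _der(tag, body):                                  # tiny DER encoder for the constructed samples
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x82, len(body) >> 8, len(body) & 0xFF])) + body
def sample_cert(subject_cn, issuer_cn, not_before, not_after):
    """Constructed test input: an unsigned DER shell with only CN names and UTCTime validity."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn) + validity + name(subject_cn))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")))

SAMPLE_CA = sample_cert("Example Root CA", "Example Root CA", "200101000000Z", "300101000000Z")
SAMPLE_SERVER = sample_cert("ipaServer", "Example Root CA", "220411000000Z", "230411235959Z")  # expired 11 Apr 2023
```

Run `check_server_cert(open("server.crt").read(), open("/etc/ipa/ca.crt").read())` on the real files; an empty list means neither of the thread's two errors applies to the clock and bundle as they stand.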
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
