Justin Sanderson via FreeIPA-users wrote: > > Ok. So once again my IPA server is having cert issues. Everything seems > to be working except when I am in the web interface and goto > "Authentication" --> "Certificates" --> Click any of the certs in the list. > > > ---- I get this error from the browser.------ > > IPA ERROR 907: NetworkError > > cannot connect to > https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' : > SSL_HANDSHAKE_FAILURE > > > # getcert list |grep expires --> everything checks out ok. no expiry on > any of the certs > > > --- checked all the certs on there "Not Before" and "Not After" dates > for the following NSS db's > > certutil -L -d /etc/pki/pki-tomcat/alias > > certutil -L -d /etc/httpd/alias > > > > ---- In /var/log/httpd/error_log, I do see some errors: ---- > > Bad Remote Server Certificate -8181 > > SSL Library Error: -8181 Certificate has expired > > > I know it's an expired cert obviously from httpd errorlog but where is > the darn thing. I thought i checked all the places and looked ok but I'm > definitely missing something.... > > > could use some advice.
I'd simplify by trying on the command line: ipa cert-show 1 This will exercise the basic connectivity and will be less noisy than using the UI. I'd run the same command on all servers you have in case only one is affected. As for the TLS error in the httpd.log its hard to say without broader context. Is there an access log entry at the same time which may correlate? rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
