Hello all,

I've tried to look over the list for the problem I have, but it seems I can't find anything related. We are using FreeIPA 4.11 on Alma9 with Let's Encrypt certificates. Until now I didn't have issues renewing certificates (using https://github.com/freeipa/freeipa-letsencrypt for renewing certificates), but since last night's renewal I can't log in to the webui and can't enroll any new resources. The error I got from the webui is the standard "Login failed due to an unknown reason" and there are no errors in pki-tomcat. In Apache's error logs the following error is produced:

[Wed Jun 12 13:58:11.298021 2024] [wsgi:error] [pid 211427:tid 211669] [remote 91.239.13.253:34362] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='login.example.net', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

Trying to reach some of the certificates with curl https://login.example.net:443/ca/rest/certs/1 returns the error "unable to get local issuer certificate". However, reaching the IPA webui using Chrome doesn't return an error "ERROR_UNKNOWN_ISSUER", but Firefox reports that the certificate is unknown.

I know this is a trivial problem, but since I'm using Let's Encrypt I'm a bit worried, since this is the first time I'm having issues with certificates. The same problem is present on our replica.

Any help would be much appreciated.
