On Wed, 12 Jun 2024, Yavor Marinov wrote:
Hey Alex,
Thanks for your reply. I've downloaded the new Let's Encrypt certs and installed
them with ipa-cacert-manage install, but I can't update with ipa-certupdate as
it gives:
Connection to https://login.example.net/ipa/json failed with [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1129)
Again, any idea how to proceed further with this will be appreciated.
Look at /etc/httpd/conf.d/ssl.conf; it should have a line like
SSLCACertificateFile /etc/ipa/ca.crt
inside the default vhost.
That is the file that will be eventually updated by the ipa-certupdate.
What you could do is to add your new Let's Encrypt chain to this file,
restart httpd, and try again.
Please make sure to back up the file first so that you can get back to it
if needed.
On Wed, Jun 12, 2024 at 12:07 PM Alexander Bokovoy <[email protected]>
wrote:
On Wed, 12 Jun 2024, Yavor Marinov via FreeIPA-users wrote:
>Hello all,
>
>I've tried to look over the list for the problem I have, but it seems I
>can't find anything related. We are using FreeIPA 4.11 on Alma9 with
>Let's Encrypt certificates. Until now I didn't have issues renewing
>certificates (using https://github.com/freeipa/freeipa-letsencrypt for
>renewing certificates), but since last night's renewal I can't log in to
>the web UI and can't enroll any new resources. The error I get from the
>web UI is the standard "Login failed due to an unknown reason" and there are no
>errors in pki-tomcat. In Apache's error log the following error is
>produced:
>
>[Wed Jun 12 13:58:11.298021 2024] [wsgi:error] [pid 211427:tid 211669]
>[remote 91.239.13.253:34362] ipa: INFO: 401 Unauthorized:
>HTTPSConnectionPool(host='login.example.net', port=443): Max retries
>exceeded with url: /ipa/session/cookie (Caused by
>SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
>certificate verify failed: unable to get local issuer certificate
>(_ssl.c:1129)')))
>
>Trying with curl to reach some of the certificates with
>
>curl https://login.example.net:443/ca/rest/certs/1
>
>returns the error "unable to get local issuer certificate". However, reaching
>the IPA web UI using Chrome doesn't return the error "ERROR_UNKNOWN_ISSUER",
>but Firefox reports that the certificate is unknown.
This is not about the IPA CA; this is about the IPA web server not knowing
about the new Let's Encrypt CA chain, which changed recently.
See https://github.com/freeipa/freeipa-letsencrypt/pull/49.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
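The workaround in the reply above (back up /etc/ipa/ca.crt, append the new chain, restart httpd, retry ipa-certupdate) is easy to get wrong when the bundle already holds part of the chain, and the failure itself can be reproduced before touching a production file. The script below is an added example, not code from this thread or from the freeipa-letsencrypt project: it builds a throwaway PKI (a root, an "old" and a "new" intermediate, and a leaf for login.example.net issued by the new one), shows openssl verify producing the same "unable to get local issuer certificate" error against a bundle that predates the chain change, then appends only the certificates the bundle is missing (after a timestamped backup) and shows the verification succeed. Everything except the role of the ca.crt bundle is constructed for the demo; it needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example; not code from the thread or from freeipa-letsencrypt.
# Reproduces the client-side failure from the thread against a trust bundle
# and applies the described workaround: back up the bundle, append the
# issuer's new chain, verify again.  The throwaway PKI, file names and the
# "old"/"new" intermediate names are constructed for the demo; BUNDLE plays
# the role of /etc/ipa/ca.crt from the thread.
set -eu

# Does LEAF build a chain to a trust anchor using only the certs in BUNDLE?
# This is the same decision python-requests/curl make with CAfile=/etc/ipa/ca.crt.
chain_verifies() {  # chain_verifies BUNDLE LEAF -> exit 0 if it verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but print OpenSSL's reason text (e.g. error 20,
# "unable to get local issuer certificate") instead of only an exit status.
verify_reason() {  # verify_reason BUNDLE LEAF
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# Split a PEM bundle into OUTDIR/cert-N.pem, one certificate per file.
split_pem() {  # split_pem BUNDLE OUTDIR
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert-" n ".pem"} f{print > f}' "$1"
}

cert_fingerprint() {  # cert_fingerprint CERT -> SHA-256 fingerprint
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Append every certificate in CHAIN that BUNDLE does not already hold, after
# writing a timestamped backup of BUNDLE.  Prints the number of certs added,
# so a second run on the same inputs prints 0 and changes nothing.
append_chain() {  # append_chain BUNDLE CHAIN
    bundle=$1 chain=$2
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp -d)
    mkdir "$tmp/have" "$tmp/new"
    split_pem "$bundle" "$tmp/have"
    split_pem "$chain" "$tmp/new"
    : > "$tmp/have.fps"
    for h in "$tmp"/have/*.pem; do
        if [ -f "$h" ]; then cert_fingerprint "$h" >> "$tmp/have.fps"; fi
    done
    added=0
    for c in "$tmp"/new/*.pem; do
        [ -f "$c" ] || continue
        fp=$(cert_fingerprint "$c")
        if grep -qsF "$fp" "$tmp/have.fps"; then continue; fi
        [ -z "$(tail -c1 "$bundle")" ] || printf '\n' >> "$bundle"   # keep PEM blocks on their own lines
        cat "$c" >> "$bundle"
        echo "$fp" >> "$tmp/have.fps"
        added=$((added + 1))
    done
    rm -rf "$tmp"
    echo "$added"
}

# Build a throwaway PKI in DIR: one root, an OLD and a NEW intermediate (both
# issued by the root) and a leaf for login.example.net issued by NEW.  The
# bundle DIR/ca.crt holds only root+OLD, i.e. a trust file that predates the
# issuer's chain change.  Exits 0 when the before/after behaviour matches the
# thread: verification fails, the fix is applied, verification passes.
demo() {  # demo DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Demo Root" -days 30 >/dev/null 2>&1
    for ca in old new; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$ca.key" -out "$d/$ca.csr" \
            -subj "/CN=Demo Intermediate $ca" >/dev/null 2>&1
        openssl x509 -req -in "$d/$ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
            -extfile "$d/ca.ext" -out "$d/$ca.crt" -days 30 >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=login.example.net" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/new.crt" -CAkey "$d/new.key" -CAcreateserial \
        -out "$d/leaf.crt" -days 30 >/dev/null 2>&1
    cat "$d/old.crt" "$d/root.crt" > "$d/ca.crt"      # stale trust bundle
    cat "$d/new.crt" "$d/root.crt" > "$d/chain.pem"   # chain the issuer publishes now
    verify_reason "$d/ca.crt" "$d/leaf.crt" > "$d/before.txt"
    if chain_verifies "$d/ca.crt" "$d/leaf.crt"; then return 1; fi   # must fail before the fix
    n=$(append_chain "$d/ca.crt" "$d/chain.pem")
    [ "$n" -eq 1 ] || return 1   # root was already present; only NEW gets added
    chain_verifies "$d/ca.crt" "$d/leaf.crt"
}

# Stand-alone run: print the before/after verdicts and leave DIR for inspection.
workdir=$(mktemp -d)
if demo "$workdir"; then
    echo "before: $(grep error "$workdir/before.txt" | head -n 1)"
    echo "after:  leaf verifies against $workdir/ca.crt"
else
    echo "demo did not behave as expected; inspect $workdir" >&2
fi
```

Against a real server, openssl verify -CAfile /etc/ipa/ca.crt server.pem, with server.pem taken from openssl s_client -connect login.example.net:443 -showcerts, asks the same question the Python client behind the 401 log line is asking, so it confirms the diagnosis before the file is edited. The script stops at the file edit; the thread's next steps are the httpd restart (systemctl restart httpd on Alma9) and the ipa-certupdate retry, and once ipa-certupdate can connect again it is the tool that should rewrite /etc/ipa/ca.crt rather than the hand-edited copy being kept.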
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]