Giulio Casella via FreeIPA-users wrote:
> Hi,
> I'm having trouble after this morning's update: I had a setup (based on
> RHEL 9) with 3 IPA servers, with certificates generated by letsencrypt
> (https://github.com/freeipa/freeipa-letsencrypt).
> After updating I noticed the web UI was using a self-signed CA, so I ran
> setup-le.sh. The certificates were correctly regenerated, and the
> browser was happy.
> But when I try to log in it fails, and in the httpd error log I find:
>
> [Thu Jul 25 18:20:53.773180 2024] [wsgi:error] [pid 15636:tid 15924]
> [remote 10.10.10.10:38566] ipa: INFO: 401 Unauthorized:
> HTTPSConnectionPool(host='dc1.example.com', port=443): Max retries
> exceeded with url: /ipa/session/cookie (Caused by
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: unable to get local issuer certificate
> (_ssl.c:1129)')))
>
> Trying to rerun setup-le.sh now, the "ipa-certupdate" part fails with
> the same error:
>
> cannot connect to 'any of the configured servers':
> https://dc1.example.com/ipa/json, https://dc3.example.com/ipa/json,
> https://dc2.example.com/ipa/json
>
> It seems some old certificate (CA or server) is still inside IPA.
>
> Other services (NFS, ssh to IPA clients, ...) seem to work. I hope it's
> not only the sss cache!

See https://github.com/freeipa/freeipa-letsencrypt/issues/50

rob
