Thank you Rob, I was already tweaking with new letsencrypt certificates, but to make it work I had to manually add two of them (r10 and r11) to /etc/ipa/ca.crt (simply paste, then restart httpd). I did this trick only on the first server; on the other two a simple setup-le.sh (newer patched version, including latest certs) did the magic.

Back on business!

Thank you again.

On 25/07/2024 21:12, Rob Crittenden via FreeIPA-users wrote:
Giulio Casella via FreeIPA-users wrote:
Hi,
I'm having trouble after this morning's update: I had a setup (based on
RHEL 9) with 3 IPA servers, with certificates generated by letsencrypt
(https://github.com/freeipa/freeipa-letsencrypt).
After updating I noticed the web UI was using the self-signed CA, so I ran
setup-le.sh. The certificates were correctly regenerated, and the
browser was happy.
But when I try to login it fails, and in httpd error log I find:

[Thu Jul 25 18:20:53.773180 2024] [wsgi:error] [pid 15636:tid 15924]
[remote 10.10.10.10:38566] ipa: INFO: 401 Unauthorized:
HTTPSConnectionPool(host='dc1.example.com', port=443): Max retries
exceeded with url: /ipa/session/cookie (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1129)')))

Trying to rerun setup-le.sh now, the "ipa-certupdate" part fails with the
same error:

cannot connect to 'any of the configured servers':
https://dc1.example.com/ipa/json, https://dc3.example.com/ipa/json,
https://dc2.example.com/ipa/json

It seems some old certificate (ca or server) is still inside IPA.

Other services (NFS, ssh to ipa clients, ...) seem to work. I hope it's
not only the sss cache!

See https://github.com/freeipa/freeipa-letsencrypt/issues/50

rob


--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
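An added example (not from this thread or from the freeipa-letsencrypt project) of the check behind the fix described above: compare the chain a server serves against a CA bundle such as /etc/ipa/ca.crt by DER fingerprint, report which issuer certificates the bundle lacks, and append only those (never the leaf). Function names are assumed; the PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Re-encode DER as a canonical LF-terminated PEM block (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_blocks(text):
    """[(canonical_pem, sha256_of_der)] for each CERTIFICATE block in text.
    Fingerprinting the decoded DER means two copies of one certificate match
    even if the base64 was re-wrapped or the file uses CRLF line endings."""
    out = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        out.append((to_pem(der), hashlib.sha256(der).hexdigest()))
    return out

def missing_from_bundle(chain_pem, bundle_pem, skip_leaf=True):
    """Chain certificates whose DER is absent from the bundle.
    A fullchain.pem starts with the server (leaf) certificate, which must never
    be appended to a CA bundle, so it is skipped unless explicitly requested."""
    have = {fp for _, fp in pem_blocks(bundle_pem)}
    chain = pem_blocks(chain_pem)
    if skip_leaf:
        chain = chain[1:]
    return [(pem, fp) for pem, fp in chain if fp not in have]

def merge_bundle(bundle_pem, chain_pem):
    """Append only the issuers the bundle lacks; a second run changes nothing."""
    extra = missing_from_bundle(chain_pem, bundle_pem)
    if not extra:
        return bundle_pem
    return bundle_pem.rstrip("\n") + "\n" + "".join(pem for pem, _ in extra)

def fake_cert(label, eol="\n"):
    """Constructed placeholder PEM (distinct bytes per label, not real X.509)."""
    return to_pem(f"constructed-cert:{label}".encode() * 4).replace("\n", eol)

# Constructed inputs: the bundle holds the IPA CA and the LE root but not R11;
# the served chain is leaf, R11 intermediate, root (root written with CRLF).
BUNDLE = fake_cert("IPA internal CA") + fake_cert("ISRG Root X1")
CHAIN = (fake_cert("dc1.example.com leaf") + fake_cert("R11")
         + fake_cert("ISRG Root X1", "\r\n"))
```

Running `missing_from_bundle(CHAIN, BUNDLE)` on these inputs reports only the R11 block, and `merge_bundle` appends exactly that one, so the same check can be rerun safely after each renewal.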
