tipex tipex via FreeIPA-users wrote:
> Some other information that might be helpful...
>
> Running sudo ipa cert-show 1 on both machines returns the cert info in the
> command line.
>
> But running sudo ipa-acme-manage pruning --config-show on both machines fails
> with:
> Failed to authenticate to CA REST API
> The ipa-acme-manage command failed.
>
> In the web UI on the Authentication > Certificates page I could see some
> certs that looked old (they contained old hostnames from years back). I
> thought this might be related to the errors so I manually revoked them. It got
> me thinking about how to remove old certs automatically which led me to this
> page
> (https://freeipa.readthedocs.io/en/latest/designs/expired_certificate_pruning.html)
> which is where I found the ipa-acme-manage pruning --config-show command.
>
Several others have posted similar issues recently so I'll cut and paste bits and pieces from them.

I suspect that you're hitting bz2350322, https://bugzilla.redhat.com/show_bug.cgi?id=2350322

If you follow the steps from comment 3 it should allow PKI endpoints to be accessible. Two things are needed:

- link to the rewrite file
- <valve> in tomcat configuration file

Then you can run ipactl start which should run the upgrade again.

The root cause is that your CA isn't fully functional and may explain some of the healthcheck output.

rob