Klaus Vink Slott via FreeIPA-users wrote:
> On 01/05/2019 at 21.48, Rob Crittenden via FreeIPA-users wrote:
>> Klaus Vink Slott via FreeIPA-users wrote:
>>> I have had a small FreeIPA setup running for some time, but today I was
>>> unable to log in at the web GUI on the master. It was possible to log in at
>>> the replica, but if I try to delete a host I get:
>>>
>>> cannot connect to
>>> 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647':
>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
>>>
>>> Indeed, if I run getcert list -c IPA on the master, one certificate is
>>> expired:
>>> Request ID '20190302094604':
>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>   certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>   CA: IPA
>>>   issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
>>>   subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
>>>   expires: 2019-04-22 15:33:08 CEST
>>>   dns: ipa.int.vink-slott.dk
>>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>   pre-save command:
>>>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>   track: yes
>>>   auto-renew: yes
>>>
>>> All other certificates are valid and in status MONITORING.
>>>
>>> I tried different measures based on Google searches and old entries on this
>>> list, but all I have accomplished is to change the state to:
>>> Request ID '20190302094604':
>>>   status: NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
>>>
>>> At this state I am not sure that I added the correct pin, and I do not know
>>> why this is suddenly a problem.
>>
>> It depends very much on what version of IPA you are running, perhaps the
>> distro, and what you did to get the tracking into this state.
>>
>
> It is freeipa-server-4.7.2-1.1.fc28.x86_64 on a fully patched Fedora 28.
>
> What I tried so far (rebuilt from memory and bash history):
>
> # ipa-getcert resubmit -i 20190302094604
> - result:
>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN -> NEED_KEYINFO_READ_PIN
>
> Then I followed https://access.redhat.com/solutions/3939431
> - no change
>
> Then I located the pin in /etc/pki/pki-tomcat/password.conf and
> /etc/httpd/conf/password.conf and tried to add these like this:
> # getcert start-tracking -i 20190302094604 -P \
> #   [long-number from internal=]
> # ipa-getcert resubmit -i 20190302094604
> - result: key pair storage now has " ,pin set"
>
> # getcert start-tracking -i 20190302094604 -P \
> #   [hexstring from internal:]
> - result: key pair storage now has " ,pin set"
>
Those are the wrong passwords. The Apache password file should be
/var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA based on the output you
provided.

I'd suggest stopping tracking and starting over using:

# ipa-getcert stop-tracking -f /var/lib/ipa/certs/httpd.crt
# ipa-getcert start-tracking -f /var/lib/ipa/certs/httpd.crt \
    -k /var/lib/ipa/private/httpd.key \
    -p /var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA \
    -C /usr/libexec/ipa/certmonger/restart_httpd

Then you'll need to go back in time to renew the certificate.

rob
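As an added example (not code from the thread or from FreeIPA), a small shell helper that parses `getcert list` output for requests that are stuck or not in MONITORING state, and derives the Apache PIN file path that Rob points at. The sample output is constructed from the thread (the second request is made up), and the /var/lib/ipa/passwds/<fqdn>-443-RSA naming is generalised from the single path given above.

```shell
#!/bin/sh
# Added example, not from the thread: parse `getcert list` output, flag requests
# needing attention, and derive the Apache PIN file to use when re-tracking.

# Constructed sample modelled on the thread; the second request is made up.
sample_getcert_output() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20190302094604':
  status: NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
  certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
  subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
  expires: 2019-04-22 15:33:08 CEST
Request ID '20190302094699':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/private/example.key',pin set
  certificate: type=FILE,location='/var/lib/ipa/certs/example.crt'
  subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
  expires: 2021-03-02 09:46:04 CET
EOF
}

# Read getcert output on stdin; print "<id> <status> <cert path>" for every
# request that is stuck or whose status is anything other than MONITORING.
stuck_requests() {
  awk -v q="'" '
    function report() { if (id != "" && bad) print id, st, cert }
    /^Request ID/ { report(); id = $3; gsub(q, "", id); sub(":$", "", id)
                    st = ""; cert = ""; bad = 0 }
    /^[ \t]*status:/ { st = $2; if (st != "MONITORING") bad = 1 }
    /^[ \t]*stuck: yes/ { bad = 1 }
    /^[ \t]*certificate:/ {
      if (match($0, "location=" q "[^" q "]*" q))
        cert = substr($0, RSTART + 10, RLENGTH - 11)
    }
    END { report() }
  '
}

# IPA keeps the httpd key PIN in /var/lib/ipa/passwds/<fqdn>-443-RSA (the path
# Rob gives above, generalised here); derive it from the certificate subject.
httpd_pin_file() {
  fqdn=$(printf '%s\n' "$1" | sed -n 's/^CN=\([^,]*\).*/\1/p')
  printf '/var/lib/ipa/passwds/%s-443-RSA\n' "$fqdn"
}
```

On a real server, pipe `getcert list -c IPA` into stuck_requests instead of the sample; the derived PIN file is what goes after -p in Rob's start-tracking command.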
