I have a weird issue where I have my RHV (RedHat Virtualization) environment system that has an IPA-issued certificate in place. This has been working very well for some time.
In any case, I'm suddenly finding that browsers are telling me the certificate is invalid, yet when I check things (I issue certs with proper SANs, just to clarify that point), everything seems to be OK and in place. I tried stop-tracking and reissuing a new cert, thinking that something was wrong, as I had recently removed/rebuilt my secondary IPA server due to what I believed were replication issues. This has looked very good since then (at least a month).

When I try and go to the URL in Chrome, I'm getting: NET::ERR_CERT_REVOKED. Safari (as a test) denies the cert as well.

When I look at things on the system via ipa-getcert:

-----
[root@orldc-prod-vengine ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20200211221958':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/ovirt-engine/keys/apache.key.nopass'
        certificate: type=FILE,location='/etc/pki/ovirt-engine/certs/apache.cer'
        CA: IPA
        issuer: CN=Certificate Authority,O=PASSUR.LOCAL
        subject: CN=orldc-prod-vengine.passur.local,O=PASSUR.LOCAL
        expires: 2024-02-11 22:20:00 UTC
        dns: orldc-prod-vengine.passur.local
        principal name: HTTP/orldc-prod-vengine.passur.local@PASSUR.LOCAL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
-----

If I search for the cert via the IPA web UI, I see the certificate there and it shows as valid (with the correct serial number). I've also at least verified that the OCSP and CRL URLs function (I get a response and I can download a CRL). I'm just not sure how to parse things and verify.

I'm trying to get steps on how best to troubleshoot this, as this is currently preventing me from managing my RHV environment (which is a serious problem). Please let me know if you have any guidance. I need some help!
--
Chris
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
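The "how do I parse the CRL I downloaded" step, as an added example that is not part of the original post or of FreeIPA: it looks the leaf certificate's serial up in the CRL and then runs openssl's own CRL-based revocation check. Everything here is constructed (a throwaway CA, two leaf certs, a CRL revoking one of them) so it runs offline; in practice you would point it at apache.cer, the IPA CA certificate and the CRL fetched from the cert's CRL distribution point.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed fixture: a throwaway
# CA, two leaf certs, and a CRL that revokes one of them.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Hex serial of a PEM cert, upper-case, leading zeros stripped for matching.
serial_of() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2 | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# "revoked" if the cert's serial appears in the CRL, otherwise "not-listed".
crl_status() {  # $1 = leaf cert, $2 = CRL (PEM)
  serial=$(serial_of "$1")
  if openssl crl -in "$2" -noout -text | grep -Eq "Serial Number: *0*$serial\$"; then
    echo revoked
  else
    echo not-listed
  fi
}

# What 'openssl verify -crl_check' concludes: "ok", "revoked" or "error".
verify_status() {  # $1 = leaf cert, $2 = CA cert, $3 = CRL (PEM)
  cat "$2" "$3" > bundle.pem   # CA cert + CRL in one trust file
  out=$(openssl verify -crl_check -CAfile bundle.pem "$1" 2>&1) && { echo ok; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

# ---- constructed fixture ----
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
for n in good bad; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out "$n.crt" 2>/dev/null
done
# Minimal 'openssl ca' config: just the database and CRL settings it needs.
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ncrlnumber=crlnumber\n' > ca.cnf
printf 'default_md=sha256\ndefault_crl_days=1\n' >> ca.cnf
: > index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke bad.crt 2>/dev/null
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out ca.crl 2>/dev/null

echo "good.crt: crl=$(crl_status good.crt ca.crl) verify=$(verify_status good.crt ca.crt ca.crl)"
echo "bad.crt:  crl=$(crl_status bad.crt ca.crl) verify=$(verify_status bad.crt ca.crt ca.crl)"
```

If the served certificate's serial is absent from the CRL and `openssl verify -crl_check` passes, the browser's revoked verdict is coming from somewhere other than the CRL (for example OCSP or a cached response), which narrows where to look next.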