I have a weird issue where I have my RHV (Red Hat Virtualization)
environment system that has an IPA-issued certificate in place.  This
has been working very well for some time.

In any case, I'm suddenly finding that browsers are telling me the
certificate is invalid, yet when I check things (I issue certs with
proper SANs, just to clarify that point), everything seems to be ok
and in place.

I tried stop-tracking and reissuing a new cert thinking that something
was wrong as I had recently removed/rebuilt my secondary IPA server
due to what I believed were replication issues.  This has looked very
good since then (at least a month).

When I try to go to the URL in Chrome, I'm getting:
NET::ERR_CERT_REVOKED

Safari (as a test) denies the cert as well.

When I look at things on the system via ipa-getcert:
-----
[root@orldc-prod-vengine ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20200211221958':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/ovirt-engine/keys/apache.key.nopass'
        certificate: type=FILE,location='/etc/pki/ovirt-engine/certs/apache.cer'
        CA: IPA
        issuer: CN=Certificate Authority,O=PASSUR.LOCAL
        subject: CN=orldc-prod-vengine.passur.local,O=PASSUR.LOCAL
        expires: 2024-02-11 22:20:00 UTC
        dns: orldc-prod-vengine.passur.local
        principal name: HTTP/orldc-prod-vengine.passur.local@PASSUR.LOCAL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
-----

If I search for the cert via the IPA webUI, I see the certificate
there and it shows as valid (with the correct Serial number).

I've also at least verified that the OCSP and CRL URLs function
(I get a response and I can download a CRL).  I'm just not sure how to
parse things and verify.

I'm trying to get steps on how best to troubleshoot this as this is
currently preventing me from managing my RHV environment (which is a
serious problem).  Please let me know if you have any guidance.  I
need some help!

-- Chris
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
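The message above asks how to parse the downloaded CRL and confirm what the browser is complaining about. As an added example, not part of the original message or of IPA/RHV, the script below takes the certificate path from the ipa-getcert output, the IPA CA certificate (assumed to be /etc/ipa/ca.crt on the client) and a PEM CRL, looks the certificate's serial up in the CRL text, repeats the check with openssl verify -crl_check (which also verifies the CRL signature and validity window, closer to what a browser evaluates), and queries the OCSP responder named in the certificate. The build_demo_pki function is a constructed throwaway CA with one revoked and one valid leaf, included only so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the original message: answer "is my serial on the CRL?",
# then cross-check with openssl verify and with OCSP.
# Usage: sh check_revocation.sh CERT CA_PEM CRL_PEM
#   e.g. sh check_revocation.sh /etc/pki/ovirt-engine/certs/apache.cer /etc/ipa/ca.crt ipa.crl
# Assumptions: /etc/ipa/ca.crt is the IPA CA certificate on the client; the CRL is PEM
# (convert a DER download with: openssl crl -inform DER -in downloaded.crl -out ipa.crl).

# Serial of a PEM certificate as upper-case hex, the same form openssl prints in CRL text.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# crl_check CERT CRL_PEM: prints GOOD or REVOKED; returns 1 when the serial is listed.
crl_check() {
    serial=$(cert_serial "$1")
    if openssl crl -in "$2" -noout -text | grep -qiE "^ *Serial Number: *${serial}\$"; then
        echo REVOKED
        return 1
    fi
    echo GOOD
}

# verify_with_crl CERT CA_PEM CRL_PEM: chain, CRL signature, CRL freshness and
# revocation in one step; a serial grep alone does not prove the CRL is genuine.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# ocsp_check CERT CA_PEM: ask the responder named in the certificate's AIA extension
# and show only the status, revocation time and response-signature result.
ocsp_check() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "no OCSP URI in certificate" >&2
        return 2
    fi
    openssl ocsp -issuer "$2" -CAfile "$2" -cert "$1" -url "$url" -resp_text 2>&1 \
        | grep -E 'Cert Status|Revocation Time|verify'
}

# build_demo_pki DIR: constructed throwaway CA with one revoked and one valid leaf
# so the checks above can be exercised offline; nothing here touches a real IPA.
build_demo_pki() {
    d=$1
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 1000 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -days 365 -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    for n in revoked valid; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.pem" >/dev/null 2>&1
    done
    openssl ca -batch -config "$d/ca.cnf" -revoke "$d/revoked.pem" >/dev/null 2>&1
    openssl ca -batch -config "$d/ca.cnf" -gencrl -out "$d/demo.crl" >/dev/null 2>&1
}

if [ $# -eq 3 ]; then
    echo "serial:          $(cert_serial "$1")"
    echo "CRL lookup:      $(crl_check "$1" "$3")"
    if verify_with_crl "$1" "$2" "$3"; then
        echo "openssl verify:  OK"
    else
        echo "openssl verify:  FAILED (rerun the openssl verify line by hand for the reason code)"
    fi
    ocsp_check "$1" "$2"
fi
```

If the serial from ipa-getcert is not on the CRL but openssl verify still fails, the interesting part is the reason code (for example an expired CRL, or a CRL signed by a CA certificate the client no longer trusts after the replica rebuild); if the CRL is clean but OCSP answers revoked, the two IPA responders are disagreeing and that is what Chrome is acting on.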
