Hi Scott

Many thanks for the information and apologies for the delay in responding.

I followed the information and it's all working now.

Regards
Per

On 25 Dec 2021, at 17:06, "Dungan, Scott A. via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:

Hi, Per.

I ran into the same problem and Alexander referred me to this link:

https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg12583.html

The fix for us was pretty easy:

Make a backup of /etc/pki/pki-tomcat/server.xml

On lines 129 and 171 of server.xml, you’ll see a value for “secret=” and “sharedSecret=.” Those values will be different and that is the cause of the problem. Both values should match what is found in the ProxyPassMatch statements located in the file /etc/httpd/conf.d/ipa-pki-proxy.conf. In my case, the value for secret= was correct and I just had to change the sharedSecret= to match.

Restart services with ipactl restart

-Scott

From: Per Qvindesland via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Wednesday, December 22, 2021 7:22 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Per Qvindesland <p...@icloud.com>
Subject: [Freeipa-users] SSL error after upgrade

Hi All
After an update to 4.9.6-10, I am unable to view any of the certificates that the IPA server has signed, I get error: An error has occurred (IPA Error 4301: CertificateOperationError) when I click on Authentication -> Certificates, if I click on "Certificate Authorities" then I get popup message with the error "Failed to authenticate to CA REST API" and "An error has occurred (IPA Error 4016: RemoteRetrieveError)" is showing on the screen.

ipactl status is showing everything as running:

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Does anyone know what's causing this error? I ran ipa-healthcheck and pasted the output below, it reports that it's missing SRV records but the IPA server is the DNS server and it has the SRV records.

Regards
Per

ipa-healthcheck
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
[
  { "source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR",
    "uuid": "ac0200eb-3ec8-405f-ba5e-523cbb40ad6b", "when": "20211222151125Z", "duration": "0.016156",
    "kw": { "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "2f010c35-7d7d-431f-89b0-c342516cf296", "when": "20211222151130Z", "duration": "0.412221",
    "kw": { "key": "20211104170633", "serial": 7,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "10a946e2-e511-417a-b189-a66f1b555470", "when": "20211222151130Z", "duration": "0.519989",
    "kw": { "key": "20211104170628", "serial": 5,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "7c85e383-8508-4b8e-a10b-838b0b70eb73", "when": "20211222151130Z", "duration": "0.618106",
    "kw": { "key": "20211104170629", "serial": 2,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "1776678c-d997-435b-b809-52576128a2e9", "when": "20211222151130Z", "duration": "0.709013",
    "kw": { "key": "20211104170630", "serial": 4,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "f02ff5d9-13cf-4582-9bd3-7567b32c415d", "when": "20211222151130Z", "duration": "0.789825",
    "kw": { "key": "20211104170631", "serial": 1,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "d30b17b3-f45e-4317-bf8e-c1c13c3f77e3", "when": "20211222151131Z", "duration": "0.903311",
    "kw": { "key": "20211104170632", "serial": 3,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "32ff9bb7-69b8-4af3-8c20-9f2ab4394a73", "when": "20211222151131Z", "duration": "0.969296",
    "kw": { "key": "20211104170635", "serial": 34,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "18fb96f0-7a64-4c1c-b03b-bb21e3f90bf1", "when": "20211222151131Z", "duration": "1.065584",
    "kw": { "key": "20211104170634", "serial": 8,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
    "uuid": "d82cdf6d-4d4b-44e4-9aa8-33211aa55c96", "when": "20211222151131Z", "duration": "1.116597",
    "kw": { "key": "20210811074531", "serial": 10,
            "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "cc0c7d5c-1132-4b18-ac8e-c7625d3963f0", "when": "20211222151131Z", "duration": "0.015692",
    "kw": { "msg": "Expected SRV record missing", "key": "_ldap._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "f0d6873f-b681-457d-8006-9e5bb051b9df", "when": "20211222151131Z", "duration": "0.017296",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "92a5517d-5f73-4f49-8874-bf6bbeb2ed9d", "when": "20211222151131Z", "duration": "0.018275",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "7f1994fb-e1dc-4d8c-93c5-5ba2e6652427", "when": "20211222151131Z", "duration": "0.019243",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos-master._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "e9bbd202-8f37-4a44-b9b0-377ae5a53d08", "when": "20211222151131Z", "duration": "0.020150",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos-master._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "2d4a438f-6271-470e-a6f5-68a30858d928", "when": "20211222151131Z", "duration": "0.021502",
    "kw": { "msg": "Expected SRV record missing", "key": "_kpasswd._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "828efbaf-2071-4693-94f4-0e4c2ec884c0", "when": "20211222151131Z", "duration": "0.022772",
    "kw": { "msg": "Expected SRV record missing", "key": "_kpasswd._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "b0a73e45-da65-43a6-a540-8e092e3e4d76", "when": "20211222151131Z", "duration": "0.023895",
    "kw": { "msg": "Expected SRV record missing", "key": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "3329eea5-c794-4201-a973-82f22b58f151", "when": "20211222151131Z", "duration": "0.025341",
    "kw": { "msg": "Expected SRV record missing", "key": "_ldap._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "dde9dd12-e044-4bde-a75f-2ea4d96910dc", "when": "20211222151131Z", "duration": "0.027364",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "9ebec84f-aa7d-4ba9-8c4e-ca8dd2aa98c8", "when": "20211222151131Z", "duration": "0.029421",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "cd921441-98bf-4fc1-a043-ed35a056e818", "when": "20211222151131Z", "duration": "0.030800",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "93f21c35-a10d-418b-a549-c0c70d6330cd", "when": "20211222151131Z", "duration": "0.031808",
    "kw": { "msg": "Expected SRV record missing", "key": "_kerberos._udp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com." } },
  { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
    "uuid": "331ef74f-e5d6-47d8-a666-a352320772de", "when": "20211222151131Z", "duration": "0.034319",
    "kw": { "msg": "Got {count} ipa-ca A records, expected {expected}", "count": 0, "expected": 1 } }
]

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
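
The check Scott describes in the thread above (every secret on the AJP connectors in server.xml must equal the secret= on the ProxyPassMatch lines in ipa-pki-proxy.conf), as an added example that is not part of the original messages or of FreeIPA. The sample file contents and placeholder secrets are constructed, and treating any connector attribute whose name ends in "secret" as a secret is an assumption made to cover both attribute names mentioned in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; the secrets are placeholders, not values from the thread.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" secret="PLACEHOLDER-A"/>
    <Connector port="8009" protocol="AJP/1.3" sharedSecret="PLACEHOLDER-B"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
  </Service>
</Server>"""
SAMPLE_PROXY_CONF = """# constructed excerpt
# ProxyPassMatch ajp://localhost:8009 secret=OLD-COMMENTED-OUT
ProxyPassMatch ajp://localhost:8009 secret=PLACEHOLDER-A
"""


def ajp_secrets(server_xml):
    """Return (attribute, value) for every *secret attribute on AJP connectors."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            found += [(k, v) for k, v in conn.attrib.items()
                      if k.lower().endswith("secret")]
    return found


def proxy_secrets(conf):
    """Return the secret= values on uncommented ProxyPassMatch ajp:// lines."""
    pat = re.compile(r"^[ \t]*ProxyPassMatch\b.*?\bajp://\S+.*?\bsecret=(\S+)",
                     re.M | re.I)
    return set(pat.findall(conf))


def mismatches(server_xml, conf):
    """Names of connector attributes whose value httpd does not send."""
    expected = proxy_secrets(conf)
    return [name for name, value in ajp_secrets(server_xml) if value not in expected]


if __name__ == "__main__":
    import os
    import sys
    paths = ("/etc/pki/pki-tomcat/server.xml", "/etc/httpd/conf.d/ipa-pki-proxy.conf")
    if all(os.access(p, os.R_OK) for p in paths):      # on an IPA server, as root
        texts = [open(p, encoding="utf-8").read() for p in paths]
    else:                                               # elsewhere: constructed sample
        texts = [SAMPLE_SERVER_XML, SAMPLE_PROXY_CONF]
    bad = mismatches(*texts)
    print("mismatched attributes:", ", ".join(bad) or "none")  # names only, no secrets
    sys.exit(1 if bad else 0)
```

The script reports attribute names only, so its output can be pasted into a list post without disclosing the AJP secret.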