I spun up a new server and did a fresh install of IPA. On that server, if I run the command I get a better result:

# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
/var/lib/ipa/ra-agent.pem: OK
Chain:
depth=0: O = AUTH.****.NET, CN = IPA RA (untrusted)
depth=1: O = AUTH.****.NET, CN = Certificate Authority

So I must be missing something with the RA cert. It's definitely in LDAP. I've read that it should also be present in the /etc/httpd/alias/ NSS DB, but that directory is empty on the fresh install, so I cannot confirm.

The ASN.1 appears to be correct on the ra-agent.pem when I check:

$ openssl asn1parse -inform pem -in ra-agent.pem
   37:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   42:d=5  hl=2 l=  14 prim: UTF8STRING        :IPA.****.NET
   58:d=3  hl=2 l=  30 cons: SET
   60:d=4  hl=2 l=  28 cons: SEQUENCE
   62:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   67:d=5  hl=2 l=  21 prim: UTF8STRING        :Certificate Authority
   90:d=2  hl=2 l=  30 cons: SEQUENCE
   92:d=3  hl=2 l=  13 prim: UTCTIME           :240322132444Z
  107:d=3  hl=2 l=  13 prim: UTCTIME           :260312132444Z
  122:d=2  hl=2 l=  42 cons: SEQUENCE
  124:d=3  hl=2 l=  23 cons: SET
  126:d=4  hl=2 l=  21 cons: SEQUENCE
  128:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  133:d=5  hl=2 l=  14 prim: UTF8STRING        :IPA.****.NET
  149:d=3  hl=2 l=  15 cons: SET
  151:d=4  hl=2 l=  13 cons: SEQUENCE
  153:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  158:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :IPA RA

This was another cert that had an incorrect Principal attached and was regenerated. I may have messed up something there, but I'm not sure what.

I do have a copy of the ra-agent.pem (and matching key) with the correct Principal from 2019. I can put this in place on the broken server, but even with rolling the time back I'm not sure it will get renewed.
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org