Hi,
I'm having trouble after this morning's update: I had a setup (based on
RHEL 9) with 3 IPA servers, with certificates generated by letsencrypt
(https://github.com/freeipa/freeipa-letsencrypt).
After updating I noticed the web UI was using a self-signed CA, so I ran
setup-le.sh. The certificates were correctly regenerated, and the
browser was happy.
But when I try to log in it fails, and in the httpd error log I find:
[Thu Jul 25 18:20:53.773180 2024] [wsgi:error] [pid 15636:tid 15924]
[remote 10.10.10.10:38566] ipa: INFO: 401 Unauthorized:
HTTPSConnectionPool(host='dc1.example.com', port=443): Max retries
exceeded with url: /ipa/session/cookie (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1129)')))
Trying to rerun setup-le.sh now, the "ipa-certupdate" part fails with
the same error:
cannot connect to 'any of the configured servers':
https://dc1.example.com/ipa/json, https://dc3.example.com/ipa/json,
https://dc2.example.com/ipa/json
It seems some old certificate (CA or server) is still inside IPA.
Other services (NFS, ssh to ipa clients, ...) seem to work. I hope it's
not only the sss cache!
Any ideas?
TIA,
gc