Hi there,

I have an issue with FreeIPA. A few days ago, certs were renewed, and since that moment we can no longer log in through the web UI. Every attempt fails with the following error message: Login failed due to an unknown reason

When I check the http logs, I find this error (hostname replaced by my.freeipa.local):

    [Tue Aug 12 15:40:04.562822 2025] [wsgi:error] [pid 1814808:tid 1815092] [remote 10.63.1.2:61391] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='my.freeipa.local', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

When I do a getcert list, all certs are valid and have the status MONITORING.

When I take a look at the certificates set in /etc/httpd/conf.d/ssl.conf:

    SSLCertificateFile /var/lib/ipa/certs/httpd.crt
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

both are valid, but I noticed something: the ca-bundle.crt lifespan runs from 2021 to 2041, while in the getcert list results the cert with the 20-year lifespan runs from 2023 to 2043.

httpd.service has been restarted.

ipa config-show does not work:

    ipa: ERROR: impossible de se connecter à « https://my.freeipa.local/ipa/json » : [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

ipactl status shows that everything is running:

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful

Also, FreeIPA is behind a reverse proxy.

IPA version: 4.9.6
OS: Fedora 34

What I understand of the issue: with the renewal, new certificates have been issued, but somehow the link with the root CA has been broken.

To be honest, I have tried so many things in the past few days that I can't remember everything, and I am starting to feel stuck. I would be grateful for a little help!
:)
