Hi,

On Tue, Aug 12, 2025 at 5:05 PM Dimitri Rachline via FreeIPA-users <[email protected]> wrote:
> Hi there,
> I have an issue with FreeIPA. A few days ago, certs were renewed, and
> since that moment we can no longer log in through the web UI. Every attempt
> fails with the following error message: Login failed due to an unknown
> reason

Which cert was renewed (the CA, one of the PKI certs, the HTTP or the LDAP
one)? Was it an automated renewal done by certmonger or a manual one? Can
you paste the output of "getcert list"?

flo

> When I check the http logs, I found this error (hostname replaced by
> my.freeipa.local):
> [Tue Aug 12 15:40:04.562822 2025] [wsgi:error] [pid 1814808:tid 1815092]
> [remote 10.63.1.2:61391] ipa: INFO: 401 Unauthorized:
> HTTPSConnectionPool(host='my.freeipa.local', port=443): Max retries
> exceeded with url: /ipa/session/cookie (Caused by
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: unable to get local issuer certificate
> (_ssl.c:1129)')))
>
> When I do a getcert list, all certs are valid and have the status
> MONITORING.
>
> When I take a look at the certificates set in /etc/httpd/conf.d/ssl.conf:
> SSLCertificateFile /var/lib/ipa/certs/httpd.crt
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> Both are valid, but I noticed something: the ca-bundle.crt lifespan runs
> from 2021 to 2041, while in the getcert list results the cert with a 20-year
> lifespan runs from 2023 to 2043.
>
> httpd.service has been restarted.
>
> ipa config-show does not work:
> ipa: ERROR: cannot connect to 'https://my.freeipa.local/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
> issuer certificate (_ssl.c:1129)
>
> ipactl status shows that everything is running:
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> Also, FreeIPA is behind a reverse proxy.
> IPA version is: 4.9.6
> OS: Fedora 34
>
> What I understand of the issue: with the renewal, new certificates have
> been issued, but somehow the link with the root CA has been broken.
> To be honest, I tried so many things in the past few days that I can't
> remember everything, and I'm starting to feel stuck.
> I would be grateful for a little help! :)
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
