On 2016-04-29 16:08, Petr Vobornik wrote: > On 04/29/2016 02:53 PM, Bret Wortman wrote: >> Despite "ipactl status" indicating that all processes were running after >> step 1, step 2 produces "Unable to establish SSL connection." >> >> Full terminal session is at http://pastebin.com/ZuNBHPy0 > > Hm, it doesn't help me much. > > Does it contact the correct machine? I.e., is IP address OK? > > What is the result of: > > netstat -ln | grep 443 > netstat -ln | grep 8009 > > Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf > > Try to run curl, maybe it will be more verbose, but probably not: > > # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus > > Christian(CCd), do you have any ideas?
Is Apache HTTPD running and listening on 443/TCP? $ ss -tpln | grep 443 Did you install mod_ssl by any chance? FreeIPA uses mod_nss. mod_ssl can disrupt TLS services. The openssl client tool shows more debug information than curl: openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10 Christian
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project