[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-28 Thread Florence Renaud via FreeIPA-users
Hi, it seems the error happens when you run commands that require communication between IPA framework and the Certificate Server (like ipa ca-show). The workflow is the following: 1. the client (= the command "ipa ca-show") is a python process that communicates with httpd on the secure port. It se

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-24 Thread Chris Moody via FreeIPA-users
Finally had a chance to circle back and work on this further. Based on my prior output of: = # ipa-cacert-manage list IPA.REDACTED.COM IPA CA IPA.REDACTED.COM IPA CA DSTRootCAX3 letsencryptx3 isrgrootx1 lets-encrypt-r3-cross-signed The ipa-cacert-manage command was successful = whic

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-16 Thread Chris Moody via FreeIPA-users
That was kinda my belief thus far as well that the hosts were not trusting themselves - not 100% sure how things got here though. I have a hunch it might be related to the initial deployment and the prior admin using an outdated method to install/manage/renew the LE certificates. = # ipa-

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-16 Thread Tim Henderson via FreeIPA-users
Did you install the LE Root CA's first? CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem") for CERT in "${CERTS[@]}" do wget -O "/etc/ssl/$CERT" "https://letsencrypt.org/certs/$CERT"; ipa-cacert-manage install

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-16 Thread Rob Crittenden via FreeIPA-users
The error suggests that your IPA server doesn't trust its own CA certificate. Does ipa-cacert-manage list include the IPA CA? BTW the new certificate steps are unrelated. This affects all CA requests. rob Chris Moody via FreeIPA-users wrote: > Just found some additional possible clues in the ap

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-15 Thread Chris Moody via FreeIPA-users
Just found some additional possible clues in the apache error.log = [Tue Jun 15 17:11:34.636290 2021] [:warn] [pid 31831:tid 139703600768768] [client 2001:470:8af9:255::10:47920] failed to set perms (3140) on file (/run/ipa/ccaches/ch...@ipa.node-nine.com)!, referer: https://REDACTED-1.ipa

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-15 Thread Chris Moody via FreeIPA-users
Apologies for the belated response - took me a bit to verify across all clients. When I installed the LE certs on each replica/server, I performed the following: =(the privkey & fullchain files provided by LE)= ipa-server-certinstall -w -d privkey.pem fullchain.pem & /usr/sbin/ipa-cert

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-12 Thread Florence Renaud via FreeIPA-users
Hi, when the let's encrypt certificates were installed, did you run ipa-cacert-manage install on one of the nodes + ipa-certupdate on *all the IPA machines*? It's important to run ipa-certupdate on all the server/replicas/clients in order to install the CA everywhere. flo On Sat, Jun 12, 2021 at