On Tue, Feb 11, 2020 at 05:40:14PM -0500, Christopher Young via FreeIPA-users wrote:
> I have a weird issue where I have my RHV (RedHat Virtualization)
> environment system that has an IPA-issued certificate in place. This
> has been working very well for some time.
>
> In any case, I'm suddenly finding that browsers are telling me the
> certificate is invalid, yet when I check things (I issue certs with
> proper SANs just to clarify that point), everything seems to be ok
> and in place.
>
> I tried stop-tracking and reissuing a new cert thinking that something
> was wrong as I had recently removed/rebuilt my secondary IPA server
> due to what I believed were replication issues. This has looked very
> good since then (at least a month).
>
> When I try and go to the URL in Chrome, I'm getting:
> NET::ERR_CERT_REVOKED
>
> Safari (as a test) denies the cert as well.
>
> When I look at things on the system via ipa-getcert:
> -----
> [root@orldc-prod-vengine ~]# ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20200211221958':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/etc/pki/ovirt-engine/keys/apache.key.nopass'
>         certificate: type=FILE,location='/etc/pki/ovirt-engine/certs/apache.cer'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=PASSUR.LOCAL
>         subject: CN=orldc-prod-vengine.passur.local,O=PASSUR.LOCAL
>         expires: 2024-02-11 22:20:00 UTC
>         dns: orldc-prod-vengine.passur.local
>         principal name: HTTP/orldc-prod-vengine.passur.local@PASSUR.LOCAL
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> -----
>
> If I search for the cert via the IPA webUI, I see the certificate
> there and it shows as valid (with the correct Serial number).
>
> I've also at least verified that OCSP and CRL URLs at least function
> (I get a response and I download a CRL). I'm just not sure how to
> parse things and verify.

Use `openssl crl -text < FILE` to pretty-print a CRL.

Use `openssl ocsp` to perform an OCSP request:

    openssl ocsp -resp_text \
        -CAfile /etc/ipa/ca.crt \
        -url http://$HOST:8080/ca/ocsp \
        -issuer /etc/ipa/ca.crt -serial $SERIAL_IN_DECIMAL

> I'm trying to get steps on how best to troubleshoot this as this is
> currently preventing me from managing my RHV environment (which is a
> serious problem). Please let me know if you have any guidance. I
> need some help!

To be sure, also check that the issuer certificate and any other
certificates in the chain have not been revoked.

Let us know how you go.

Cheers,
Fraser
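The two checks from the reply above, as an added example script that is not part of Fraser's reply or of FreeIPA itself: it reads the serial out of the tracked certificate, looks for it in a CRL dump, and runs the suggested `openssl ocsp` query. The IPA host name, the certificate and CRL paths, and the 64-bit serial assumption are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: check one certificate's serial against a
# downloaded CRL and against the IPA OCSP responder, as the reply suggests.
# Host names and file paths are assumptions; adjust them for your deployment.

# openssl prints serials as uppercase hex with an even digit count (10 -> "0A");
# `openssl ocsp -serial` and the IPA web UI use decimal.
serial_hex_to_dec() {
    printf '%d\n' "$((0x$1))"        # assumes the serial fits in 64 bits
}

serial_dec_to_hex() {
    hex=$(printf '%X' "$1")
    if [ $((${#hex} % 2)) -eq 1 ]; then hex="0$hex"; fi
    printf '%s\n' "$hex"
}

# Decimal serial of a PEM certificate, e.g. the tracked apache.cer.
cert_serial_dec() {
    serial_hex_to_dec "$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')"
}

# Exit 0 if decimal serial $2 is listed as revoked in $1, a text dump made with
# `openssl crl -text -noout` (add -inform DER if the downloaded CRL is binary).
crl_lists_serial() {
    hex=$(serial_dec_to_hex "$2")
    grep -q "^ *Serial Number: $hex\$" "$1"
}

# Query the IPA OCSP responder on host $1 for decimal serial $2.
ocsp_query() {
    openssl ocsp -resp_text -CAfile /etc/ipa/ca.crt -issuer /etc/ipa/ca.crt \
        -url "http://$1:8080/ca/ocsp" -serial "$2"
}

# Usage: sh check-revocation.sh IPA_HOST /etc/pki/ovirt-engine/certs/apache.cer CRL_FILE
if [ $# -eq 3 ]; then
    serial=$(cert_serial_dec "$2")
    dump=$(mktemp); openssl crl -text -noout -in "$3" > "$dump"
    if crl_lists_serial "$dump" "$serial"; then
        echo "serial $serial IS listed as revoked in the CRL"
    else
        echo "serial $serial is not in the CRL"
    fi
    rm -f "$dump"
    ocsp_query "$1" "$serial"
fi
```

Run the same script against the issuer certificate's serial as well, since a revoked CA certificate produces the same browser error as a revoked leaf.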