Interestingly enough, I don't get this problem on my Fedora workstation or for a co-worker on a Windows-based system, so I'm currently troubleshooting it as an issue on the Mac (which has Symantec Endpoint Protection on it that I _wonder_ might be doing something here) until I prove otherwise. I would like to be able to validate everything as much as possible to eliminate the FreeIPA environment.
I did use the command just to check and got good responses (once I got the URLs correct):

-----
Response verify OK
805240912: good
        This Update: Feb 12 22:52:44 2020 GMT
-----

On Tue, Feb 11, 2020 at 11:02 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> On Tue, Feb 11, 2020 at 05:40:14PM -0500, Christopher Young via FreeIPA-users wrote:
> > I have a weird issue where I have my RHV (RedHat Virtualization)
> > environment system that has an IPA-issued certificate in place. This
> > has been working very well for some time.
> >
> > In any case, I'm suddenly finding that browsers are telling me the
> > certificate is invalid, yet when I check things (I issue certs with
> > proper SANs just to clarify that point), everything seems to be ok
> > and in place.
> >
> > I tried stop-tracking and reissuing a new cert thinking that something
> > was wrong as I had recently removed/rebuilt my secondary IPA server
> > due to what I believed were replication issues. This has looked very
> > good since then (at least a month).
> >
> > When I try and go to the URL in Chrome, I'm getting:
> > NET::ERR_CERT_REVOKED
> >
> > Safari (as a test) denies the cert as well.
> >
> > When I look at things on the system via ipa-getcert:
> > -----
> > [root@orldc-prod-vengine ~]# ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID '20200211221958':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=FILE,location='/etc/pki/ovirt-engine/keys/apache.key.nopass'
> >         certificate: type=FILE,location='/etc/pki/ovirt-engine/certs/apache.cer'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=PASSUR.LOCAL
> >         subject: CN=orldc-prod-vengine.passur.local,O=PASSUR.LOCAL
> >         expires: 2024-02-11 22:20:00 UTC
> >         dns: orldc-prod-vengine.passur.local
> >         principal name: HTTP/orldc-prod-vengine.passur.local@PASSUR.LOCAL
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > -----
> >
> > If I search for the cert via the IPA webUI, I see the certificate
> > there and it shows as valid (with the correct Serial number).
> >
> > I've also at least verified that OCSP and CRL URLs at least function
> > (I get a response and I download a CRL). I'm just not sure how to
> > parse things and verify.
> >
> Use `openssl crl -text < FILE` to pretty-print a CRL.
>
> Use `openssl ocsp` to perform an OCSP request:
>
>   openssl ocsp -resp_text \
>     -CAfile /etc/ipa/ca.crt \
>     -url http://$HOST:8080/ca/ocsp \
>     -issuer /etc/ipa/ca.crt -serial $SERIAL_IN_DECIMAL
>
> > I'm trying to get steps on how best to troubleshoot this as this is
> > currently preventing me from managing my RHV environment (which is a
> > serious problem). Please let me know if you have any guidance. I
> > need some help!
> >
> To be sure, also check that the issuer certificate and any other
> certificates in the chain have not been revoked.
>
> Let us know how you go.
>
> Cheers,
> Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
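The two checks Fraser suggests in the thread, `openssl ocsp` and `openssl crl -text`, are run below against a throw-away CA built on the spot, so the "SERIAL: good" / "SERIAL: revoked" summary and the CRL's revoked-serial listing can be studied offline before pointing the same commands at a real IPA CA. This is an added example, not code from the thread or from FreeIPA: the CA name EXAMPLE.TEST, the serials 4097 and 4098, the index.txt entries, the revocation date and the minimal ca.cnf are all constructed, and the local `openssl ocsp -index` responder stands in for the IPA CA's OCSP endpoint.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away CA in a temporary
# directory, issues two leaf certificates, marks one of them revoked, and then
# runs the two checks suggested in the reply: `openssl ocsp` (answered here by
# the local openssl responder instead of the IPA CA's http://$HOST:8080/ca/ocsp)
# and `openssl crl -text`. All names, serials and dates are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed CA; the subject mirrors the "CN=Certificate Authority,O=..." shape of an IPA CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

issue_leaf() {  # $1 = CN, $2 = decimal serial
    openssl req -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
        -days 30 -sha256 -out "$1.crt" >/dev/null 2>&1
}
issue_leaf good.example.test 4097      # serial 0x1001, stays valid
issue_leaf revoked.example.test 4098   # serial 0x1002, revoked below

# CA database in `openssl ca` index format, one tab-separated line per cert:
# status (V=valid, R=revoked), expiry, revocation time, serial (hex), file, subject.
# Both the OCSP responder and the CRL generator read this file.
printf 'V\t350101000000Z\t\t1001\tunknown\t/O=EXAMPLE.TEST/CN=good.example.test\n' > index.txt
printf 'R\t350101000000Z\t200212225244Z\t1002\tunknown\t/O=EXAMPLE.TEST/CN=revoked.example.test\n' >> index.txt

# Minimal `openssl ca` config: only what -gencrl needs.
cat > ca.cnf <<EOF
[ ca ]
default_ca = mini_ca
[ mini_ca ]
database = $WORK/index.txt
default_md = sha256
default_crl_days = 7
EOF

# OCSP check for one decimal serial. Step 1 has openssl act as the responder
# (the role the IPA CA's /ca/ocsp endpoint plays) and save the DER response;
# step 2 is the client-side verification against the CA certificate, the same
# form as the command in the reply but reading the saved response instead of
# fetching it with -url. Prints "good", "revoked" or "unknown".
ocsp_status() {  # $1 = decimal serial
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -issuer ca.crt -serial "$1" -no_nonce -respout "resp-$1.der" >/dev/null 2>&1
    openssl ocsp -respin "resp-$1.der" -CAfile ca.crt -issuer ca.crt -serial "$1" \
        -no_nonce > "ocsp-$1.txt" 2>&1
    grep -q '^Response verify OK' "ocsp-$1.txt"      # signature and chain check passed
    sed -n "s/^$1: //p" "ocsp-$1.txt"                # the "SERIAL: status" summary line
}

# Issue the CRL from the same index and pretty-print it as the reply suggests.
gen_crl() {
    openssl ca -config ca.cnf -gencrl -crldays 7 -keyfile ca.key -cert ca.crt \
        -out crl.pem >/dev/null 2>&1
    openssl crl -text -noout < crl.pem > crl.txt
}

# "revoked" if the decimal serial is in the CRL's revoked list, otherwise "not listed".
# `openssl crl -text` prints serials as upper-case hex, so convert before matching.
crl_status() {  # $1 = decimal serial
    hex=$(printf '%X' "$1")
    if grep -q "Serial Number: $hex\$" crl.txt; then echo revoked; else echo "not listed"; fi
}

gen_crl
for serial in 4097 4098; do
    printf 'serial %s: OCSP=%s CRL=%s\n' "$serial" "$(ocsp_status "$serial")" "$(crl_status "$serial")"
done
```

Against a real IPA CA the responder step goes away and the client step takes `-url http://$HOST:8080/ca/ocsp` as in the reply; `-serial` is decimal there too, which is why the thread's output reads "805240912: good". The CRL side is the independent cross-check: a serial that OCSP reports as good but that appears under "Revoked Certificates" in the CRL (or the reverse) points at a stale or wrong source, and Fraser's last remark applies to both, so the same two lookups should be repeated for the serial of the issuing CA certificate against its own issuer.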