On Wed, 12 Jun 2024, Yavor Marinov via FreeIPA-users wrote:
Hello all,

I've tried to look over the list for the problem I have, but it seems I
can't find anything related. We are using FreeIPA 4.11 on Alma9 with
Letsencrypt certificates. Until now I didn't have issues renewing
certificates (using https://github.com/freeipa/freeipa-letsencrypt for
renewing certificates), but since last night's renewal I can't log in to
the webui and can't enroll any new resources. The error I got from the
webui is the standard "Login failed due to an unknown reason" and there are no
errors in pki-tomcat. In Apache's error log the following error is
produced:

[Wed Jun 12 13:58:11.298021 2024] [wsgi:error] [pid 211427:tid 211669]
[remote 91.239.13.253:34362] ipa: INFO: 401 Unauthorized:
HTTPSConnectionPool(host='login.example.net', port=443): Max retries
exceeded with url: /ipa/session/cookie (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1129)')))

Trying with curl to reach some of the certificates with

curl https://login.example.net:443/ca/rest/certs/1

returns the error "unable to get local issuer certificate". However, reaching
the IPA webui using Chrome doesn't return the error "ERROR_UNKNOWN_ISSUER",
but Firefox reports that the certificate is unknown.

This is not about IPA CA, this is about IPA web server not knowing
about new Let's Encrypt's CA chain which changed recently.

See https://github.com/freeipa/freeipa-letsencrypt/pull/49.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
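The issuer-lookup failure discussed in this thread, reproduced offline as an added example (this script is not from the thread, from freeipa-letsencrypt or from FreeIPA): it builds a constructed toy PKI (root -> intermediate -> leaf) with the openssl CLI and then verifies the leaf once without and once with its intermediate. The hostname login.example.net, the directory layout and all key material are constructed here; only the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Builds a constructed
# toy PKI and shows that a leaf verified without its issuing intermediate
# fails with the same "unable to get local issuer certificate" reason that
# the httpd log and curl reported, while supplying the intermediate makes
# the chain verify. Requires the openssl CLI (1.1.1 or 3.x).
set -e

# make_toy_pki DIR: create root.pem, int.pem and leaf.pem (plus keys) under DIR.
make_toy_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root, the only trust anchor we will verify against.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Root" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -set_serial 1 -days 2 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root (stands in for a CA's new intermediate).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 1001 -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Leaf for a hypothetical IPA web server name, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=login.example.net" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:login.example.net\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 2001 -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [UNTRUSTED_CHAIN]: verify DIR/leaf.pem against the root only,
# optionally offering UNTRUSTED_CHAIN the way a TLS server offers its chain.
# Returns openssl's exit status: 0 when a chain to the root could be built.
verify_leaf() {
    dir=$1; chain=$2
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$chain" "$dir/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" >/dev/null 2>&1
    fi
}

# leaf_only_error DIR: the reason openssl gives when only the leaf is presented,
# i.e. what a client without a cached or fetched intermediate sees.
leaf_only_error() {
    dir=$1
    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1
}

WORK=$(mktemp -d)
make_toy_pki "$WORK"
echo "leaf only:           $(leaf_only_error "$WORK")"
if verify_leaf "$WORK" "$WORK/int.pem"; then
    echo "leaf + intermediate: OK"
fi
```

The second verification is what a correctly configured web server gives every client: the leaf plus the intermediate in the handshake, so the client only needs the root in its trust store. The first is the situation in the thread. Chrome papers over it by fetching the missing intermediate from the leaf's AIA URL; Python's ssl module (which the IPA framework uses for its own session call), curl and Firefox do not, so they stop at "unable to get local issuer certificate". To see which chain a live server actually sends, use `openssl s_client -connect HOST:443 -showcerts` and check that every issuer in the output is either present in the list or a trusted root.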
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue