Hey Alex,

thanks for your reply. I've downloaded the new Letsencrypt certs and installed them with ipa-cacert-manage install, but I can't update with ipa-certupdate as it gives

Connection to https://login.example.net/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

Again, any idea how to proceed further with this will be appreciated.

On Wed, Jun 12, 2024 at 12:07 PM Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Wed, 12 Jun 2024, Yavor Marinov via FreeIPA-users wrote:
> >Hello all,
> >
> >I've tried to look over the list for the problem I have, but it seems I
> >can't find anything related. We are using FreeIPA 4.11 on Alma9 with
> >Letsencrypt certificates. Until now I didn't have issues renewing
> >certificates (using https://github.com/freeipa/freeipa-letsencrypt for
> >renewing certificates) but since last night's renewal I can't log in
> >to the webui and can't enroll any new resources. The error I got from
> >the webui is the standard "Login failed due to an unknown reason" and
> >there are no errors in pki-tomcat. In apache's error logs the following
> >error is produced:
> >
> >[Wed Jun 12 13:58:11.298021 2024] [wsgi:error] [pid 211427:tid 211669]
> >[remote 91.239.13.253:34362] ipa: INFO: 401 Unauthorized:
> >HTTPSConnectionPool(host='login.example.net', port=443): Max retries
> >exceeded with url: /ipa/session/cookie (Caused by
> >SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> >certificate verify failed: unable to get local issuer certificate
> >(_ssl.c:1129)')))
> >
> >Trying with curl to reach some of the certificates with
> >
> >curl https://login.example.net:443/ca/rest/certs/1
> >
> >returns error "unable to get local issuer certificate". However, reaching
> >the IPA webui using Chrome doesn't return an error "ERROR_UNKNOWN_ISSUER"
> >but FireFox reports that the certificate is unknown.
>
> This is not about IPA CA, this is about IPA web server not knowing
> about new Let's Encrypt's CA chain which changed recently.
>
> See https://github.com/freeipa/freeipa-letsencrypt/pull/49.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland