Thanks Alex, worked like a charm
On Wed, Jun 12, 2024 at 1:15 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 12 Jun 2024, Yavor Marinov wrote:
> >Hey Alex,
> >
> >thanks for your reply, I've downloaded the new Letsencrypt certs, installed
> >them with ipa-cacert-manage install but can't update with ipa-certupdate as
> >it gives
> >
> >Connection to https://login.example.net/ipa/json failed with [SSL:
> >CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
> >issuer certificate (_ssl.c:1129)
> >
> >Again any idea how to proceed further with this will be appreciated.
>
> Look at /etc/httpd/conf.d/ssl.conf, it should have a line like
>
> SSLCACertificateFile /etc/ipa/ca.crt
>
> inside the default vhost.
>
> That is the file that will be eventually updated by ipa-certupdate.
> What you could do is to add your new Let's Encrypt chain to this file,
> restart httpd, and try again.
>
> Please make sure to back up the file first so that you can get back to it
> if needed.
>
> >On Wed, Jun 12, 2024 at 12:07 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> >> On Wed, 12 Jun 2024, Yavor Marinov via FreeIPA-users wrote:
> >> >Hello all,
> >> >
> >> >I've tried to look over the list for the problem I have, but it seems I
> >> >can't find anything related. We are using FreeIPA 4.11 on Alma9 with
> >> >Letsencrypt certificates. Until now I didn't have issues renewing
> >> >certificates (using https://github.com/freeipa/freeipa-letsencrypt for
> >> >renewing certificates) but since last night's renewal I can't log in to
> >> >the webui and can't enroll any new resources. The error I got from the
> >> >webui is the standard "Login failed due to an unknown reason" and there
> >> >are no errors in pki-tomcat. In apache's error logs the following error
> >> >is produced:
> >> >
> >> >[Wed Jun 12 13:58:11.298021 2024] [wsgi:error] [pid 211427:tid 211669] [remote 91.239.13.253:34362] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='login.example.net', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
> >> >
> >> >Trying with curl to reach some of the certificates with
> >> >
> >> >curl https://login.example.net:443/ca/rest/certs/1
> >> >
> >> >returns the error "unable to get local issuer certificate". However, reaching
> >> >the IPA webui using Chrome doesn't return an error "ERROR_UNKNOWN_ISSUER"
> >> >but Firefox reports that the certificate is unknown.
> >>
> >> This is not about the IPA CA, this is about the IPA web server not knowing
> >> about the new Let's Encrypt CA chain which changed recently.
> >>
> >> See https://github.com/freeipa/freeipa-letsencrypt/pull/49.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
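The steps Alexander describes (back up the file named by SSLCACertificateFile, add the new Let's Encrypt chain to it, restart httpd, re-run ipa-certupdate) as a small script. This is an added example, not code from the thread or from the freeipa-letsencrypt project; the config and bundle paths are the defaults the thread mentions, and the certbot-style /etc/letsencrypt/live/.../chain.pem and cert.pem locations in the usage comment are assumptions. The merge skips certificates already in the bundle, so running it twice does not grow the file.

```shell
#!/bin/sh
# Added example, not from the thread: merge a new Let's Encrypt chain into the
# CA bundle that Apache's SSLCACertificateFile points at, with a backup and
# without duplicating certificates already present. Paths are assumptions
# taken from the thread (default IPA layout); check them against your own
# /etc/httpd/conf.d/ssl.conf.

set -eu

# Read the SSLCACertificateFile path from the vhost config
# (expected to be /etc/ipa/ca.crt on a default install).
ca_bundle_path() {
  conf="${1:-/etc/httpd/conf.d/ssl.conf}"
  awk '/^[ \t]*SSLCACertificateFile[ \t]/ { print $2; exit }' "$conf"
}

# Print each certificate in a PEM file as one line of base64 (body only),
# so two copies compare equal regardless of line wrapping or comments.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
       inblk { body = body $0 }' "$1"
}

# Append every certificate from chain file $2 that is not already in bundle $1.
# Backs up the bundle first (as the thread advises) and prints how many were added.
merge_chain_into_bundle() {
  bundle="$1"; chain="$2"; added=0
  tmp="$(mktemp -d)"
  cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
  pem_bodies "$bundle" > "$tmp/existing"
  # Make sure an appended block starts on its own line.
  [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
  # Split the chain into one file per certificate block.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }' "$chain"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || break
    body="$(pem_bodies "$f")"
    if ! grep -qxF -- "$body" "$tmp/existing"; then
      cat "$f" >> "$bundle"
      printf '%s\n' "$body" >> "$tmp/existing"
      added=$((added + 1))
    fi
  done
  rm -rf "$tmp"
  echo "$added"
}

# Check that the server certificate now validates against the bundle; the
# exit status is openssl's, so it can gate the httpd restart. Needs a real
# certificate and openssl, so it is not exercised offline.
verify_leaf_against_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Typical use on the IPA server (as root), following the thread's steps;
# the /etc/letsencrypt paths are an assumption (certbot layout):
#   bundle=$(ca_bundle_path)
#   merge_chain_into_bundle "$bundle" /etc/letsencrypt/live/login.example.net/chain.pem
#   verify_leaf_against_bundle "$bundle" /etc/letsencrypt/live/login.example.net/cert.pem \
#     && systemctl restart httpd && ipa-certupdate
```

Keep the .bak file until ipa-certupdate has succeeded; as Alexander notes, ipa-certupdate will eventually rewrite the bundle itself, so the manual merge is only there to get past the CERTIFICATE_VERIFY_FAILED error.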
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue