Hi,

I recently upgraded my FreeIPA host system from Fedora 40 to 41. Since the upgrade I am unable to access the details of the CA subsystem.

While I get a list/overview of all certificates that are available in the directory, FreeIPA throws an error if I try to access a specific certificate or CA. The error is:

    IPA Error 907: Network Error
    cannot connect to 'https://my-idm-server.idm.my.domain:443/ca/rest/certs/2164020197888160700271539004937198265' : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:2638)

I am also getting this error while running the ipa-healthcheck.

    {
      "source": "ipahealthcheck.dogtag.ca",
      "check": "DogtagCertsConnectivityCheck",
      "result": "ERROR",
      "uuid": "84949312-c4a1-4924-95e5-338894d2ee27",
      "when": "20250122094218Z",
      "duration": "0.022545",
      "kw": {
        "key": "cert_show_ra",
        "error": "cannot connect to 'https://my-idm-server.idm.my.domain:443/ca/rest/certs/198421384424903357883919048254057663382' : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:2638)",
        "serial": "198421384424903357883919048254057663382",
        "msg": "Request for certificate failed: {error}"
      }
    },
    [...]

I am able to get a working TLS handshake and a sensible reply with curl on the same machine.

At first I guessed it might be an incompatibility with TLSv1.3, so I tried to configure only TLSv1.2 in the httpd ssl.conf, but this did not resolve the issue. I also tried to use the legacy system crypto-policy instead of the default one. So I don't really think that this is a cipher mismatch/compatibility issue.

Could this be a verification issue on the certificate chain somewhere? Does someone maybe have a hint where to start looking next and get this fixed?

FreeIPA Version 4.12.2
OS: Fedora 41 Server, no upgrades pending, default repos.

Thank you for your help!

Cheers,
Hannes