Hi,

I recently upgraded my FreeIPA host system from Fedora 40 to 41. Since
the upgrade I am unable to access the details of the CA subsystem.

While I get a list/overview of all certificates that are available in
the directory, FreeIPA throws an error if I try to access a specific
certificate or CA.

The error is:

IPA Error 907: Network Error 
cannot connect to
'https://my-idm-server.idm.my.domain:443/ca/rest/certs/2164020197888160700271539004937198265'
: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
(_ssl.c:2638)

I am also getting this error while running the ipa-healthcheck.

{
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "84949312-c4a1-4924-95e5-338894d2ee27",
    "when": "20250122094218Z",
    "duration": "0.022545",
    "kw": {
      "key": "cert_show_ra",
      "error": "cannot connect to
'https://my-idm-server.idm.my.domain:443/ca/rest/certs/198421384424903357883919048254057663382'
: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
(_ssl.c:2638)",
      "serial": "198421384424903357883919048254057663382",
      "msg": "Request for certificate failed: {error}"
    }
  }, 
[...]

I am able to get a working TLS Handshake and a sensible reply with curl
on the same machine.
At first I guessed it might be an incompatibility with TLSv1.3, so I
tried to configure only TLSv1.2 in the httpd ssl.conf, but this did not
resolve the issue. I also tried to use the legacy system crypto-policy
instead of the default one. So I don't really think that this is a
cipher mismatch/compatibility issue. Could this be a verification issue
on the certificate chain somewhere?

Does someone maybe have a hint where to start looking next to get this
fixed?

FreeIPA Version 4.12.2
OS: Fedora 41 Server, no upgrades pending, default repos.

Thank you for your help!

Cheers,

Hannes
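A diagnostic that reproduces the handshake from Python's ssl module (the library behind the `_ssl.c` reference in the error) instead of curl, so the comparison runs on the same client path FreeIPA uses. This is an added example, not code from the post or from FreeIPA; the host, port and client-certificate path are placeholders. The classifier separates a chain check that fails on the client (`CERTIFICATE_VERIFY_FAILED`) from an alert the server sent (`..._ALERT_HANDSHAKE_FAILURE`), which is the distinction the question turns on.

```python
import socket
import ssl

# Placeholders taken from the redacted URL in the error message.
HOST = "my-idm-server.idm.my.domain"
PORT = 443


def classify_ssl_error(message: str) -> str:
    """Map an OpenSSL error string, as Python's ssl module reports it, to where the failure originated.

    CERTIFICATE_VERIFY_FAILED is raised by our own chain validation, so the server's
    chain is the problem.  An *_ALERT_* reason means the peer sent a TLS alert, i.e. the
    server rejected what the client offered (protocol, ciphers, or client certificate).
    """
    m = message.upper()
    if "CERTIFICATE_VERIFY_FAILED" in m:
        return "local-verify"
    if "ALERT" in m:
        return "remote-alert"
    if "WRONG_VERSION_NUMBER" in m or "UNSUPPORTED_PROTOCOL" in m:
        return "protocol"
    return "other"


def probe(host=HOST, port=PORT, client_cert=None, verify=True, tls_version=None):
    """Attempt one TLS handshake and report the outcome as a dict.

    client_cert: optional PEM file with key + cert (placeholder path, not an IPA path).
    verify:      False skips chain/hostname checks, isolating the server-side alert case.
    tls_version: e.g. ssl.TLSVersion.TLSv1_2 to pin a single protocol version.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if tls_version is not None:
        ctx.minimum_version = tls_version
        ctx.maximum_version = tls_version
    if client_cert:
        ctx.load_cert_chain(client_cert)  # assumption: key and cert in one PEM file
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "origin": classify_ssl_error(str(exc))}


if __name__ == "__main__":
    for kwargs in ({}, {"verify": False}, {"tls_version": ssl.TLSVersion.TLSv1_2}):
        print(kwargs, probe(**kwargs))
```

Running it with and without `verify=False` shows whether the failure survives once local chain validation is out of the picture; with `client_cert` pointing at the certificate FreeIPA presents to the CA, it reproduces the RA path as well.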
