Hannes Eberhardt via FreeIPA-users wrote:
> I just checked the logs you mentioned.
>
>>
>> Check in /var/log/pki/pki-tomcat/localhost_access_log.$DATE
> This is the access log after kinit and ipa-cert show:
>
> 10.1.0.4 - - [23/Jan/2025:21:43:48 +0100] "GET /ca/admin/ca/getStatus
> HTTP/1.1" 200 122
> 10.1.0.4 - - [23/Jan/2025:21:43:48 +0100] "GET /ca/admin/ca/getStatus
> HTTP/1.1" 200 122
> 10.1.0.4 - - [23/Jan/2025:21:43:48 +0100] "POST /ca/admin/ca/getStatus
> HTTP/1.1" 200 122
> 0:0:0:0:0:0:0:1 - - [23/Jan/2025:21:43:48 +0100] "-" 400 -
> 127.0.0.1 - - [23/Jan/2025:21:43:48 +0100] "-" 400 -
> 10.1.0.4 - - [23/Jan/2025:21:44:21 +0100] "GET
> /ca/rest/certs/198421384424903357883919048254057663382 HTTP/1.1" 200
> 12632
>
> No /login line here.
>>
>> Check the logs in /var/logs/httpd/error_log
>>
> There seems to be a verification error on the certificate.
>
> [Thu Jan 23 21:44:21.532600 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ipa: DEBUG: request GET
> https://[...]:443/ca/rest/certs/198421384424903357883919048254057663382
> [Thu Jan 23 21:44:21.532617 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ipa: DEBUG: request body ''
> [Thu Jan 23 21:44:21.537014 2025] [ssl:error] [pid 10413:tid 10547]
> [client 10.1.0.4:54670] AH02039: Certificate Verification: Error (50):
> application verification failure
> [Thu Jan 23 21:44:21.546571 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ipa: DEBUG: httplib request failed:
> [Thu Jan 23 21:44:21.546589 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] Traceback (most recent call last):
> [Thu Jan 23 21:44:21.546592 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipapython/dogtag.py", line 272, in _httplib_request
> [Thu Jan 23 21:44:21.546595 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] res = conn.getresponse()
> [Thu Jan 23 21:44:21.546598 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 1428, in getresponse
> [Thu Jan 23 21:44:21.546601 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] response.begin()
> [Thu Jan 23 21:44:21.546603 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~^^
> [Thu Jan 23 21:44:21.546606 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 331, in begin
> [Thu Jan 23 21:44:21.546609 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] version, status, reason =
> self._read_status()
> [Thu Jan 23 21:44:21.546611 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ~~~~~~~~~~~~~~~~~^^
> [Thu Jan 23 21:44:21.546614 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 292, in _read_status
> [Thu Jan 23 21:44:21.546616 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] line = str(self.fp.readline(_MAXLINE + 1),
> "iso-8859-1")
> [Thu Jan 23 21:44:21.546619 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.546622 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/socket.py", line
> 719, in readinto
> [Thu Jan 23 21:44:21.546624 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self._sock.recv_into(b)
> [Thu Jan 23 21:44:21.546627 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~~~~~^^^
> [Thu Jan 23 21:44:21.546629 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/ssl.py", line
> 1304, in recv_into
> [Thu Jan 23 21:44:21.546632 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self.read(nbytes, buffer)
> [Thu Jan 23 21:44:21.546638 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.546640 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/ssl.py", line
> 1138, in read
> [Thu Jan 23 21:44:21.546643 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self._sslobj.read(len, buffer)
> [Thu Jan 23 21:44:21.546646 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.546648 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ssl.SSLError: [SSL:
> SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
> (_ssl.c:2638)
> [Thu Jan 23 21:44:21.564194 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ipa: DEBUG: WSGI wsgi_execute PublicError:
> Traceback (most recent call last):
> [Thu Jan 23 21:44:21.564218 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipapython/dogtag.py", line 272, in _httplib_request
> [Thu Jan 23 21:44:21.564222 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] res = conn.getresponse()
> [Thu Jan 23 21:44:21.564225 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 1428, in getresponse
> [Thu Jan 23 21:44:21.564228 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] response.begin()
> [Thu Jan 23 21:44:21.564230 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~^^
> [Thu Jan 23 21:44:21.564233 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 331, in begin
> [Thu Jan 23 21:44:21.564236 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] version, status, reason =
> self._read_status()
> [Thu Jan 23 21:44:21.564238 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ~~~~~~~~~~~~~~~~~^^
> [Thu Jan 23 21:44:21.564241 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/http/client.py",
> line 292, in _read_status
> [Thu Jan 23 21:44:21.564244 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] line = str(self.fp.readline(_MAXLINE + 1),
> "iso-8859-1")
> [Thu Jan 23 21:44:21.564246 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564249 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/socket.py", line
> 719, in readinto
> [Thu Jan 23 21:44:21.564252 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self._sock.recv_into(b)
> [Thu Jan 23 21:44:21.564254 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~~~~~^^^
> [Thu Jan 23 21:44:21.564257 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/ssl.py", line
> 1304, in recv_into
> [Thu Jan 23 21:44:21.564260 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self.read(nbytes, buffer)
> [Thu Jan 23 21:44:21.564262 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564265 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib64/python3.13/ssl.py", line
> 1138, in read
> [Thu Jan 23 21:44:21.564267 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self._sslobj.read(len, buffer)
> [Thu Jan 23 21:44:21.564270 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564272 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ssl.SSLError: [SSL:
> SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
> (_ssl.c:2638)
> [Thu Jan 23 21:44:21.564275 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> [Thu Jan 23 21:44:21.564278 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] During handling of the above exception, another
> exception occurred:
> [Thu Jan 23 21:44:21.564284 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> [Thu Jan 23 21:44:21.564286 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] Traceback (most recent call last):
> [Thu Jan 23 21:44:21.564289 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
> [Thu Jan 23 21:44:21.564292 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] result = command(*args, **options)
> [Thu Jan 23 21:44:21.564294 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipalib/frontend.py", line 477, in __call__
> [Thu Jan 23 21:44:21.564297 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self.__do_call(*args, **options)
> [Thu Jan 23 21:44:21.564300 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564302 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipalib/frontend.py", line 544, in __do_call
> [Thu Jan 23 21:44:21.564305 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ret = self.run(*args, **options)
> [Thu Jan 23 21:44:21.564308 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipalib/frontend.py", line 885, in run
> [Thu Jan 23 21:44:21.564310 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return self.execute(*args, **options)
> [Thu Jan 23 21:44:21.564313 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564315 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipaserver/plugins/cert.py", line 1379, in execute
> [Thu Jan 23 21:44:21.564318 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] result =
> self.Backend.ra.get_certificate(serial_number)
> [Thu Jan 23 21:44:21.564321 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipaserver/plugins/dogtag.py", line 906, in get_certificate
> [Thu Jan 23 21:44:21.564324 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] _http_status, _http_headers, http_body =
> self._ssldo(
> [Thu Jan 23 21:44:21.564326 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ~~~~~~~~~~~^
> [Thu Jan 23 21:44:21.564329 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] 'GET', path, use_session=False,
> [Thu Jan 23 21:44:21.564331 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564334 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ...<2 lines>...
> [Thu Jan 23 21:44:21.564337 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] },
> [Thu Jan 23 21:44:21.564339 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ^^
> [Thu Jan 23 21:44:21.564342 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] )
> [Thu Jan 23 21:44:21.564344 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ^
> [Thu Jan 23 21:44:21.564347 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipaserver/plugins/dogtag.py", line 660, in _ssldo
> [Thu Jan 23 21:44:21.564350 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] status, resp_headers, resp_body =
> dogtag.https_request(
> [Thu Jan 23 21:44:21.564352 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ~~~~~~~~~~~~~~~~~~~~^
> [Thu Jan 23 21:44:21.564355 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] self.ca_host, self.override_port or
> self.env.ca_agent_port,
> [Thu Jan 23 21:44:21.564366 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564370 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ...<4 lines>...
> [Thu Jan 23 21:44:21.564372 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] method=method, headers=headers,
> body=body
> [Thu Jan 23 21:44:21.564375 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666]
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Thu Jan 23 21:44:21.564377 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] )
> [Thu Jan 23 21:44:21.564380 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ^
> [Thu Jan 23 21:44:21.564382 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipapython/dogtag.py", line 216, in https_request
> [Thu Jan 23 21:44:21.564385 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] return _httplib_request(
> [Thu Jan 23 21:44:21.564388 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] 'https', host, port, url,
> connection_factory, body,
> [Thu Jan 23 21:44:21.564390 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] method=method, headers=headers)
> [Thu Jan 23 21:44:21.564393 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] File "/usr/lib/python3.13/site-
> packages/ipapython/dogtag.py", line 280, in _httplib_request
> [Thu Jan 23 21:44:21.564396 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] raise NetworkError(uri=uri, error=str(e))
> [Thu Jan 23 21:44:21.564398 2025] [wsgi:error] [pid 10410:tid 10685]
> [remote 10.1.0.4:54666] ipalib.errors.NetworkError: cannot connect to
> 'https://[...]:443/ca/rest/certs/198421384424903357883919048254057663382'
> : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
> (_ssl.c:2638)
>
>> You also mentioned
>> I am able to get a working TLS Handshake and a sensible reply with
>> curl
>> on the same machine.
>> Which command did you run exactly?
> # curl -v
> https://[...]:443/ca/rest/certs/198421384424903357883919048254057663382
> * Host [...]:443 was resolved.
> * IPv6: [...]
> * IPv4: [...]
> * Trying [...]:443...
> * Connected to [...] ([...]) port 443
> * ALPN: curl offers h2,http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> * CApath: none
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 /
> RSASSA-PSS
> * ALPN: server accepted http/1.1
> * Server certificate:
> * subject: [...]
> * start date: Jul 17 11:48:54 2024 GMT
> * expire date: Jul 18 11:48:54 2026 GMT
> * subjectAltName: host "[...]" matched cert's "[...]"
> * issuer: CN=onether.net IDM Intermediate CA
> * SSL certificate verify ok.
> * Certificate level 0: Public key type RSA (2048/112 Bits/secBits),
> signed using sha256WithRSAEncryption
> * Certificate level 1: Public key type RSA (3072/128 Bits/secBits),
> signed using sha256WithRSAEncryption
> * using HTTP/1.x
>> GET /ca/rest/certs/198421384424903357883919048254057663382 HTTP/1.1
>> Host: [...]
>> User-Agent: curl/8.9.1
>> Accept: */*
>>
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * Request completely sent off
> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> < HTTP/1.1 200 200
> < Date: Thu, 23 Jan 2025 20:58:05 GMT
> < Server: Apache/2.4.62 (Fedora Linux) OpenSSL/3.2.2 mod_wsgi/5.0.2
> Python/3.13 mod_auth_gssapi/1.6.5
> < Content-Type: application/json
> < Vary: Accept-Encoding
> < Transfer-Encoding: chunked
> <
> {"id":"0x9546918eec13583066bc7c638498cb96","IssuerDN":"CN=[...]

Have you recently replaced the CA chain and/or the IPA server cert(s)? Apache and/or DS?

>>
>> Is the ipa-healthcheck error the only one?
> I have got nine of the ssl/tls alert handshake failures and this one
> additionally:
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPADogtagCertsMatchCheck",
> "result": "CRITICAL",
> "uuid": "67657ec3-d8ae-40b1-9e4c-4b7ded3e203b",
> "when": "20250123210034Z",
> "duration": "0.204734",
> "kw": {
> "exception": "no matching entry found",
> "traceback": "Traceback (most recent call last):\n File
> \"/usr/lib/python3.13/site-packages/ipahealthcheck/core/core.py\", line
> 56, in run_plugin\n for result in plugin.check():\n
> ~~~~~~~~~~~~^^\n File \"/usr/lib/python3.13/site-
> packages/ipahealthcheck/core/plugin.py\", line 18, in wrapper\n for
> result in f(*args, **kwds):\n ~^^^^^^^^^^^^^^^\n File
> \"/usr/lib/python3.13/site-packages/ipahealthcheck/ipa/certs.py\", line
> 950, in check\n ipaca_certs_ok = yield from
> match_ldap_nss_certs_by_subject(\n
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...<3 lines>...\n
> )\n ^\n File \"/usr/lib/python3.13/site-
> packages/ipahealthcheck/ipa/certs.py\", line 877, in
> match_ldap_nss_certs_by_subject\n entries = ldap.get_entries(\n
> dn,\n filter=f'subjectname={subject}'\n )\n File
> \"/usr/lib/python3.13/site-packages/ipapython/ipaldap.py\", line 1473,
> in get_entries\n entries, truncated = self.find_entries(\n
> ~~~~~~~~~~~~~~~~~^\n base_dn=base_dn, scope=scope,
> filter=filter, attrs_list=attrs_list,\n
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n
> get_effective_rights=get_effective_rights,\n
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n **kwargs)\n
> ^^^^^^^^^\n File \"/usr/lib/python3.13/site-
> packages/ipapython/ipaldap.py\", line 1617, in find_entries\n raise
> errors.EmptyResult(reason='no matching entry
> found')\nipalib.errors.EmptyResult: no matching entry found\n"
> }
> }

This means that one of the CA subsystem certificates was not found by the CA which is unexpected, hence the backtrace. You can try running healthcheck again and then watching the DS access log to find the query that returned nothing (err=32). That will tell you which subject it couldn't find.

I can't explain why a certificate would go missing. Did you have any recent db corruption? Did anyone attempt to "clean up" some records?

> Then there are some deprecation warnings like:
> Properties that return a naïve datetime object have been deprecated.
> Please switch to not_valid_after_utc

Those deprecation warnings are partially fixed and will land in Fedora next week or so.

rob
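
An added example, not part of the original message and not FreeIPA code: one way to follow the suggestion above of watching the DS access log, by pairing each SRCH whose filter is on subjectname with its RESULT line (same conn/op) and reporting the subjects whose search ended with err=32. The log lines are constructed, the function and parameter names are hypothetical, and the optional reporting of err=0 searches with nentries=0 goes beyond what the reply states.

```python
import re

# Constructed 389-DS access log lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
[23/Jan/2025:22:00:34.101000000 +0100] conn=42 op=3 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=2 filter="(subjectname=CN=CA Audit,O=EXAMPLE.TEST)" attrs=ALL
[23/Jan/2025:22:00:34.102000000 +0100] conn=42 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000300 etime=0.000400
[23/Jan/2025:22:00:34.110000000 +0100] conn=42 op=4 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=2 filter="(subjectname=CN=OCSP Subsystem,O=EXAMPLE.TEST)" attrs=ALL
[23/Jan/2025:22:00:34.111000000 +0100] conn=42 op=4 RESULT err=32 tag=101 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
[23/Jan/2025:22:00:34.120000000 +0100] conn=43 op=1 SRCH base="cn=missing,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[23/Jan/2025:22:00:34.121000000 +0100] conn=43 op=1 RESULT err=32 tag=101 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
[23/Jan/2025:22:00:34.130000000 +0100] conn=42 op=5 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=2 filter="(subjectname=CN=IPA RA,O=EXAMPLE.TEST)" attrs=ALL
[23/Jan/2025:22:00:34.131000000 +0100] conn=42 op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
"""

# A search and its result are two separate log lines sharing conn= and op=.
SRCH = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"'
                  r'.*? filter="(?P<filter>.*?)"(?: attrs=|$)')
RESULT = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)\b'
                    r'.*?\bnentries=(?P<n>\d+)')
SUBJECT = re.compile(r'subjectname=(?P<subject>[^)]*)', re.IGNORECASE)


def empty_subject_searches(lines, include_zero_entries=True):
    """Return (subject, base, err, nentries) for subjectname searches that found nothing.

    err=32 (no such object) is always reported; searches that completed with
    err=0 but nentries=0 are reported only when include_zero_entries is set.
    """
    pending = {}  # (conn, op) -> (subject, base) for searches awaiting a RESULT
    hits = []
    for line in lines:
        srch = SRCH.search(line)
        if srch:
            subj = SUBJECT.search(srch["filter"])
            if subj:
                pending[(srch["conn"], srch["op"])] = (subj["subject"], srch["base"])
            continue
        res = RESULT.search(line)
        if not res:
            continue
        search = pending.pop((res["conn"], res["op"]), None)
        if search is None:
            continue  # RESULT of an operation we are not tracking
        err, nentries = int(res["err"]), int(res["n"])
        if err == 32 or (include_zero_entries and err == 0 and nentries == 0):
            hits.append((search[0], search[1], err, nentries))
    return hits


if __name__ == "__main__":
    for subject, base, err, nentries in empty_subject_searches(SAMPLE_LOG.splitlines()):
        print(f"err={err} nentries={nentries} base={base} subject={subject}")
```

To use it on a live system, pass the lines of the instance's access log instead of the sample; the DS access log is buffered, so the matching lines can appear a short time after the healthcheck run.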