Hi,
I think you're hitting this issue: https://pagure.io/freeipa/issue/7759
What is the full certificate chain of your new server cert? If the chain contains a root CA and one or multiple subCAs, each subCA also needs to be added using ipa-cacert-manage install. HTH, flo
On Wed, Oct 20, 2021 at 1:29 PM cicek adam via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Here is my ipactl status:
[root@xxx ~]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful
I think I am doing something wrong. I've made a fresh installation, then added ca.crt by "ipa-cacert-manage -n globalsign -t C,, install /root/ca.crt"
After this I ran ipa-certupdate and it was successful, I had no errors. So I tought it to be safe to run ipa-server-certinstall and ran it. As a result I get login failure in the web ui again. When I check httpd error_log I see this:
[Wed Oct 20 14:02:17.214267 2021] [wsgi:error] [pid 20252:tid 140636607313664] [remote 10.212.238.92:52437] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
After I saw this, I tried ipa-certupdate again and it gave the "cannot connect to 'any of the configured servers’:" error again.
What am I doing wrong? I did ipactl restart after ipa-server-certinstall.
I think I am missing some basics :/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure