[Freeipa-users] Re: How To Renew Expired Certificates & pki-tomcatd not starting

Tue, 09 Feb 2021 19:10:21 -0800 

Thanks for your reply. Here is the output of "kinit admin; ipa cert-show 1":
        ipa: DEBUG: failed to find session_cookie in persistent storage for 
principal '[email protected]'
        ipa: INFO: trying https://login1.ourorg.com/ipa/json
        ipa: DEBUG: Created connection context.rpcclient_140248688553680
        ipa: INFO: [try 1]: Forwarding 'schema' to json server 
'https://login1.ourorg.com/ipa/json'
        ipa: DEBUG: HTTP connection destroyed (login1.ourorg.com)
        Traceback (most recent call last):
        File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 694, in 
single_request
            h = self.make_connection(host)
        File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 573, in 
make_connection
            conn.connect()
        File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
            server_hostname=sni_hostname)
        File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
            _context=self)
        File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
            self.do_handshake()
        File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
            self._sslobj.do_handshake()
        SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:618)
        ipa: DEBUG: Destroyed connection context.rpcclient_140248688553680
        ipa: ERROR: cannot connect to 'https://login1.ourorg.com/ipa/json': 
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

And output of "ipactl status", note as I mentioned in the first post 
pki-tomcatd service was failing even before certificates got expired.

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

Reply via email to