I tried the "ipa cert-show 1" from the CLI and got the same error:

https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' : 
SSL_HANDSHAKE_FAILURE


I do have a corresponding entry in the access_log for Apache:

"POST /ca/agent/ca/displayBySerial HTTP/1.1" 403 229


The Apache error_log just reiterates the same error as before, at the same time the access_log is updated:

Bad Remote Server Certificate -8181

SSL Library Error: -8181 Certificate has expired


Still looking....




On 5/7/2023 10:08 AM, Rob Crittenden wrote:
Justin Sanderson via FreeIPA-users wrote:
Ok. So once again my IPA server is having cert issues. Everything seems
to be working except when I am in the web interface and go to
"Authentication" --> "Certificates" --> Click any of the certs in the list.


---- I get this error from the browser.------

IPA ERROR 907: NetworkError

cannot connect to
https://[myservernamehere.fqdn]:443/ca/agent/ca/displayBySerial' :
SSL_HANDSHAKE_FAILURE


# getcert list |grep expires  --> everything checks out ok. no expiry on
any of the certs


--- checked all the certs on there "Not Before" and "Not After" dates
for the following NSS db's

certutil -L -d /etc/pki/pki-tomcat/alias

certutil -L -d /etc/httpd/alias



  ---- In /var/log/httpd/error_log, I do see some errors: ----

Bad Remote Server Certificate -8181

SSL Library Error: -8181 Certificate has expired


I know it's an expired cert, obviously, from the httpd error_log, but where is
the darn thing? I thought I checked all the places and they looked ok, but I'm
definitely missing something....


could use some advice.

I'd simplify by trying on the command line: ipa cert-show 1

This will exercise the basic connectivity and will be less noisy than
using the UI. I'd run the same command on all servers you have in case
only one is affected.

As for the TLS error in the httpd log, it's hard to say without broader
context. Is there an access log entry at the same time which may correlate?

rob
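
The manual "Not After" check described in this thread can be scripted. The following is an added example, not code from either poster or from FreeIPA: it walks every nickname in the two NSS databases named above and reports each "Not After" date that has passed. The sample output is constructed, and the certutil date format (read as UTC) is an assumption.

```python
import re
import subprocess
from datetime import datetime, timezone

NSS_DBS = ["/etc/pki/pki-tomcat/alias", "/etc/httpd/alias"]  # the two DBs named in the thread

# Constructed sample output; nicknames and dates are illustrative only.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""
SAMPLE_DETAIL = """
            Not Before: Mon May 03 14:00:00 2021
            Not After : Wed May 03 14:00:00 2023
            Not Before: Sat Apr 01 09:30:00 2023
            Not After : Tue Jan 01 09:30:00 2030
"""

def list_nicknames(listing):
    """Nicknames from `certutil -L -d DB`; the last column holds the trust flags."""
    rows = (re.match(r"(.*\S)\s+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*\s*$", l) for l in listing.splitlines())
    return [m.group(1) for m in rows if m]

def expired(detail, now):
    """Every 'Not After' in `certutil -L -n NICK` output that is earlier than `now`.
    Assumes certutil's 'Wed May 03 14:00:00 2023' date format, read as UTC."""
    ends = [datetime.strptime(d.strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            for d in re.findall(r"Not After\s*:\s*(.+)", detail)]
    return [e for e in ends if e < now]

def certutil(*args):
    return subprocess.run(["certutil", "-L", *args], capture_output=True, text=True, check=True).stdout

def scan(dbs=NSS_DBS):
    """Yield (db, nickname, not_after) for each expired certificate found."""
    now = datetime.now(timezone.utc)
    for db in dbs:
        for nick in list_nicknames(certutil("-d", db)):
            for end in expired(certutil("-d", db, "-n", nick), now):
                yield db, nick, end

if __name__ == "__main__":
    for db, nick, end in scan():
        print(f"EXPIRED {end:%Y-%m-%d %H:%M} UTC  {db}  {nick}")
```

Run it as root on each IPA server; it prints nothing when no certificate in those two databases has expired.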
