Hi,
On Wed, Jan 22, 2025 at 10:56 AM Hannes Eberhardt via FreeIPA-users <
[email protected]> wrote:

> Hi,
>
> I recently upgraded my FreeIPA host system from Fedora 40 to 41. Since
> the upgrade I am unable to access the details of the CA subsystem.
>
> While I get a list/overview of all certificates that are available in
> the directory, FreeIPA throws an error if I try to access a specific
> certificate or CA.
>
> The error is:
>
> IPA Error 907: Network Error
> cannot connect to
> 'https://my-idm-server.idm.my.domain:443/ca/rest/certs/2164020197888160700271539004937198265'
> : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure
> (_ssl.c:2638)
>
> I am also getting this error while running the ipa-healthcheck.
>
> {
>   "source": "ipahealthcheck.dogtag.ca",
>   "check": "DogtagCertsConnectivityCheck",
>   "result": "ERROR",
>   "uuid": "84949312-c4a1-4924-95e5-338894d2ee27",
>   "when": "20250122094218Z",
>   "duration": "0.022545",
>   "kw": {
>     "key": "cert_show_ra",
>     "error": "cannot connect to 'https://my-idm-server.idm.my.domain:443/ca/rest/certs/198421384424903357883919048254057663382': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:2638)",
>     "serial": "198421384424903357883919048254057663382",
>     "msg": "Request for certificate failed: {error}"
>   }
> },
> [...]
>
> I am able to get a working TLS Handshake and a sensible reply with curl
> on the same machine.
> At first I guessed it might be an incompatibility with TLSv1.3, so I
> tried to configure only TLSv1.2 in the httpd ssl.conf, but this did not
> resolve the issue. I also tried to use the legacy system crypto-policy
> instead of the default one. So I don't really think that this is a
> cipher mismatch/compatibility issue. Could this be a verification issue
> on the certificate chain somewhere?
>
> Does someone maybe have a hint where to start looking next and get this
> fixed?
>
I would start by checking that your certificates are not expired.
What's the output of
# getcert list
executed on your server my-idm-server.idm.my.domain ? Check that all the
certificates have "expires: " dates in the future.

flo

> FreeIPA Version 4.12.2
> OS: Fedora 41 Server, no upgrades pending, default repos.
>
> Thank you for your help!
>
> Cheers,
>
> Hannes
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
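As an added example (not from this thread, and not FreeIPA or certmonger code), the following Python script applies flo's suggestion mechanically: it parses the plain-text output of `getcert list`, flags every tracked certificate that has already expired or expires within a configurable number of days, and also flags requests that are not in MONITORING state or that certmonger reports as stuck, since either condition means renewal is not happening. The embedded sample output is constructed; the request IDs, file paths, subjects and dates are placeholders, not values from the thread. The script assumes the `expires:` line uses the `YYYY-MM-DD HH:MM:SS UTC` layout that `getcert list` prints.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (placeholder IDs, paths, dates).
# Three tracked requests: an expired RA agent cert, a healthy server cert,
# and a stuck request whose CA is unreachable and whose cert expires soon.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20230101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2025-01-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20230101120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2026-06-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20230101120002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=FILE,location='/etc/dirsrv/slapd-EXAMPLE-TEST/placeholder.crt'
\tCA: IPA
\tsubject: CN=ldap.example.test,O=EXAMPLE.TEST
\texpires: 2025-02-10 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")  # split on the first colon only


def parse_getcert_list(text):
    """Turn `getcert list` text into a list of {field: value} dicts, one per request."""
    certs, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            certs.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return certs


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problem_certs(certs, now, warn_days=30):
    """Return (request_id, subject, reason) for every request that needs attention."""
    problems = []
    for c in certs:
        rid, subject = c["request_id"], c.get("subject", "?")
        status, stuck = c.get("status", ""), c.get("stuck", "?")
        # Anything other than MONITORING (e.g. CA_UNREACHABLE) or a stuck request
        # means certmonger will not renew this certificate on its own.
        if status != "MONITORING" or stuck == "yes":
            problems.append((rid, subject, f"certmonger status {status or 'unknown'}, stuck={stuck}"))
        if "expires" in c:
            exp = parse_expiry(c["expires"])
            if exp <= now:
                problems.append((rid, subject, f"expired on {c['expires']}"))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((rid, subject, f"expires in {(exp - now).days} days"))
    return problems


if __name__ == "__main__":
    # On an IPA server run the real tool (as root); elsewhere fall back to the sample.
    try:
        text = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_GETCERT_OUTPUT
    for rid, subject, reason in find_problem_certs(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(f"{rid}  {subject}: {reason}")
```

Run it as root on the server so that `getcert list` shows every tracked request; an empty report means all tracked certificates are current and certmonger is in MONITORING state for each of them, at which point the expiry theory can be set aside and the next place to look is the certificate chain itself.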
