Hi,
you can enable debug logs for IPA with the following steps:
- create a file /etc/ipa/server.conf containing the following lines:
    [global]
    debug = True
- restart ipa services with "ipactl restart"
- try to use the command cert-show: kinit admin; ipa cert-show 198421384424903357883919048254057663382
I'm expecting the command to fail but it will generate useful logs.
Check in /var/log/pki/pki-tomcat/localhost_access_log.$DATE if you see
lines similar to:
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/account/login HTTP/1.1" 200 198
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/authorities/32c7e520-9996-4b2b-8069-97de6842d79d/cert HTTP/1.1" 200 1158
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/account/logout HTTP/1.1" 204 -
If you have a line with "login" at the time you did the ipa cert-show
command, it means that the command properly reached out to the tomcat
server.
No "login" line would point to a misconfiguration, probably in
/etc/pki/pki-tomcat/server.xml or /etc/httpd/conf.d/ipa-pki-proxy.conf. The
443 port is configured in /etc/httpd/conf.d/ssl.conf but most of the calls
directed to this port get proxied to an AJP connector handled by tomcat. If
the "login" line is not visible it means this redirection is broken.
Check the logs in /var/logs/httpd/error_log, after the line that contains
something similar to
[Thu Jan 23 07:51:19.038273 2025] [wsgi:error] [pid 550528:tid 550860] [remote 10.0.144.249:41806] ipa: DEBUG: raw: cert_show('1', version='2.251')
They may contain a bit more information about this "Network Error".
You also mentioned
I am able to get a working TLS Handshake and a sensible reply with curl
on the same machine.
Which command did you run exactly?
Is the ipa-healthcheck error the only one?
flo
On Thu, Jan 23, 2025 at 12:01 AM Hannes Eberhardt via FreeIPA-users <
[email protected]> wrote:
> >
> > I would start by checking that your certificates are not expired.
> > What's the output of
> > # getcert list
> > executed on your server my-idm-server.idm.my.domain? Check that all
> > the certificates have "expires: " dates in the future.
> >
> > flo
> Hi Flo,
>
> thank you for the hint. I just checked this, no certificate is expired.
> All of the certificates are expiring in 2026.
>
> Request ID '20240717114825':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=[...]
>         subject: CN=[...]
>         issued: 2024-07-17 13:48:25 CEST
>         expires: 2026-07-07 13:48:25 CEST
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-clientAuth
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> [...]
>
> Hannes
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
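The correlation flo describes above (a "login" line from the ipara RA agent in the pki-tomcat access log at the moment the httpd error_log records the cert_show call) can be scripted so the check is repeatable. The script below is an added example, not code from the mail or from the FreeIPA project. It parses constructed sample lines modelled on the two log formats quoted above, and assumes that both logs run on the same clock (the error_log timestamp, which carries no zone, is treated as UTC) and that a 5-second correlation window is wide enough.

```python
"""Correlate 'ipa cert-show' calls seen in httpd error_log (debug = True)
with the RA agent's login on the Dogtag CA REST API in the Tomcat access log."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the formats quoted in the mail.
# They are not real logs from the reporter's server. The second cert_show
# call deliberately has no matching RA login, to show the failure verdict.
ACCESS_LOG = """\
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/account/login HTTP/1.1" 200 198
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/authorities/32c7e520-9996-4b2b-8069-97de6842d79d/cert HTTP/1.1" 200 1158
10.0.144.249 - ipara [23/Jan/2025:07:51:19 +0000] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
ERROR_LOG = """\
[Thu Jan 23 07:51:19.038273 2025] [wsgi:error] [pid 550528:tid 550860] [remote 10.0.144.249:41806] ipa: DEBUG: raw: cert_show('1', version='2.251')
[Thu Jan 23 08:10:02.000000 2025] [wsgi:error] [pid 550528:tid 550860] [remote 10.0.144.249:41900] ipa: DEBUG: raw: cert_show('2', version='2.251')
"""

# Tomcat access log in common log format: client, ident, user, [time], request, status, size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# httpd error_log line emitted by the IPA framework when debug = True
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[wsgi:error\] .*?ipa: DEBUG: raw: (?P<call>\w+)\('
)


def parse_access_log(text):
    """Yield (timestamp, user, path, status) for each parsable access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format instead of failing
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        yield ts, m['user'], m['path'], int(m['status'])


def cert_show_times(text):
    """Timestamps of cert_show calls recorded in error_log.
    Assumption: error_log is on the same clock as the access log; its
    zone-less timestamp is interpreted as UTC here."""
    found = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and m['call'] == 'cert_show':
            ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S.%f %Y')
            found.append(ts.replace(tzinfo=timezone.utc))
    return found


def ra_login_seen(access_log, at, window=timedelta(seconds=5)):
    """True if the ipara RA agent logged in to the CA REST API within
    +/- window of the given cert_show time."""
    for ts, user, path, status in parse_access_log(access_log):
        if (user == 'ipara' and path == '/ca/rest/account/login'
                and status == 200 and abs(ts - at) <= window):
            return True
    return False


def diagnose(error_log, access_log, window=timedelta(seconds=5)):
    """One (cert_show time, verdict) pair per call found in error_log."""
    results = []
    for at in cert_show_times(error_log):
        if ra_login_seen(access_log, at, window):
            verdict = 'request reached pki-tomcat'
        else:
            verdict = ('no RA login: check the AJP proxying in '
                       '/etc/httpd/conf.d/ipa-pki-proxy.conf and '
                       '/etc/pki/pki-tomcat/server.xml')
        results.append((at, verdict))
    return results


if __name__ == '__main__':
    for at, verdict in diagnose(ERROR_LOG, ACCESS_LOG):
        print(at.isoformat(), verdict)
```

On a real server, replace the two constants with the contents of /var/log/pki/pki-tomcat/localhost_access_log.$DATE and /var/log/httpd/error_log; the regexes only need the line shapes shown in the mail, so other entries in those files are skipped rather than misread.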