Interesting. I ran sudo pki securitydomain-show on machine B and got the following error:

    ERROR: UNKNOWN_ISSUER encountered on 'CN=sg-it-prod-dc-b-euw2az2.internal.example.com,O=INTERNAL.EXAMPLE.COM' results in a denied SSL server cert!
    SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
    IOException: SocketException cannot write on socket: Failed to write to socket: (-5987) Invalid function argument.

So it's got the right hostname but it's obviously not happy with something. In the web UI of machine B I have revoked all but the most recent cert for CN=sg-it-prod-dc-b-euw2az2.internal.example.com,O=INTERNAL.EXAMPLE.COM. I still get the same error though. I thought maybe an old cert was causing the issue.

In case it's helpful, I use Let's Encrypt certs to provide HTTPS for the web UI. I feel like the certs shown in the web UI (Authentication > Certificates) are not my Let's Encrypt certs and instead are certs that FreeIPA creates. There is a total of 37 certs. If the prune command was working I could hopefully get this list down to only those that are needed. Although if I'm being honest I don't know what these certs are even used for. I only use FreeIPA for granting SSH access to Linux machines. I'm not using it as a CA but appreciate that it comes with a CA built in.
