tipex tipex via FreeIPA-users wrote:
> Interesting. I ran sudo pki securitydomain-show on machine B and got the
> following error:
>
> ERROR: UNKNOWN_ISSUER encountered on
> 'CN=sg-it-prod-dc-b-euw2az2.internal.example.com,O=INTERNAL.EXAMPLE.COM'
> results in a denied SSL server cert!
> SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
> IOException: SocketException cannot write on socket: Failed to write to
> socket: (-5987) Invalid function argument.
pki client-init
certutil -A -d ~/.dogtag/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

That should do it.

> So it's got the right hostname but it's obviously not happy with something.
> In the web UI of machine B I have revoked all but the most recent cert for
> CN=sg-it-prod-dc-b-euw2az2.internal.example.com,O=INTERNAL.EXAMPLE.COM
> I still get the same error though. I thought maybe an old cert was causing
> the issue.

To be clear, you do not need to revoke old certificates. All it is doing is
updating the status in LDAP and they will be in the CRL. It does nothing
operationally unless you are enforcing OCSP/CRL usage (unlikely). The cert
status is completely independent of the healthcheck warning you are seeing.
Note too that that particular check has been retired by the PKI team. So you
can ignore it, or see if running my suggested commands lets you peek at the
securitydomain.

> In case it is helpful I use Let's Encrypt certs to provide HTTPS for the web
> UI. I feel like the certs shown in the web UI (Authentication > Certificates)
> are not my Let's Encrypt certs and instead are certs that FreeIPA creates.
> There is a total of 37 certs. If the prune command was working I could
> hopefully get this list down to only those that are needed. Although if I'm
> being honest I don't know what these certs are even used for. I only use
> FreeIPA for granting SSH access to Linux machines. I'm not using it as a CA
> but appreciate that it comes with a CA built in.

Pruning only removes expired certificates, with the purpose of keeping the
database from growing infinitely in the era of short-lived certificates. 37 is
basically nothing in terms of size.
rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
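As an added example (not part of Rob's reply, nor FreeIPA or Dogtag code), a small POSIX shell script that checks whether the client NSS database already carries the IPA CA with the CT,C,C trust flags from the two commands above and imports it only when the trust anchor is missing, since an untrusted issuer is what produces the UNKNOWN_ISSUER / BAD_CERTIFICATE failure quoted in the thread. The function names are mine, and the certutil -L listings it parses offline are constructed.

```shell
#!/bin/sh
# Added example: verify (and if needed repair) the IPA CA trust anchor in a
# Dogtag client NSS DB (default ~/.dogtag/nssdb). Not from the thread.

# nss_has_trust LISTING NICKNAME FLAGS
# Parse a `certutil -L` listing passed as text; succeed if NICKNAME appears
# with exactly the trust flags FLAGS. Pure text parsing, usable offline.
nss_has_trust() {
  printf '%s\n' "$1" | awk -v nick="$2" -v want="$3" '
    NF >= 2 {
      flags = $NF                              # trust column is the last field
      name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
      sub(/^[ \t]+/, "", name)                 # nicknames may contain spaces
      if (name == nick && flags == want) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# ensure_ipa_ca_trust [NSSDB]: wrapper around the two commands from the reply.
# Runs only when called explicitly, because it needs pki and certutil.
ensure_ipa_ca_trust() {
  db="${1:-$HOME/.dogtag/nssdb}"
  [ -d "$db" ] || pki client-init
  if nss_has_trust "$(certutil -L -d "$db")" 'IPA CA' 'CT,C,C'; then
    echo "IPA CA already trusted in $db"
  else
    certutil -A -d "$db" -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
  fi
}

# Constructed certutil -L listings (hypothetical, for offline demonstration).
LISTING_OK='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

IPA CA                                       CT,C,C
ipa-ca-agent                                 u,u,u'
LISTING_MISSING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                 u,u,u'

nss_has_trust "$LISTING_OK" 'IPA CA' 'CT,C,C' && echo "sample 1: IPA CA trusted"
nss_has_trust "$LISTING_MISSING" 'IPA CA' 'CT,C,C' || echo "sample 2: IPA CA missing, import needed"
```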
