SRM via FreeIPA-users wrote:
Thanks for your reply. Here is the output of "kinit admin; ipa cert-show 1":

ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@ourorg.COM'
ipa: INFO: trying https://login1.ourorg.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140248688553680
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://login1.ourorg.com/ipa/json'
ipa: DEBUG: HTTP connection destroyed (login1.ourorg.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 694, in single_request
    h = self.make_connection(host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 573, in make_connection
    conn.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipa: DEBUG: Destroyed connection context.rpcclient_140248688553680
ipa: ERROR: cannot connect to 'https://login1.ourorg.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
And the output of "ipactl status"; note, as I mentioned in the first post, the pki-tomcatd service was failing even before the certificates expired.
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
We need to start by getting the CA running properly while back in time when the certs are still valid. There is no way to re-issue the certificates without it.
Can you share the logging and output from your verification of the pki subsystem certificate?
rob
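The recovery path Rob describes, getting the CA up again with the clock set back to a moment when its certificates were still valid, depends on knowing exactly which certificates have expired and whether there is any single point in time at which all of them were valid at once. The script below is an added example, not code from the thread or from the FreeIPA project: it parses `openssl x509 -noout -dates` output for a set of certificates, reports each one's state, and computes the common validity window and a suggested clock setting inside it. The certificate nicknames, dates and the "current time" are constructed sample values, not taken from this deployment; the script only does the arithmetic and never touches the system clock or any certificate store.

```python
"""Find the point in time at which every certificate in a set was valid.

Added example (not from the FreeIPA thread or project). Input is the
text printed by `openssl x509 -noout -dates` for each certificate; the
sample below is constructed and does not describe a real deployment.
"""
from datetime import datetime, timedelta, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Dec 31 08:00:00 2018 GMT"

# Constructed sample: `openssl x509 -noout -dates` output for four
# hypothetical CA subsystem certificates (nicknames are illustrative).
SAMPLE_DATES = {
    "caSigningCert cert-pki-ca":
        "notBefore=Jan  5 10:00:00 2016 GMT\nnotAfter=Jan  5 10:00:00 2036 GMT\n",
    "subsystemCert cert-pki-ca":
        "notBefore=Jan 10 08:00:00 2017 GMT\nnotAfter=Dec 31 08:00:00 2018 GMT\n",
    "Server-Cert cert-pki-ca":
        "notBefore=Mar  1 09:30:00 2017 GMT\nnotAfter=Feb 19 09:30:00 2019 GMT\n",
    "auditSigningCert cert-pki-ca":
        "notBefore=Jan 10 08:00:00 2017 GMT\nnotAfter=Dec 31 08:00:00 2018 GMT\n",
}

# Constructed "current time": the moment the outage was noticed.
NOW = datetime(2019, 3, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Turn 'notBefore=...' / 'notAfter=...' lines into aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both a notBefore and a notAfter line")
    return fields["notBefore"], fields["notAfter"]


def load_certs(dates_by_nickname):
    """Map nickname -> (notBefore, notAfter) for every certificate."""
    return {nick: parse_openssl_dates(txt) for nick, txt in dates_by_nickname.items()}


def classify(certs, now):
    """Label each certificate as valid / expired / not-yet-valid at 'now'."""
    result = {}
    for nick, (not_before, not_after) in certs.items():
        if now < not_before:
            result[nick] = "not-yet-valid"
        elif now > not_after:
            result[nick] = "expired"
        else:
            result[nick] = "valid"
    return result


def common_validity_window(certs):
    """Interval during which *all* certificates are valid at once, or None.

    The window starts at the latest notBefore and ends at the earliest
    notAfter; if those cross, the certificates never overlapped.
    """
    start = max(not_before for not_before, _ in certs.values())
    end = min(not_after for _, not_after in certs.values())
    return (start, end) if start <= end else None


def suggested_clock_time(certs, margin=timedelta(days=1)):
    """A timestamp inside the common window, 'margin' before the earliest expiry.

    Returns None when no window exists: then no clock setting makes every
    certificate valid and a different recovery path is required.
    """
    window = common_validity_window(certs)
    if window is None:
        return None
    start, end = window
    candidate = end - margin
    return candidate if candidate >= start else start


if __name__ == "__main__":
    certs = load_certs(SAMPLE_DATES)
    for nick, state in sorted(classify(certs, NOW).items()):
        print(f"{state:14s} {nick}")
    print("common window:", common_validity_window(certs))
    print("set clock to :", suggested_clock_time(certs))
```

To use it against a real server you would feed it the real dates, for instance by exporting each tracked certificate from the CA's NSS database with `certutil -L -d <nssdb> -n '<nickname>' -a` and piping the PEM through `openssl x509 -noout -dates` (that pipeline is an assumption about the operator's workflow, not something the thread shows). The one-day margin keeps the chosen time clear of the earliest expiry so that a slow restart of the CA does not land right on the boundary.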