Ethan Lambert via FreeIPA-users wrote:
> I have FreeIPA running in a VM with a static IP assigned via dnsmasq
> with Traefik acting as a reverse proxy. I have Traefik grabbing wildcard certs for the
> domain. However, it seems that FreeIPA does not like that as it has this error in the
> error log:
> `SSL Library Error: - 12271 SSL client cannot verify your certificate`
> I assume this is because the wildcard cert for the domain
> (example.com/*.example.com) is not the cert that FreeIPA is expecting?

Doubtful.

We need more context. Where are you seeing this, the web UI,
command-line, client enrollment?

You are likely to also run into referrer issues. The IPA master(s) will
need to verify that the Referrer in the request points to them.

Can you explain why you need a reverse proxy?

You should read
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

> When I try to access the web interface it returns: "Internal Server Error" and
> adds another entry of "SSL Library Error: = 12271 SSL client cannot verify your
> certificate"
>
> What should I do to fix this? There is the CA-less install
> (https://www.freeipa.org/page/V3/CA-less_install).
> However, that wants a long list of Certs (http_pkcs12, dirsrv_pkcs12, etc.) and wants those
> at install. Do I just have to reinstall? Will doing a CA-less install even fix my problem?

This has nothing to do with the IPA CA (or lack thereof).

rob