Could an SSL cert cause this issue?
References:
#1
https://pagure.io/freeipa/issue/7378
user comments - hcoin commented 6 months ago
>>"This issue is back as of 3/2021. Freeipa 4.9.2-4.fc33
SELinux=permissive as well"
Though my system is CentOS, the FreeIPA version is the same and SELinux is permissive.
#2
https://access.redhat.com/solutions/5527751
Observations:
1. Cert on web page UI is not trusted.
2. Web page does not fully load.
3. My system does contain the Java version listed in the KB:
# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64
4. Trying to uninstall/disable the DNSSEC master produces an SSL error:
[root@utility ~]# ipa-dns-install --disable-dnssec-master
The log file for this installation can be found in /var/log/ipaserver-dns-install.log
==============================================================================
This program will setup DNS for the IPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
* Unconfigure ipa-ods-exporter
* Unconfigure OpenDNSSEC
No new zones will be signed without DNSSEC key master IPA server.
Please copy file from /var/lib/ipa/ipa-kasp.db.backup after uninstallation. This file is needed on new DNSSEC key
master server
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Do you want to disable current DNSSEC key master? [no]: yes
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 172.30.50.10
DNS forwarder 172.30.50.10 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders: 172.30.50.10
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
[6/8]: setting up server configuration
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Unconfiguring ods-enforcerd
Exporting DNSSEC data before uninstallation
Unconfiguring ipa-ods-exporter
Unexpected error - see /var/log/ipaserver-dns-install.log for details:
NetworkError: cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)