On 01/05/2019 at 21:48, Rob Crittenden via FreeIPA-users wrote:
> Klaus Vink Slott via FreeIPA-users wrote:
> Have had a small FreeIPA setup running for some time, but today I was unable to log in
> at the web-gui on the master. It was possible to log in at the replica but if I try to delete
> a host I get:
>
> cannot connect to
> 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
>
> Indeed if I run a getcert list -c IPA on the master, one certificate is expired.
> Request ID '20190302094604':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
> subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
> expires: 2019-04-22 15:33:08 CEST
> dns: ipa.int.vink-slott.dk
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> All other certificates are valid with status: MONITORING
>
> I tried different measures based on google searches and old entries on this list. But
> all I have accomplished is to change the state to:
> Request ID '20190302094604':
> status: NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
>
> At this state I am not sure that I added the correct pin, or why this has suddenly become
> a problem.
> It depends very much on what version of IPA you are running, perhaps the
> distro, and what you did to get the tracking into this state.
It is freeipa-server-4.7.2-1.1.fc28.x86_64 on a fully patched Fedora 28
What I tried so far (rebuilt from memory and bash history):
# ipa-getcert resubmit -i 20190302094604
- result:
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN -> NEED_KEYINFO_READ_PIN
Then I followed
https://access.redhat.com/solutions/3939431
- no change
Then I located pin in /etc/pki/pki-tomcat/password.conf and
/etc/httpd/conf/password.conf and tried to add these like this:
# getcert start-tracking -i 20190302094604 -P [long-number from internal=]
# ipa-getcert resubmit -i 20190302094604
- result: key pair storage now has " ,pin set"
# getcert start-tracking -i 20190302094604 -P [hexstring from internal:]
- result: key pair storage now has " ,pin set"
--
Klaus