Hi Team,   Facing below error while upgrading the IPA server using ipa-server-upgrade command   Please let us know the fix if any , let us know if any more details required on the same   ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

Hi Rob, Certificates are valid in this case In Replica Server we have upgraded the packages Upgraded version VERSION: 4.6.8, API_VERSION: 2.237 Master Server Version: VERSION: 4.5.0, API_VERSION: 2.228 Note: Any new changes at Replica server not replicating/syncing/populating to master server Master ------> Replica [ Syncing or re-initialization happening ] Master <------ Replica [ Not Syncing/Replicating]

-----Original Message----- From: Rob Crittenden <rcritten(a)redhat.com&gt; Sent: 29 September 2022 23:18 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Polavarapu Manideep Sai via FreeIPA-users wrote: > Hi Team, > > > > Facing below error while upgrading the IPA server using > ipa-server-upgrade command > > > > Please let us know the fix if any , let us know if any more details > required on the same > > > > ipa-server-upgrade command failed, exception: NetworkError: cannot > connect to > 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) Some of your certificates are expired. getcert list will show you which. The possible solutions depend on your version of IPA. rob ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

Hi Rob, I didn’t change cert configuration not added any 3rd party certificates Here is the error for "ipa cert-show 1" [root@hostname ~]# ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

-----Original Message----- From: Rob Crittenden <rcritten(a)redhat.com&gt; Sent: 30 September 2022 02:00 To: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Polavarapu Manideep Sai wrote: > Hi Rob, > > Certificates are valid in this case > > In Replica Server we have upgraded the packages Upgraded version > VERSION: 4.6.8, API_VERSION: 2.237 > > Master Server Version: VERSION: 4.5.0, API_VERSION: 2.228 > > > Note: Any new changes at Replica server not > replicating/syncing/populating to master server > > Master ------> Replica [ Syncing or re-initialization happening ] > Master <------ Replica [ Not Syncing/Replicating] You're getting an error about failed certificate verification. Something is going wrong. Did you change a cert configuration? Add 3rd party certificates? Does ipa cert-show 1 succeed? Replication may be failing for the same reason, untrusted certificates. rob > > > > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com&gt; > Sent: 29 September 2022 23:18 > To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; > Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; > Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, > exception: NetworkError: cannot connect to > https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) > > > CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. > > > > > Polavarapu Manideep Sai via FreeIPA-users wrote: >> Hi Team, >> >> >> >> Facing below error while upgrading the IPA server using >> ipa-server-upgrade command >> >> >> >> Please let us know the fix if any , let us know if any more details >> required on the same >> >> >> >> ipa-server-upgrade command failed, exception: NetworkError: cannot >> connect to >> 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: >> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) > > Some of your certificates are expired. getcert list will show you which. > > The possible solutions depend on your version of IPA. > > rob > > > ________________________________ > > DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. > Thank you - OnMobile Global Limited. > ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

Hi Rob, As I rechecked one of the certificate i.e. "Server-Cert cert-pki-ca" found and it was expired and all other certificates are valid Can you please share me the correct link / steps to renew only this certificate, this issue is on Replica server and all other certificates are valid Request ID '20221003093229': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://dir01.ipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM subject: CN=dir01.ipa.example.com,O=IPA.EXAMPLE.COM expires: 2022-08-31 09:37:04 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes -----Original Message----- From: Rob Crittenden <rcritten(a)redhat.com&gt; Sent: 30 September 2022 20:38 To: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Polavarapu Manideep Sai wrote: > Hi Rob, > > I didn’t change cert configuration not added any 3rd party > certificates > > Here is the error for "ipa cert-show 1" > > [root@hostname ~]# ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (404) Well, your CA isn't running. You'll need to look in /var/log/pki/pki-tomcat/ca/debug.<date>.log. I'd recommend you begin looking at the last time it started (Initializing subsystem listeners) and work down. The CA tries really hard to start up and will charge forward past some errors so reading the log bottom up often won't show the real problem. I'd also re-verify that your certs are valid, getcert list. rob > > > > > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com&gt; > Sent: 30 September 2022 02:00 > To: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>; FreeIPA users > list <freeipa-users(a)lists.fedorahosted.org&gt; > Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, > exception: NetworkError: cannot connect to > https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) > > > CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. > > > > > Polavarapu Manideep Sai wrote: >> Hi Rob, >> >> Certificates are valid in this case >> >> In Replica Server we have upgraded the packages Upgraded version >> VERSION: 4.6.8, API_VERSION: 2.237 >> >> Master Server Version: VERSION: 4.5.0, API_VERSION: 2.228 >> >> >> Note: Any new changes at Replica server not >> replicating/syncing/populating to master server >> >> Master ------> Replica [ Syncing or re-initialization happening ] >> Master <------ Replica [ Not Syncing/Replicating] > > You're getting an error about failed certificate verification. Something is going wrong. Did you change a cert configuration? Add 3rd party certificates? > > Does ipa cert-show 1 succeed? > > Replication may be failing for the same reason, untrusted certificates. > > rob >> >> >> >> -----Original Message----- >> From: Rob Crittenden <rcritten(a)redhat.com&gt; >> Sent: 29 September 2022 23:18 >> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; >> Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; >> Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, >> exception: NetworkError: cannot connect to >> https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: >> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) >> >> >> CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. >> >> >> >> >> Polavarapu Manideep Sai via FreeIPA-users wrote: >>> Hi Team, >>> >>> >>> >>> Facing below error while upgrading the IPA server using >>> ipa-server-upgrade command >>> >>> >>> >>> Please let us know the fix if any , let us know if any more details >>> required on the same >>> >>> >>> >>> ipa-server-upgrade command failed, exception: NetworkError: cannot >>> connect to >>> 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: >>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) >> >> Some of your certificates are expired. getcert list will show you which. >> >> The possible solutions depend on your version of IPA. >> >> rob >> >> ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited. _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Hi Florence, Thanks for the reply My Renewal Master Server is aaa01 My Replica Server is dircvas01 [root@dircvas01~]# ipa config-show | grep "renewal master" IPA CA renewal master: aaa01.ipa.example.com [root@dircvas01~]# I have taken a backup of /etc/pki/pki-tomcat/alias And now when I run ipa-cert-fix on dircvas01(Replica), will it impact on other nodes pki-tomcat service which are in the replication and on master server(aaa01) ?

*From:* Florence Blanc-Renaud <flo(a)redhat.com&gt; *Sent:* 04 October 2022 12:22 *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; *Cc:* Rob Crittenden <rcritten(a)redhat.com>; Polavarapu Manideep Sai < manideep.sai(a)onmobile.com&gt; *Subject:* Re: [Freeipa-users] Re: Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) *CAUTION.* This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Hi, if the replica has a version > ipa 4.6.6, you can use the tool ipa-cert-fix. Start by a backup of the certificate NSS database /etc/pki/pki-tomcat/alias, carefully read the man page and run the tool on the replica. HTH, flo On Mon, Oct 3, 2022 at 4:59 PM Polavarapu Manideep Sai via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote: Hi Rob, As I rechecked one of the certificate i.e. "Server-Cert cert-pki-ca" found and it was expired and all other certificates are valid Can you please share me the correct link / steps to renew only this certificate, this issue is on Replica server and all other certificates are valid Request ID '20221003093229': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://dir01.ipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM subject: CN=dir01.ipa.example.com,O=IPA.EXAMPLE.COM expires: 2022-08-31 09:37:04 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes -----Original Message----- From: Rob Crittenden <rcritten(a)redhat.com&gt; Sent: 30 September 2022 20:38 To: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Polavarapu Manideep Sai wrote: > Hi Rob, > > I didn’t change cert configuration not added any 3rd party > certificates > > Here is the error for "ipa cert-show 1" > > [root@hostname ~]# ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (404) Well, your CA isn't running. You'll need to look in /var/log/pki/pki-tomcat/ca/debug.<date>.log. I'd recommend you begin looking at the last time it started (Initializing subsystem listeners) and work down. The CA tries really hard to start up and will charge forward past some errors so reading the log bottom up often won't show the real problem. I'd also re-verify that your certs are valid, getcert list. rob > > > > > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com&gt; > Sent: 30 September 2022 02:00 > To: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>; FreeIPA users > list <freeipa-users(a)lists.fedorahosted.org&gt; > Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, > exception: NetworkError: cannot connect to > https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) > > > CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. > > > > > Polavarapu Manideep Sai wrote: >> Hi Rob, >> >> Certificates are valid in this case >> >> In Replica Server we have upgraded the packages Upgraded version >> VERSION: 4.6.8, API_VERSION: 2.237 >> >> Master Server Version: VERSION: 4.5.0, API_VERSION: 2.228 >> >> >> Note: Any new changes at Replica server not >> replicating/syncing/populating to master server >> >> Master ------> Replica [ Syncing or re-initialization happening ] >> Master <------ Replica [ Not Syncing/Replicating] > > You're getting an error about failed certificate verification. Something is going wrong. Did you change a cert configuration? Add 3rd party certificates? > > Does ipa cert-show 1 succeed? > > Replication may be failing for the same reason, untrusted certificates. > > rob >> >> >> >> -----Original Message----- >> From: Rob Crittenden <rcritten(a)redhat.com&gt; >> Sent: 29 September 2022 23:18 >> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; >> Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; >> Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, >> exception: NetworkError: cannot connect to >> https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: >> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) >> >> >> CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. >> >> >> >> >> Polavarapu Manideep Sai via FreeIPA-users wrote: >>> Hi Team, >>> >>> >>> >>> Facing below error while upgrading the IPA server using >>> ipa-server-upgrade command >>> >>> >>> >>> Please let us know the fix if any , let us know if any more details >>> required on the same >>> >>> >>> >>> ipa-server-upgrade command failed, exception: NetworkError: cannot >>> connect to >>> 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: >>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) >> >> Some of your certificates are expired. getcert list will show you which. >> >> The possible solutions depend on your version of IPA. >> >> rob >> >> ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited. _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue ------------------------------ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.