Have had a small FreeIPA setup running for some time, but today I was unable to log in at
the web-gui on the master. It was possible to log in at the replica, but if I try to delete a
host I get:
    cannot connect to 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
Indeed if I run a getcert list -c IPA on the master, one certificate is expired.
    Request ID '20190302094604':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
        subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
        expires: 2019-04-22 15:33:08 CEST
        dns: ipa.int.vink-slott.dk
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
All other certificates are valid and have status: MONITORING.
I tried different measures based on Google searches and old entries on this list, but all
I have accomplished is to change the state to:
    Request ID '20190302094604':
        status: NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
In this state I am not sure that I added the correct pin, or why this is suddenly a
problem.