I am seeing the "SSL Library Error: - 12271 SSL client cannot verify your
certificate" in /var/log/httpd/error_log every time I try to access the
webui.
When I go to the web address auth.ethanlambert.info it just shows a blank
page with the text "Internal Server Error".
The reverse proxy is so that I can have one VM/machine per service. I like
the idea of self-hosting my stuff and I would like single sign-on for each
app (photos.ethanlambert.info, docs.ethanlambert.info, etc.), and from what
I understand the easiest way to do that is a reverse proxy.
I will read the article and see what I can figure out from it.
Thanks!
On Tue, Aug 14, 2018 at 5:30 PM Ethan Lambert <preevete(a)gmail.com> wrote:
On Tue, Aug 14, 2018 at 9:04 AM Rob Crittenden <rcritten(a)redhat.com>
wrote:
> Ethan Lambert via FreeIPA-users wrote:
> > I have FreeIPA running in a VM with a static IP assigned via dnsmasq
> > with Traefik acting as a reverse proxy. I have traefik grabbing wildcard
> > certs for the domain. However, it seems that FreeIPA does not like that as
> > it has this error in the error log:
> >
> > `SSL Library Error: - 12271 SSL client cannot verify your certificate`
> >
> > I assume this is because the wildcard cert for the domain
> > (example.com/*.example.com) is not the cert that FreeIPA is expecting?
>
> Doubtful.
>
> We need more context. Where are you seeing this, the web UI,
> command-line, client enrollment?
>
> You are likely to also run into referrer issues. The IPA master(s) will
> need to verify that the Referrer in the request points to them.
>
> Can you explain why you need a reverse proxy?
>
> You should read
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> > When I try to access the web interface it returns: "Internal Server
> > Error" and adds another entry of "SSL Library Error: = 12271 SSL client
> > cannot verify your certificate"
> >
> > What should I do to fix this, there is the CA-less install
> > (https://www.freeipa.org/page/V3/CA-less_install)
> >
> > However that wants a long list of Certs (http_pkcs12, dirsrv_pkcs12,
> > etc) and wants those at install, do I just have to reinstall? Will doing a
> > CA-less install even fix my problem?
>
> This has nothing to do with the IPA CA (or lack thereof).
>
> rob
>