Thanks to all for the fix, you saved my day!
On 25/12/2021 at 17:06, Dungan, Scott A. via FreeIPA-users wrote:
Hi, Per.
I ran into the same problem and Alexander referred me to this link:
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg1258...
The fix for us was pretty easy:
1. Make a backup of /etc/pki/pki-tomcat/server.xml
2. On lines 129 and 171 of server.xml, you’ll see a value for
“secret=” and “sharedSecret=”. Those values will be different and
that is the cause of the problem. Both values should match what is
found in the ProxyPassMatch statements located in the file
/etc/httpd/conf.d/ipa-pki-proxy.conf. In my case, the value for
secret= was correct and I just had to change the sharedSecret= to
match.
3. Restart services with ipactl restart
-Scott
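The consistency check behind Scott's fix, as an added example that is not from the thread or from FreeIPA itself: it pulls every secret-like attribute off the AJP connectors in server.xml, pulls the secret= values off the ProxyPassMatch lines in ipa-pki-proxy.conf, and reports any connector whose value differs from what httpd sends. The sample file contents and the secret values are constructed to mimic the syntax of the two files; they are not taken from any real server.

```python
import re

# Constructed samples that mimic the syntax of the two files named in the
# thread (pki-tomcat server.xml and ipa-pki-proxy.conf).  Secret values are
# placeholders, not copied from any real server.
SERVER_XML = """
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="localhost4" secret="AJP-SECRET-A" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="localhost6" sharedSecret="AJP-SECRET-B" />
"""
PROXY_CONF = """
ProxyPassMatch ^/ca/rest/(.*)$ ajp://localhost:8009/ca/rest/$1 secret=AJP-SECRET-A
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009/ca/ee/ca/checkRequest secret=AJP-SECRET-A
"""

# Tomcat has used several attribute names for the AJP secret over time.
AJP_ATTR = re.compile(r'\b(secret|sharedSecret|requiredSecret)="([^"]*)"')
PROXY_SECRET = re.compile(r'^\s*ProxyPassMatch\b.*\bsecret=(\S+)', re.MULTILINE)

def tomcat_secrets(server_xml):
    """(attribute, value) for every secret-like attribute on AJP connectors."""
    pairs = []
    for conn in re.findall(r'<Connector\b[^>]*>', server_xml):
        if 'AJP' in conn:
            pairs.extend(AJP_ATTR.findall(conn))
    return pairs

def check_ajp_secrets(server_xml, proxy_conf):
    """Return a list of findings; an empty list means httpd and Tomcat agree."""
    findings = []
    tomcat = tomcat_secrets(server_xml)
    proxy = PROXY_SECRET.findall(proxy_conf)
    if not tomcat:
        findings.append('no AJP secret attribute found in server.xml')
    if not proxy:
        findings.append('no secret= found on ProxyPassMatch lines')
    if len(set(proxy)) > 1:
        findings.append('ipa-pki-proxy.conf uses more than one secret= value')
    if findings:
        return findings
    expected = proxy[0]  # the single value httpd presents to Tomcat
    for attr, value in tomcat:
        if value != expected:
            findings.append('server.xml %s="%s" does not match '
                            'ipa-pki-proxy.conf secret=%s' % (attr, value, expected))
    return findings

if __name__ == '__main__':
    for line in check_ajp_secrets(SERVER_XML, PROXY_CONF) or ['AJP secrets consistent']:
        print(line)
```

On a real server, read the two files into the strings instead of the samples; a non-empty result is the same mismatch that produces the 403 responses from the CA REST API seen in the healthcheck output below.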
*From:* Per Qvindesland via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
*Sent:* Wednesday, December 22, 2021 7:22 AM
*To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
*Cc:* Per Qvindesland <perq(a)icloud.com>
*Subject:* [Freeipa-users] SSL error after upgrade
Hi All
After an update to 4.9.6-10, I am unable to view any of the
certificates that the IPA server has signed, I get error: An error has
occurred (IPA Error 4301: CertificateOperationError) when I click on
Authentication -> Certificates, if I click on "Certificate Authorities"
then I get a popup message with the error "Failed to authenticate to CA
REST API" and "An error has occurred (IPA Error 4016:
RemoteRetrieveError)" is showing on the screen.
ipactl status is showing everything as running:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Does anyone know what's causing this error?
I ran ipa-healthcheck and pasted the output below, it reports that
it's missing SRV records but the IPA server is the DNS server and it
has the SRV records.
Regards
Per
ipa-healthcheck
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "ac0200eb-3ec8-405f-ba5e-523cbb40ad6b",
    "when": "20211222151125Z",
    "duration": "0.016156",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "2f010c35-7d7d-431f-89b0-c342516cf296",
    "when": "20211222151130Z",
    "duration": "0.412221",
    "kw": {
      "key": "20211104170633",
      "serial": 7,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "10a946e2-e511-417a-b189-a66f1b555470",
    "when": "20211222151130Z",
    "duration": "0.519989",
    "kw": {
      "key": "20211104170628",
      "serial": 5,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "7c85e383-8508-4b8e-a10b-838b0b70eb73",
    "when": "20211222151130Z",
    "duration": "0.618106",
    "kw": {
      "key": "20211104170629",
      "serial": 2,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "1776678c-d997-435b-b809-52576128a2e9",
    "when": "20211222151130Z",
    "duration": "0.709013",
    "kw": {
      "key": "20211104170630",
      "serial": 4,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "f02ff5d9-13cf-4582-9bd3-7567b32c415d",
    "when": "20211222151130Z",
    "duration": "0.789825",
    "kw": {
      "key": "20211104170631",
      "serial": 1,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "d30b17b3-f45e-4317-bf8e-c1c13c3f77e3",
    "when": "20211222151131Z",
    "duration": "0.903311",
    "kw": {
      "key": "20211104170632",
      "serial": 3,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "32ff9bb7-69b8-4af3-8c20-9f2ab4394a73",
    "when": "20211222151131Z",
    "duration": "0.969296",
    "kw": {
      "key": "20211104170635",
      "serial": 34,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "18fb96f0-7a64-4c1c-b03b-bb21e3f90bf1",
    "when": "20211222151131Z",
    "duration": "1.065584",
    "kw": {
      "key": "20211104170634",
      "serial": 8,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "d82cdf6d-4d4b-44e4-9aa8-33211aa55c96",
    "when": "20211222151131Z",
    "duration": "1.116597",
    "kw": {
      "key": "20210811074531",
      "serial": 10,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "cc0c7d5c-1132-4b18-ac8e-c7625d3963f0",
    "when": "20211222151131Z",
    "duration": "0.015692",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_ldap._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "f0d6873f-b681-457d-8006-9e5bb051b9df",
    "when": "20211222151131Z",
    "duration": "0.017296",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "92a5517d-5f73-4f49-8874-bf6bbeb2ed9d",
    "when": "20211222151131Z",
    "duration": "0.018275",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "7f1994fb-e1dc-4d8c-93c5-5ba2e6652427",
    "when": "20211222151131Z",
    "duration": "0.019243",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos-master._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "e9bbd202-8f37-4a44-b9b0-377ae5a53d08",
    "when": "20211222151131Z",
    "duration": "0.020150",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos-master._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "2d4a438f-6271-470e-a6f5-68a30858d928",
    "when": "20211222151131Z",
    "duration": "0.021502",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kpasswd._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "828efbaf-2071-4693-94f4-0e4c2ec884c0",
    "when": "20211222151131Z",
    "duration": "0.022772",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kpasswd._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b0a73e45-da65-43a6-a540-8e092e3e4d76",
    "when": "20211222151131Z",
    "duration": "0.023895",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "3329eea5-c794-4201-a973-82f22b58f151",
    "when": "20211222151131Z",
    "duration": "0.025341",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_ldap._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "dde9dd12-e044-4bde-a75f-2ea4d96910dc",
    "when": "20211222151131Z",
    "duration": "0.027364",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "9ebec84f-aa7d-4ba9-8c4e-ca8dd2aa98c8",
    "when": "20211222151131Z",
    "duration": "0.029421",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "cd921441-98bf-4fc1-a043-ed35a056e818",
    "when": "20211222151131Z",
    "duration": "0.030800",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "93f21c35-a10d-418b-a549-c0c70d6330cd",
    "when": "20211222151131Z",
    "duration": "0.031808",
    "kw": {
      "msg": "Expected SRV record missing",
      "key": "_kerberos._udp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "331ef74f-e5d6-47d8-a666-a352320772de",
    "when": "20211222151131Z",
    "duration": "0.034319",
    "kw": {
      "msg": "Got {count} ipa-ca A records, expected {expected}",
      "count": 0,
      "expected": 1
    }
  }
]
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr