Ok, helps if I have the package installed.
[root@utility certs]# curl https://utility.idm.nac-issa.org/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here:
https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[root@utility certs]# update-ca-trust
[root@utility certs]# ausearch -m AVC -ts recent
<no matches>
[root@utility certs]# ipa-healthcheck
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "be10c3a6-3f99-4d36-bccb-9d1174c1b114",
"when": "20210910144648Z",
"duration": "0.011192",
"kw": {
"msg": "Request for certificate failed, cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/1': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "7aa396d3-5cdf-4063-b224-8c315babd327",
"when": "20210910144649Z",
"duration": "0.618589",
"kw": {
"key": "20210828145523",
"hostname": "ipa-ca.idm.nac-issa.org",
"san": [
"utility.idm.nac-issa.org"
],
"ca": "IPA",
"profile": "caIPAserviceCert",
"msg": "Certificate request id {key} with profile {profile} for CA
{ca} does not have a DNS SAN {san} matching name {hostname}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c6bc75d1-4893-4a8e-b254-2c559e2c0779",
"when": "20210910144651Z",
"duration": "0.381867",
"kw": {
"key": "20210828145521",
"serial": 7,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/7': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "6fedbc8f-094e-4eae-b29b-7891c3f9f11a",
"when": "20210910144651Z",
"duration": "0.463171",
"kw": {
"key": "20210828145516",
"serial": 5,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/5': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "00da2610-a4e9-456c-aaad-ac995832c2c5",
"when": "20210910144651Z",
"duration": "0.545099",
"kw": {
"key": "20210828145517",
"serial": 2,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/2': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "251a2f9e-074e-43d4-bf1f-7e411b39093e",
"when": "20210910144651Z",
"duration": "0.625172",
"kw": {
"key": "20210828145518",
"serial": 4,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/4': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "bafd792c-cfb1-4d25-92d1-b250552e83d1",
"when": "20210910144651Z",
"duration": "0.704938",
"kw": {
"key": "20210828145519",
"serial": 1,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/1': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "e5bddcdc-8111-4630-96a6-cada06ae4046",
"when": "20210910144651Z",
"duration": "0.785690",
"kw": {
"key": "20210828145520",
"serial": 3,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/3': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3cb7cfaa-c57b-4bc0-a11d-f563c2e6c169",
"when": "20210910144651Z",
"duration": "0.825071",
"kw": {
"key": "20210828145523",
"serial": 9,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/9': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "0a500c25-3e7e-4b1e-8222-481d7d9b18dd",
"when": "20210910144651Z",
"duration": "0.904579",
"kw": {
"key": "20210828145522",
"serial": 8,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/8': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5d36a93e-3749-4426-a30e-90cfba800180",
"when": "20210910144651Z",
"duration": "0.945219",
"kw": {
"key": "20201123010735",
"serial": 10,
"error": "cannot connect to
'https://utility.idm.nac-issa.org:443/ca/rest/certs/10': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "WARNING",
"uuid": "fd0184fc-d7a5-4a63-97a3-1d02cac8d553",
"when": "20210910144652Z",
"duration": "0.006090",
"kw": {
"key": "S-1-5-21-1078894834-642791778-300953666",
"error": "returned nothing",
"msg": "Look up of {key} {error}"
}
}
]
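Rob's warning below is that ipa-healthcheck will report a pile of false positives while the CA's REST API is unreachable, and the output above bears that out: one TLS trust failure shows up as nine separate ERROR entries. As an added example (mine, not part of the thread and not ipa-healthcheck's own code), here is a small triage script that reads the JSON the tool emits and separates findings whose only cause is "cannot connect / CERTIFICATE_VERIFY_FAILED" from the ones that stand on their own (here the DNS SAN mismatch and the trust-catalog warning). The embedded sample is a constructed, trimmed subset modelled on the output above (uuid/when/duration dropped, plus one made-up passing check named ConstructedPassingCheck); the marker strings are assumed to be stable enough to match on, which is an assumption about the tool's wording rather than a documented contract.

```python
"""Triage ipa-healthcheck JSON: one unreachable CA endpoint, many identical errors.

Added example, not from the FreeIPA thread or the ipa-healthcheck project.
"""
import json
from collections import Counter

# Constructed sample modelled on the thread's output (trimmed; last entry is made up).
SAMPLE_HEALTHCHECK = """[
  {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR",
   "kw": {"msg": "Request for certificate failed, cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/1': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR",
   "kw": {"key": "20210828145523", "hostname": "ipa-ca.idm.nac-issa.org", "san": ["utility.idm.nac-issa.org"],
          "ca": "IPA", "profile": "caIPAserviceCert",
          "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
   "kw": {"key": "20210828145521", "serial": 7,
          "error": "cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/7': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
          "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
   "kw": {"key": "20210828145516", "serial": 5,
          "error": "cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/5': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)",
          "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING",
   "kw": {"key": "S-1-5-21-1078894834-642791778-300953666", "error": "returned nothing", "msg": "Look up of {key} {error}"}},
  {"source": "ipahealthcheck.example", "check": "ConstructedPassingCheck", "result": "SUCCESS", "kw": {}}
]"""

# Assumed markers for "the checker could not reach the CA/web API at all".
TRANSPORT_MARKERS = ("CERTIFICATE_VERIFY_FAILED", "cannot connect to")


def is_transport_failure(entry: dict) -> bool:
    """True when any kw field says the failure was a TLS/connection error, not a real finding."""
    text = " ".join(str(v) for v in entry.get("kw", {}).values())
    return any(marker in text for marker in TRANSPORT_MARKERS)


def render_msg(entry: dict) -> str:
    """kw['msg'] may be a format template whose fields sit beside it in kw; render it if so."""
    kw = entry.get("kw", {})
    template = kw.get("msg", "")
    try:
        return template.format(**kw)
    except (KeyError, IndexError, ValueError):
        return template  # already rendered, or a template we cannot fill


def triage(raw_json: str) -> dict:
    """Split non-SUCCESS results into 'unreachable endpoint' noise and independent findings."""
    entries = json.loads(raw_json)
    findings = [e for e in entries if e.get("result") != "SUCCESS"]
    transport = [e for e in findings if is_transport_failure(e)]
    independent = [e for e in findings if not is_transport_failure(e)]
    return {
        "total": len(entries),
        "transport_failures": len(transport),
        "transport_failures_by_check": dict(Counter(e["check"] for e in transport)),
        "independent_findings": [(e["check"], e["result"], render_msg(e)) for e in independent],
    }


if __name__ == "__main__":
    # Typical use on a live box would be: ipa-healthcheck --output-type json | python3 triage.py
    print(json.dumps(triage(SAMPLE_HEALTHCHECK), indent=2))
```

The point of the split is operational: once the trust problem is fixed, every entry in `transport_failures` is expected to disappear on the next run, whereas the two `independent_findings` (the SAN mismatch on ipa-ca.idm.nac-issa.org and the trust-catalog lookup that returned nothing) need their own follow-up.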
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Friday, September 10, 2021 9:33 AM
To: Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users list
<freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running
ipa-dns-install? (Was - Unable to start directory server after updates)
Jeremy Tourville wrote:
[root@utility certs]# ipa-certupdate
cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
The ipa-certupdate command failed.
Sort of a bad catch 22 I guess?
Yeah, I was afraid of that.
Let's walk through it. Try a simple command for another data point. I'm
not sure what we'd do with this but it will exercise the system-wide
trust as well:
$ curl https://`hostname`/
Rebuilding the CA trust db may help
# update-ca-trust
I suppose also look for AVCs in case something is way out-of-whack:
# ausearch -m AVC -ts recent
ipa-healthcheck may be something to try as well but you're likely to get
a crapton of false positives since it can't talk to the web interface.
rob
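Rob's curl and update-ca-trust suggestions above, like his `openssl verify -CAfile /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt` command quoted further down the thread, rest on one distinction: a certificate can be well inside its validity window and still be untrusted, because the verifier has no path from it to a CA it has been told to trust. The following added example (mine, not from the thread or from FreeIPA) drives the same openssl commands against a throw-away CA built in a temporary directory, so nothing touches /etc/ipa or the system trust store. The CA names, subjects and file names are made up for the demo, and the openssl CLI is assumed to be on PATH; the "unrelated CA" stands in for a system bundle that does not contain the IPA CA, which is the situation update-ca-trust is meant to correct.

```python
"""Valid versus trusted: the same openssl checks the thread uses, on a disposable CA.

Added example, not from the FreeIPA thread or the FreeIPA project.
"""
import os
import shutil
import subprocess
import tempfile


def openssl_available() -> bool:
    """The demo shells out to the openssl CLI; report whether it is installed."""
    return shutil.which("openssl") is not None


def _openssl(args, cwd=None) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)


def make_self_signed_ca(workdir: str, name: str, subject: str) -> str:
    """Create a self-signed CA key and cert (the role /etc/ipa/ca.crt plays for an embedded IPA CA)."""
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
              "-subj", subject, "-keyout", f"{name}.key", "-out", f"{name}.crt"],
             cwd=workdir).check_returncode()
    return os.path.join(workdir, f"{name}.crt")


def issue_leaf(workdir: str, ca_name: str, name: str, subject: str) -> str:
    """Issue an end-entity cert signed by the named CA (stand-in for /var/lib/ipa/certs/httpd.crt)."""
    _openssl(["req", "-newkey", "rsa:2048", "-nodes", "-subj", subject,
              "-keyout", f"{name}.key", "-out", f"{name}.csr"], cwd=workdir).check_returncode()
    _openssl(["x509", "-req", "-days", "30", "-in", f"{name}.csr",
              "-CA", f"{ca_name}.crt", "-CAkey", f"{ca_name}.key", "-CAcreateserial",
              "-out", f"{name}.crt"], cwd=workdir).check_returncode()
    return os.path.join(workdir, f"{name}.crt")


def is_unexpired(cert_path: str) -> bool:
    """'Valid' in the narrow sense: -checkend 0 exits 0 when the cert has not yet expired."""
    return _openssl(["x509", "-noout", "-checkend", "0", "-in", cert_path]).returncode == 0


def chains_to(cafile: str, cert_path: str) -> bool:
    """'Trusted': the thread's `openssl verify -CAfile <ca> <cert>`; exit 0 only if the chain closes."""
    return _openssl(["verify", "-CAfile", cafile, cert_path]).returncode == 0


def demo_valid_vs_trusted() -> dict:
    """Build an IPA-like CA, an unrelated CA and a leaf, then ask the three questions that matter."""
    with tempfile.TemporaryDirectory() as d:
        ipa_ca = make_self_signed_ca(d, "ipa-ca", "/O=IDM.EXAMPLE.TEST/CN=Certificate Authority")
        other_ca = make_self_signed_ca(d, "other-ca", "/O=OTHER.EXAMPLE.TEST/CN=Unrelated CA")
        httpd = issue_leaf(d, "ipa-ca", "httpd", "/O=IDM.EXAMPLE.TEST/CN=utility.idm.example.test")
        return {
            "unexpired": is_unexpired(httpd),                   # True: inside its validity window
            "trusted_via_issuer": chains_to(ipa_ca, httpd),      # True: verifier was handed the issuing CA
            "trusted_via_unrelated_ca": chains_to(other_ca, httpd),  # False: a bundle lacking the issuer
        }


if __name__ == "__main__":
    if not openssl_available():
        raise SystemExit("openssl CLI not found on PATH")
    for question, answer in demo_valid_vs_trusted().items():
        print(f"{question}: {answer}")
```

On a real IPA server the equivalent of the last line is `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt /var/lib/ipa/certs/httpd.crt`: if that fails while verification against /etc/ipa/ca.crt succeeds, the certificate is fine and the system-wide bundle is what is missing the IPA CA.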
------------------------------------------------------------------------
*From:* Rob Crittenden <rcritten(a)redhat.com>
*Sent:* Friday, September 10, 2021 9:09 AM
*To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
list <freeipa-users(a)lists.fedorahosted.org>
*Cc:* Florence Renaud <flo(a)redhat.com>
*Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
running ipa-dns-install? (Was - Unable to start directory server after
updates)
Jeremy Tourville wrote:
> Now I understand how to test the cert(s) after re-reading your comments
> Rob and Flo 🙂
>
> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
> /var/lib/ipa/certs/httpd.crt: OK
> Chain:
> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
I'd try running ipa-certupdate. I have the feeling some of the
system-wide certificates are out-of-sync.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Sent:* Thursday, September 9, 2021 5:45 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden
<rcritten(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Oh wait!!! Which set of certs do I need to test against for my
> certificate chain?
> I realized I didn't include the proper path when testing. It should be
> something like-
>
> # openssl verify -verbose -show_chain -CAfile <path to root or
> intermediate cert> /etc/ipa/ca.crt
> # openssl verify -verbose -show_chain -CAfile <path to root or
> intermediate cert> /var/lib/ipa/certs/httpd.crt
>
> This would give you output (presuming you are using the correct set of
> certs)
> /etc/ipa/ca.crt: OK
> /var/lib/ipa/certs/httpd.crt: OK
>
> Which path contains the intermediate or root CA certs I need to test
> against?
>
> [root@utility ~]# ls -la | find / -name *.crt
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
> /etc/pki/tls/certs/ca-bundle.crt
> /etc/pki/tls/certs/ca-bundle.trust.crt
> /etc/pki/tls/certs/localhost.crt
> /etc/pki/pki-tomcat/alias/ca.crt
> /etc/ipa/ca.crt
> /etc/dirsrv/ssca/ca.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
> /var/lib/ipa/certs/httpd.crt
> /var/kerberos/krb5kdc/kdc.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
> /usr/share/ipa/html/ca.crt
>
>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Sent:* Thursday, September 9, 2021 3:13 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden
<rcritten(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
>>> It isn't complaining that the certificate isn't valid, it's complaining
>>> that it isn't trusted.
> Thanks for pointing out my mistake. I'm wearing some egg on my face. I
> was thinking about it wrong at the time of my reply.
>
> I attempted to verify trust-
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
> /etc/ipa/ca.crt
> ^C
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
> /var/lib/ipa/certs/httpd.crt
> ^C
>
> As you can see, no output, so yeah, they are not trusted.
>
>>> Where did httpd.crt come from/what issuer?
> I recall not using a 3rd party CA. The certs were just self-signed when
> the ipa server was initially built. I never did replace the certs as it
> wasn't required for our situation.
>
> Next steps I guess would be to generate some new certs? Thoughts?
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Thursday, September 9, 2021 12:53 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
> <jeremy_tourville(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville via FreeIPA-users wrote:
>> /var/lib/ipa/certs/httpd.crt
>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>
>> /etc/ipa/ca.crt
>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>
> It isn't complaining that the certificate isn't valid, it's complaining
> that it isn't trusted. You also need to look at the signer and ensure
> that the system trusts it globally. Where did httpd.crt come from/what
> issuer?
>
> You might try running:
>
> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
> /var/lib/ipa/certs/httpd.crt
>
> See the default.conf(5) man page for a description of default.conf,
> server.conf, etc. In this case server is a context so the configuration
> only applies there.
>
> rob
>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <flo(a)redhat.com>
>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Hi Jeremy,
>>
>> to enable debugging you can simply create /etc/ipa/server.conf if the
>> file does not exist:
>> # cat /etc/ipa/server.conf
>> [global]
>> debug=True
>> # systemctl restart httpd
>>
>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>> examine its content with
>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>> If the IPA deployment includes an embedded CA, the CA that issued the
>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>> openssl command.
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>> <jeremy_tourville(a)hotmail.com <mailto:jeremy_tourville@hotmail.com>> wrote:
>>
>> I think I see the issue but I am unsure what to do to fix it. See
>> below.
>>
>> To answer your question, yes I did accept the security exception.
>>
>> Also, I don't see a server.conf file at /etc/ipa so that I may
>> enable debugging. What can you suggest for this issue?
>>
>>
>> [root@utility ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-ods-exporter Service: STOPPED
>> ods-enforcerd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> [root@utility ~]# kinit admin
>> Password for admin(a)IDM.NAC-ISSA.ORG <mailto:admin@IDM.NAC-ISSA.ORG>:
>>
>> [root@utility ~]# klist
>> Ticket cache: KCM:0:43616
>> Default principal: admin(a)IDM.NAC-ISSA.ORG
>> <mailto:admin@IDM.NAC-ISSA.ORG>
>>
>> Valid starting Expires Service principal
>> 09/07/2021 10:59:23 09/08/2021 10:09:04
>> krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>> <mailto:IDM.NAC-ISSA.ORG@IDM.NAC-ISSA.ORG>
>>
>> [root@utility ~]# ipa config-show
>> ipa: ERROR: cannot connect to
>> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <flo(a)redhat.com <mailto:flo@redhat.com>>
>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>>
>> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com
>> <mailto:jeremy_tourville@hotmail.com>>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>> after running ipa-dns-install? (Was - Unable to start directory
>> server after updates)
>>
>> Hi Jeremy,
>> Did you accept the security exception displayed by the browser (I'm
>> trying to eliminate obvious issues)?
>> If nothing is displayed, can you check if ipa command-line is
>> working as expected (for instance do "kinit admin; ipa config-show")?
>> You may want to enable debug logs (add debug=True to the [global]
>> section of /etc/ipa/server.conf and restart httpd service), retry
>> WebUI authentication and check the generated logs in
>> /var/log/http/error_log
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>
>> OK,
>> Why don't I see anything on the initial login page?
>> All I see is the URL and the fact that the certificate is not
>> trusted. The certificate is not expired yet. Not until Nov 2021.
>> The login in page is mostly solid white with no login or
>> password field.
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
>>