I came to the team new and don't know the background as to what all had been done, and
recently we started getting one issue in the DR environment:
Using IPA 3.0.0 in both PROD/DR
While trying to delete a host using the IPA UI or CLI, it is giving an SSL error in DR (it works in
Prod):
cannot connect to 'https://hostname:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
I set debug mode and, on making a request (ipa ping), I can see the error below:
ipa: INFO: Connection to https:hostnmae/ipa/xml failed with (SSL_ERROR_RX_RECORD_TOO_LONG)
SSL received a record that exceeded the maximum permissible length.
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None):
https://hostname, https:hostname1/ipa/xml
On troubleshooting, I came across
this (https://www.freeipa.org/page/Troubleshooting#Authentication_Errors):
I ran the steps below on DR:
Use getcert list -d /etc/httpd/alias -n ipaCert
Request ID '20170303094036':
status: MONITORING
stuck: no
------------------------------------
OK, till here it means the certificate nicknamed ipaCert is being managed by Certmonger.
If it isn't in MONITORING, or it is and things still aren't working, compare the
serial number of the certificate with that on other IPA masters:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
So, something is wrong here.
In PROD, it works fine:
[root@ProdHostName ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
Further, investigating the issue on DR:
[root@DRHostName ipacerts]# certutil -L -d /etc/httpd/alias
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI
Internal_Issuing_CA                       CT,C,C
Internal_Root_CA                          CT,C,C
DRHostName                                u,u,u
On PROD:
[root@ProdHostName ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI
FQDN IPA CA                               CT,C,C
ipaCert                                   u,u,u
Signing-Cert                              u,u,u
Server-Cert                               u,u,u
I am not sure, but the certificate 'ipaCert' not being shown by the 'certutil' command
seems to be an issue. I need guidelines to understand whether my investigation is on the
right lines and, if yes, how to resolve this.
Will be happy to provide the output of any command or log-file.
Thanks,
Amit.
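The comparison the post walks through by hand (which nicknames an NSS database is missing, and whether the ipaCert serial matches across masters) can be scripted. This is an added example, not part of the original post or of FreeIPA; the listings are constructed from the DR and PROD output quoted above, and the expected nickname set (ipaCert, Server-Cert, Signing-Cert) is an assumption drawn from the PROD listing.

```shell
#!/bin/sh
# Added example (not from the post or FreeIPA): parse `certutil -L` output
# from /etc/httpd/alias and report missing nicknames / mismatched serials.
# Constructed listings copied from the post; replace with live output.
DR_LISTING='Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Internal_Issuing_CA CT,C,C
Internal_Root_CA CT,C,C
DRHostName u,u,u'

PROD_LISTING='Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
FQDN IPA CA CT,C,C
ipaCert u,u,u
Signing-Cert u,u,u
Server-Cert u,u,u'

# missing_nicknames LISTING: print each expected nickname (assumed set) that
# does not appear as the first field of any line; prints nothing if all present.
missing_nicknames() {
    for nick in ipaCert Server-Cert Signing-Cert; do
        printf '%s\n' "$1" | awk -v n="$nick" '$1 == n { f = 1 } END { exit !f }' \
            || printf '%s\n' "$nick"
    done
}

# cert_serial LINE: decimal serial from a "Serial Number: 7 (0x7)" line
# as produced by `certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial`.
cert_serial() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9]*\).*/\1/p'
}

# serials_match LINE_A LINE_B: succeeds only when both carry the same
# non-empty serial, i.e. the two masters hold the same ipaCert.
serials_match() {
    a=$(cert_serial "$1"); b=$(cert_serial "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone usage: `sh check_ipacert.sh --check` reports what DR lacks.
if [ "${1:-}" = "--check" ]; then
    echo "DR database is missing:"; missing_nicknames "$DR_LISTING"
fi
```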