[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 12:53:24 UTC 2016


Despite "ipactl status" indicating that all processes were running after 
step 1, step 2 produces "Unable to establish SSL connection."

Full terminal session is at http://pastebin.com/ZuNBHPy0

On 04/29/2016 07:29 AM, Petr Vobornik wrote:
> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>> The date change was due (I think) to me changing the date back to 4/1
>> yesterday, though I left it there and haven't updated it again until
>> this morning, when I went back to 4/1 again.
>>
>> I put the results of the commands you requested at
>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>> appreciate it.
>>
>>
>> Bret
> If I combine this and the previous output, it seems that:
>
> - PKI starts normally
> - ipactl has trouble determining that PKI started, and after 5 mins
> of failed attempts it stops the whole IPA (expected behavior when a service
> doesn't start)
>
> The failed attempt is:
> """
> ipa: DEBUG: Waiting until the CA is running
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
> https://zsipa.private.net/ca/admin/ca/getStatus
> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
> Connecting to zsipa.private.net
> (zsipa.private.net)|192.168.208.53|:443... connected.
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command
> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
> exit status 4
> """
>
> It says "Unable to establish SSL connection"; it would be good to get
> more details.
>
> Also, given that the CA cert was renewed on April 3rd and that all certs
> expire after that date, we should rather use the date April 4th when moving
> the date back.
>
> So first start IPA again (date April 4th) but force it to not stop services:
>
> 1. ipactl start --force
> wait until all is started
> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
> https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> optionally (assuming that the CA won't be turned off)
> 3. getcert list
>
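The wget probe that ipactl runs (shown in the quoted log above) only reports "Unable to establish SSL connection" and exit status 4, which is exactly why Petr asks for more detail. The script below is an added example, not FreeIPA's own code and not something posted in this thread: it opens a TLS connection to the same getStatus endpoint with Python's ssl module so that the OpenSSL reason string is visible on failure, and on success classifies the server certificate's validity window against the current clock (the thread's problem is a system date set before the April 3rd renewal). It assumes the IPA CA certificate is at /etc/ipa/ca.crt (the usual client path) and uses the URL from the log; SAMPLE_CERT is a constructed certificate dictionary used only to exercise the validity check offline.

```python
"""Probe a Dogtag CA getStatus endpoint with TLS-level diagnostics.

Added example for the thread above; not FreeIPA code. Assumptions:
- the CA trust anchor lives at /etc/ipa/ca.crt (assumed default path)
- the status URL is the one ipactl used in the quoted log
"""
import socket
import ssl
import sys
import time
from urllib.parse import urlparse

# URL taken from the quoted ipactl debug output.
CA_STATUS_URL = "https://zsipa.private.net:443/ca/admin/ca/getStatus"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer; mirrors the thread's situation (CA cert renewed April 3rd).
SAMPLE_CERT = {
    "subject": ((("commonName", "zsipa.private.net"),),),
    "notBefore": "Apr  3 12:00:00 2016 GMT",
    "notAfter": "Apr  3 12:00:00 2018 GMT",
}


def to_epoch(cert_time):
    """Convert a getpeercert() time string ('Apr  3 12:00:00 2016 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def validity_status(cert, now):
    """Classify a certificate's validity window against a clock value (epoch seconds).

    A clock set before notBefore is the failure mode discussed in the thread:
    the handshake fails even though the CA itself started normally.
    """
    not_before = to_epoch(cert["notBefore"])
    not_after = to_epoch(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def probe(url=CA_STATUS_URL, cafile="/etc/ipa/ca.crt", timeout=30):
    """Open a verified TLS connection to the status endpoint.

    Returns a dict: on success the negotiated protocol, subject and validity
    status of the peer certificate; on failure the exception class and the
    OpenSSL reason, which wget's one-line error hides.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    try:
        # Context creation is inside the try so a missing cafile is reported too.
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": cert.get("subject"),
                    "notAfter": cert.get("notAfter"),
                    "validity": validity_status(cert, time.time()),
                }
    except ssl.SSLError as exc:
        # exc.reason carries the OpenSSL reason (e.g. CERTIFICATE_VERIFY_FAILED).
        return {"ok": False, "error": exc.__class__.__name__,
                "reason": getattr(exc, "reason", None), "detail": str(exc)}
    except OSError as exc:
        # DNS, connect, timeout, or unreadable cafile.
        return {"ok": False, "error": exc.__class__.__name__, "detail": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CA_STATUS_URL
    print(probe(target))
```

Run it on the IPA server with the CA started (`ipactl start --force`, as in step 1); a verification failure shows the OpenSSL reason alongside the clock-versus-validity classification, which tells you whether the date, the trust anchor, or the service itself is the problem.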
