[Freeipa-users] IPA server having cert issues
Christian Heimes
cheimes at redhat.com
Fri Apr 29 14:24:29 UTC 2016
On 2016-04-29 16:08, Petr Vobornik wrote:
> On 04/29/2016 02:53 PM, Bret Wortman wrote:
>> Despite "ipactl status" indicating that all processes were running after
>> step 1, step 2 produces "Unable to establish SSL connection."
>>
>> Full terminal session is at http://pastebin.com/ZuNBHPy0
>
> Hm, it doesn't help me much.
>
> Does it contact the correct machine? I.e., is IP address OK?
>
> What is the result of:
>
> netstat -ln | grep 443
> netstat -ln | grep 8009
>
> Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf
>
> Try to run curl, maybe it will be more verbose, but probably not:
>
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> Christian(CCd), do you have any ideas?

Is Apache HTTPD running and listening on 443/TCP?

$ ss -tpln | grep 443

Did you install mod_ssl by any chance? FreeIPA uses mod_nss. mod_ssl can
disrupt TLS services.

The openssl client tool shows more debug information than curl:

openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10

Christian
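
The checks suggested above, as an added shell example that is not part of the original message or of FreeIPA's tooling: it reads saved `ss -tln` and `httpd -M` output, matches ports exactly (so 8443 does not count as 443), and reports whether mod_ssl is loaded next to mod_nss. The function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: offline triage of the listener and TLS-module checks.
# Inputs are the text output of `ss -tln` and `httpd -M`.

# Print "yes" if a LISTEN socket is bound to exactly the given TCP port.
port_listening() {  # usage: port_listening PORT < ss_output
  awk -v p="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { print (found ? "yes" : "no") }'
}

# Classify the Apache TLS modules listed by `httpd -M`.
tls_modules() {  # usage: tls_modules < httpd_M_output
  awk '
    $1 == "ssl_module" { ssl = 1 }
    $1 == "nss_module" { nss = 1 }
    END {
      if (ssl && nss) print "conflict: mod_ssl and mod_nss both loaded"
      else if (nss)   print "ok: mod_nss only"
      else if (ssl)   print "mod_ssl only (FreeIPA expects mod_nss)"
      else            print "no TLS module loaded"
    }'
}

# Constructed sample data, not taken from the reporter's host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:8009     *:*
LISTEN 0      100    :::8443            :::*'
SAMPLE_MODS='Loaded Modules:
 core_module (static)
 nss_module (shared)
 ssl_module (shared)'

for port in 443 8009; do
  printf '%s/tcp listening: %s\n' "$port" \
    "$(printf '%s\n' "$SAMPLE_SS" | port_listening "$port")"
done
printf 'TLS modules: %s\n' "$(printf '%s\n' "$SAMPLE_MODS" | tls_modules)"
```

On a live host, pipe the real commands into the functions, for example `ss -tln | port_listening 443` and `httpd -M 2>/dev/null | tls_modules`.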