[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 14:51:13 UTC 2016


It is contacting the correct machine. I tried again by IP with the same 
results.

/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.

Web UI won't load. CLI won't respond either. Commands just hang.

# netstat -ln | grep 443
tcp6           0     0 :::8443 :::*                     LISTEN
tcp6           2     0 :::443                    :::* LISTEN
# netstat -ln | grep 8009
tcp6           0     0 127.0.0.1:8009 :::*                     LISTEN
# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
* Hostname was NOT found in DNS cache
*   Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
(long hang at this point, so I ^C-ed)

# openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(00000003)
(long hang at this point, aborted again)

For the other (longer) logs, see http://pastebin.com/esBBKyGZ

Also, answering Christian's questions:

mod_ssl has not been installed.

# ss -tpln | grep 443
LISTEN      0       100                :::8443               :::*    users:(("java",pid=26522,fd=84))
LISTEN      13      128                :::443                :::*    users:(("httpd",pid=26323,fd=6))
#

On 04/29/2016 10:08 AM, Petr Vobornik wrote:
> On 04/29/2016 02:53 PM, Bret Wortman wrote:
>> Despite "ipactl status" indicating that all processes were running after
>> step 1, step 2 produces "Unable to establish SSL connection."
>>
>> Full terminal session is at http://pastebin.com/ZuNBHPy0
> Hm, it doesn't help me much.
>
> Does it contact the correct machine? I.e., is IP address OK?
>
> What is the result of:
>
> netstat -ln | grep 443
> netstat -ln | grep 8009
>
> Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf
>
> Try to run curl, maybe it will be more verbose, but probably not:
>
>    # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> Christian(CCd), do you have any ideas?
>
> Could you look into /var/log/httpd/error_log or syslog (would try
> /var/log/message and journalctl)? There might be more information about the:
> """
> status: NEED_TO_SUBMIT
> ca-error: Internal error
> """
> Which may help us with root culprit.
>
> Do web ui or CLI work?
>
>> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>>> The date change was due (I think) to me changing the date back to 4/1
>>>> yesterday, though I left it there and haven't updated it again until
>>>> this morning, when I went back to 4/1 again.
>>>>
>>>> I put the results of the commands you requested at
>>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>>> appreciate it.
>>>>
>>>>
>>>> Bret
>>> If I combine this and the previous output, it seems that:
>>>
>>> - PKI starts normally
>>> - ipactl has trouble determining that PKI started and after 5 mins
>>> of failed attempts it stops the whole of IPA (expected behavior when a
>>> service doesn't start)
>>>
>>> The failed attempt is:
>>> """
>>> ipa: DEBUG: Waiting until the CA is running
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>>> '--no-check-certificate'
>>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>>> ipa: DEBUG: Process finished, return code=4
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>>> https://zsipa.private.net/ca/admin/ca/getStatus
>>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>>> Connecting to zsipa.private.net
>>> (zsipa.private.net)|192.168.208.53|:443... connected.
>>> Unable to establish SSL connection.
>>>
>>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>>> exit status 4
>>> """
>>>
>>> It says "Unable to establish SSL connection", it would be good to get
>>> more details.
>>>
>>> Also given that the CA cert was renewed on April 3rd and that all certs
>>> expire after that date, we should rather use the date April 4th when moving
>>> the date back.
>>>
>>> So first start IPA again (date April 4th) but force it to not stop
>>> services
>>>
>>> 1. ipactl start --force
>>> wait until all is started
>>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>>
>>> optionally (assuming that the CA won't be turned off)
>>> 3. getcert list
>>>
>
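
The two socket listings in this message carry the most telling detail of the thread: on a LISTEN socket, ss(8) and netstat(8) report Recv-Q as the number of completed connections sitting in the accept queue, and ss reports Send-Q as the backlog limit. A queue of 13 on :::443 owned by httpd, together with curl and openssl both hanging right after "CONNECTED", means the kernel finished the TCP handshake but httpd never called accept(), so no TLS handshake can start. The script below is an added example, not from the thread or the FreeIPA project: it bounds the getStatus probe with a wall-clock timeout (wget's --timeout is per network operation, so timeout(1) is assumed to be available) and flags listeners with a non-empty accept queue from either tool's output. The ss and netstat lines are copied from this message except for the 127.0.0.1:8009 ss line, which is constructed; the field layouts assumed are the standard ss -tpln and netstat -ln ones.

```shell
#!/bin/sh
# Added diagnostic for a CA health check that hangs at the TLS handshake.
# Assumes: timeout(1), openssl(1), curl(1), POSIX awk; ss -tpln / netstat -ln layouts.

# Sample output constructed from the thread (ss -tpln | grep 443, plus one
# constructed 8009 line); not captured live by this script.
SAMPLE_SS='LISTEN      0       100                :::8443               :::*    users:(("java",pid=26522,fd=84))
LISTEN      13      128                :::443                :::*    users:(("httpd",pid=26323,fd=6))
LISTEN      0       128          127.0.0.1:8009                  :::*    users:(("java",pid=26522,fd=90))'

# Sample netstat -ln lines from the thread.
SAMPLE_NETSTAT='tcp6           0     0 :::8443 :::*                     LISTEN
tcp6           2     0 :::443                    :::* LISTEN
tcp6           0     0 127.0.0.1:8009 :::*                     LISTEN'

# Read ss -tln or netstat -ln output on stdin; print one line per LISTEN
# socket whose accept queue (Recv-Q) is non-empty.  A queue that stays
# non-zero means the owning process is not accepting connections, which is
# exactly what a client sees as "CONNECTED" followed by a silent hang.
stuck_listeners() {
    awk '
        { q = "" }
        # ss layout:      State Recv-Q Send-Q Local-Address ... users:(("name",pid=N,fd=M))
        $1 == "LISTEN"                 { q = $2; b = $3; a = $4 }
        # netstat layout: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $NF == "LISTEN" { q = $2; b = "?"; a = $4 }
        q != "" && q + 0 > 0 {
            sub(/.*:/, "", a)                    # keep only the port
            proc = "-"
            if (match($0, /"[^"]+",pid=[0-9]+/)) {
                proc = substr($0, RSTART, RLENGTH)
                gsub(/"/, "", proc)
            }
            printf "port=%s queued=%s backlog=%s owner=%s\n", a, q, b, proc
        }'
}

# Reproduce ipactl'"'"'s wait-for-CA probe, but with a hard wall-clock limit so a
# hung handshake cannot stall the whole diagnosis.  Exit 124 from timeout(1)
# distinguishes "hung" from "refused/failed".  Hostname is a parameter.
probe_ca_status() {
    host=$1
    # Step 1: bare TLS handshake, no HTTP.  Hangs here = the listener is not
    # accepting (check stuck_listeners); fails here = certificate/TLS problem.
    timeout 20 openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo "tls: handshake ok" ;;
        124) echo "tls: handshake hung for 20s (accept queue?)"; return $rc ;;
        *)   echo "tls: handshake failed rc=$rc"; return $rc ;;
    esac
    # Step 2: the actual CA status URL ipactl polls, same certificate handling
    # as its wget --no-check-certificate call.
    timeout 30 curl -sS -k --max-time 25 "https://$host:443/ca/admin/ca/getStatus"
}

# Stand-alone run: report queued listeners from the samples, and probe a
# host only when one is given on the command line.
printf '%s\n' "$SAMPLE_SS" | stuck_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | stuck_listeners
if [ -n "${1-}" ]; then
    probe_ca_status "$1"
fi
```

On a live box, pipe `ss -tpln` (or `netstat -ln`) straight into stuck_listeners and run it a few seconds apart: a queue that grows across runs points at the listener, not the network or the certificates, and the owner field tells you which process to inspect (here httpd, whose error_log is where Petr suggests looking).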
