I have a few months old FreeIPA installation. However, lately when I came back to continue my administration with the IPA server I cannot log in to it.
DNS is working in my private network without problems even though I cannot log in to the IPA system. I'm using Let's Encrypt certs in the httpd setup.
$ ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
$ klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
31.08.2020 16.12.30 01.09.2020 16.12.25 krbtgt/EXAMPLE.COM@EXAMPLE.COM
$ ipa -v ping
ipa: ERROR: cannot connect to 'https://serenity.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
$ cat /var/log/httpd/error_log
[Mon Aug 31 16:31:30.125325 2020] [wsgi:error] [pid 9761:tid 139962713196288] [remote 10.0.12.31:58490] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='serenity.example.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
Web UI login:
Login failed due to an unknown reason
Note: I've changed my domain/realm to example.com in the output above.
What is causing this problem and how do I fix it?
Best Answer
Look at the contents of:
There should be multiple certs in each if you are using Let's Encrypt for HTTPS and a self-signed CA. Clients registered before I added the Let's Encrypt root CAs were missing the extra certs from these 3 files.
I referenced https://github.com/freeipa/freeipa-letsencrypt for switching to Let's Encrypt, which uses ipa-cacert-manage (to add the root CAs to FreeIPA's trust) and ipa-certupdate (to pull all certs in the FreeIPA trust down to the client). What I realized later is that I should have run ipa-certupdate on every client before flipping HTTPS to use Let's Encrypt.
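An added diagnostic for the situation in the answer (my own code, not from the question, the answer or the FreeIPA project): it lists the CA certificates in the client's IPA CA bundle, assumed here to be /etc/ipa/ca.crt, and performs the same Python ssl verification that produced the CERTIFICATE_VERIFY_FAILED in `ipa -v ping`, so a client that still lacks the Let's Encrypt roots can be spotted before HTTPS is switched over.

```python
"""Preflight: does this host's IPA CA bundle trust the IPA server's chain?"""
import socket
import ssl

IPA_CA_BUNDLE = "/etc/ipa/ca.crt"  # assumption: bundle ipa-certupdate refreshes


def split_pem_certs(pem_text):
    """Return the individual PEM certificate blocks found in a bundle."""
    blocks, current = [], []
    for line in pem_text.splitlines():
        if line.strip() == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif line.strip() == "-----END CERTIFICATE-----" and current:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return blocks


def bundle_ca_names(cafile):
    """Subject CN of every CA certificate the ssl module loads from cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    names = []
    for cert in ctx.get_ca_certs():
        # 'subject' is a tuple of RDNs, each a tuple of (type, value) pairs
        rdns = dict(pair for rdn in cert["subject"] for pair in rdn)
        names.append(rdns.get("commonName", "<no CN>"))
    return names


def check_server(host, cafile, port=443, timeout=5.0):
    """(ok, detail): verify host's chain against cafile like the ipa client."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(p for rdn in tls.getpeercert()["issuer"] for p in rdn)
                return True, "chain verified; leaf issued by %s" % issuer.get("commonName")
    except ssl.SSLCertVerificationError as exc:
        return False, "%s (run ipa-certupdate on this host)" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:  # unreadable bundle, refused connection
        return False, str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "serenity.example.com"
    print("CA certs in %s: %s" % (IPA_CA_BUNDLE, bundle_ca_names(IPA_CA_BUNDLE)))
    print(check_server(host, IPA_CA_BUNDLE))
```

Run it on a client before and after `ipa-certupdate`; the Let's Encrypt root should appear in the first line once the bundle has been refreshed from the server.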