[Freeipa-users] IPA server having cert issues

Petr Vobornik pvoborni at redhat.com
Fri Apr 29 12:58:41 UTC 2016


On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
> 
> Full terminal session is at http://pastebin.com/ZuNBHPy0
> 
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.

I cannot view the pastebin:
"""
This is a private paste. If you created this paste, please login to view it.
"""

>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has trouble determining that PKI started and after 5 mins
>> of failed attempts it stops the whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expire after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned off)
>> 3. getcert list
>>
> 


-- 
Petr Vobornik
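
An added example, not part of the original message or of FreeIPA's code: a small Python parser for the `getcert list` output from step 3 that reports which tracked certificates are already past their expiry at a candidate clock date. The sample output is constructed and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints; not data from this thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140403120001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2016-04-02 12:00:01 UTC
Request ID '20140403120002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2018-03-24 09:30:00 UTC
Request ID '20140403120003':
    status: MONITORING
    certificate: type=FILE,location='/etc/pki/example/ra-agent.pem'
    expires: 2016-04-10 00:00:00 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request: id, status, nickname, expires (UTC)."""
    certs, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        start = re.match(r"Request ID '([^']+)':", line)
        if start:
            cur = {"id": start.group(1), "status": None, "nickname": None, "expires": None}
            certs.append(cur)
        elif cur is None:
            continue  # header line before the first request
        elif line.startswith("status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("certificate:"):
            nick = re.search(r"nickname='([^']*)'", line)  # FILE-stored certs have none
            cur["nickname"] = nick.group(1) if nick else None
        elif line.startswith("expires:"):
            stamp = line.split(":", 1)[1].strip().replace(" UTC", "")
            cur["expires"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return certs

def expired_at(certs, clock):
    """(id, status) of tracked certs whose expiry is at or before the given clock."""
    return [(c["id"], c["status"]) for c in certs if c["expires"] and c["expires"] <= clock]

if __name__ == "__main__":
    tracked = parse_getcert(SAMPLE)
    for day in (1, 4, 11):
        print(f"2016-04-{day:02d}", expired_at(tracked, datetime(2016, 4, day, tzinfo=timezone.utc)))
```

`getcert list` prints only the expiry, so the start of validity of a recently renewed certificate still has to be checked separately when choosing the date to move the clock back to.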



