So, my IPA server rebooted last night (from dnf automatic updates -- Fedora Server 31)
When it came back, IPA basically is unusable, since pretty much every action logs this: (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))
I think this is because the contents of /etc/httpd/alias/ are probably corrupted somehow (the only file there is ipasession.key)
certutil -L -d /etc/httpd/alias/ results in: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Any help would be useful! Thank you :)
None via FreeIPA-users wrote:
So, my IPA server rebooted last night (from dnf automatic updates -- Fedora Server 31)
When it came back, IPA basically is unusable, since pretty much every action logs this: (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))
I think this is because the contents of /etc/httpd/alias/ are probably corrupted somehow (the only file there is ipasession.key)
certutil -L -d /etc/httpd/alias/ results in: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Any help would be useful! Thank you :)
IPA doesn't use mod_nss in Fedora any more so it's expected that there is no cert database.
Run ipactl start to see what is going on.
rob
Existing service file detected! Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
IPA thinks it's working, and all of the ancillary services (named, krb5kdc, ldap) are all working. The IPA UI doesn't work (you can access the login screen, but it fails trying to log in with the above error), etc.
On Tue, Mar 3, 2020 at 11:38 AM Rob Crittenden rcritten@redhat.com wrote:
IPA doesn't use mod_nss in Fedora any more so it's expected that there is no cert database.
Run ipactl start to see what is going on.
rob
Figured it out. It's half unsupported use-case and half bug in freeipa's httpd configuration:
If the httpd instance used by freeipa also hosts other vhosts on the same IP (and those vhosts have SSL certs), then freeipa can't resolve itself. It works fine on different IP addresses though. The fix would be to add a VirtualHost just for freeipa that configures the SSL certs used by freeipa, versus just modifying the default SSL configuration
On Tue, Mar 3, 2020 at 11:44 AM Justin Haygood jhaygood86@gmail.com wrote:
Existing service file detected! Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
IPA thinks it's working, and all of the ancillary services (named, krb5kdc, ldap) are all working. The IPA UI doesn't work (you can access the login screen, but it fails trying to log in with the above error), etc.
On ti, 03 maalis 2020, Justin Haygood via FreeIPA-users wrote:
Figured it out. It's half unsupported use-case and half bug in freeipa's httpd configuration:
If the httpd instance used by freeipa also hosts other vhosts on the same IP (and those vhosts have SSL certs), then freeipa can't resolve itself. It works fine on different IP addresses though. The fix would be to add a VirtualHost just for freeipa that configures the SSL certs used by freeipa, versus just modifying the default SSL configuration
Correct. We do not support this but I run in a similar configuration myself and effectively have to maintain two mod_ssl configurations. I ended up using the same cert in both, with a domain wildcard just for this purpose. But it is pretty much a manual configuration.
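The shape of the "VirtualHost just for freeipa" that Justin describes, and of the two mod_ssl configurations Alexander says he maintains, as an added illustration that is not configuration from this thread or from the FreeIPA project. The host names ipa.example.test and www.example.test are constructed; the file name ipa-vhost.conf and the IPA certificate and key paths are assumptions and should be copied from the SSL* directives in the ssl.conf that IPA itself installs rather than taken from here.

```apache
# Added example, not from the thread or from FreeIPA. Assumptions:
#   - ipa.example.test (the IPA server) and www.example.test (an unrelated
#     site) share one IP address and both listen on 443 (constructed names)
#   - the IPA cert/key paths match the SSLCertificateFile and
#     SSLCertificateKeyFile lines in IPA's own /etc/httpd/conf.d/ssl.conf
#
# Why a dedicated vhost is needed: mod_ssl serves the certificate of the
# <VirtualHost> whose ServerName matches the SNI name the client sends. If
# the IPA certificate lives only in the default ssl.conf and another
# name-based vhost is defined for the same IP:443, a request for
# ipa.example.test (including IPA's own requests to itself) can be answered
# with the other site's certificate, and the client fails verification with
# CERTIFICATE_VERIFY_FAILED. Giving IPA its own ServerName fixes the match.
#
# Apache does not allow comments after a directive on the same line, so all
# comments here sit on their own lines.

# /etc/httpd/conf.d/ipa-vhost.conf (assumed file name): IPA's own vhost
<VirtualHost *:443>
    ServerName ipa.example.test
    SSLEngine on
    # Assumed paths; copy the real ones from IPA's ssl.conf. The key is
    # passphrase protected in current IPA releases, so leave the server-wide
    # SSLPassPhraseDialog line in ssl.conf untouched.
    SSLCertificateFile    /var/lib/ipa/certs/httpd.crt
    SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
</VirtualHost>

# /etc/httpd/conf.d/www.conf: the other site keeps its own certificate and
# never has to touch the default SSL configuration IPA manages
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www/www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
</VirtualHost>
```

To confirm which certificate each name is answered with, run `httpd -S` to see the vhost list and which vhost is the default for *:443, then `openssl s_client -connect ipa.example.test:443 -servername ipa.example.test </dev/null | openssl x509 -noout -subject` and the same command with `-servername www.example.test`; the subjects should differ and the IPA one should be the IPA host certificate. As Alexander notes, this stays a manual configuration, so re-run the check after IPA or httpd upgrades that touch ssl.conf.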
freeipa-users@lists.fedorahosted.org