I’ve seen this twice now so I’m documenting the fix so I don’t have to go hunting again.
Basically it starts as a typical “oh crap my certs expired” question on #freeipa or freeipa-users. Sadly the usual things don’t seem to help (go back in time).
The last time this happened there was the added twist that the renewal master was gone so we had to first reconfigure a replica to do the renewal (you do have more than one CA right? RIGHT?)
Anyway, he would persistently get the “Peer certificate cannot be authenticated” message. We tried:
- Confirming that ipaCert was the correct value in the IPA RA entry in LDAP
- Confirming that the CA is up and running:
  curl --cacert /etc/ipa/ca.crt -v https://`hostname`:8443/ca/ee/ca/getCertChain
- Ensuring that the CA signing cert in the Dogtag NSS database and /etc/ipa/ca.crt are the same cert, i.e. that the output of
  certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a
  matches
  cat /etc/ipa/ca.crt
Then I remembered a fellow Red Hatter had reported a similar issue and discovered that the fix was to reset the NSS trust flags in the Apache NSS database (which certmonger uses).
# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
You should get “client certificate not found” (the agent interface asks for a client cert and curl has none to offer, so the TLS handshake itself succeeded). If you get the peer certificate error instead, clear the trust flags on the CA cert and set them back to CT,C,C:
# certutil -M -d /etc/httpd/alias -n 'EXAMPLE.COM IPA CA' -t ,,
# certutil -M -d /etc/httpd/alias -n 'EXAMPLE.COM IPA CA' -t CT,C,C
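The checks and the fix above, gathered into one sh script. This is an added example, not code from the original post or from FreeIPA itself. It assumes the FreeIPA defaults (Apache NSS db in /etc/httpd/alias, Dogtag's in /etc/pki/pki-tomcat/alias, CA in /etc/ipa/ca.crt) and that the CA's nickname in the Apache db is of the form "<REALM> IPA CA", with EXAMPLE.COM standing in for your realm. With no argument it only parses a constructed sample certutil listing; `check` runs the real checks and `fix` additionally resets the flags.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeIPA default paths;
# EXAMPLE.COM is a placeholder for the realm.
NSSDB=/etc/httpd/alias
PKI_DB=/etc/pki/pki-tomcat/alias
CA_PEM=/etc/ipa/ca.crt
CA_NICK='EXAMPLE.COM IPA CA'
WANT_FLAGS='CT,C,C'

# Constructed sample of `certutil -L -d /etc/httpd/alias` output, used only
# by the offline demo; `check` reads the real database.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                              CT,C,C
Server-Cert                                     u,u,u
ipaCert                                         u,u,u'

# Print the trust attributes for one (full) nickname from a certutil -L
# listing read on stdin. Nicknames may contain spaces, so match on the line
# prefix followed by whitespace rather than on $1.
trust_flags_of() {
    awk -v nick="$1" '
        index($0, nick) == 1 && substr($0, length(nick) + 1, 1) ~ /[[:space:]]/ {
            print $NF; exit
        }'
}

# Compare two PEM files by SHA-256 fingerprint; returns 0 if same cert.
same_cert() {
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 2
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2") || return 2
    [ "$a" = "$b" ]
}

# The fix from the post: clear the flags, then set them back to CT,C,C.
reset_ca_trust() {
    certutil -M -d "$NSSDB" -n "$CA_NICK" -t ,,
    certutil -M -d "$NSSDB" -n "$CA_NICK" -t "$WANT_FLAGS"
}

check_ipa_ca() {
    host=$(hostname)
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT

    echo "== CA reachable over TLS using $CA_PEM?"
    if curl -sS --cacert "$CA_PEM" -o /dev/null "https://$host:8443/ca/ee/ca/getCertChain"; then
        echo ok
    else
        echo "FAILED (is pki-tomcatd running?)"
    fi

    echo "== Does $CA_PEM match the CA signing cert in $PKI_DB?"
    certutil -L -d "$PKI_DB" -n 'caSigningCert cert-pki-ca' -a > "$tmp"
    if same_cert "$tmp" "$CA_PEM"; then echo ok; else echo MISMATCH; fi

    echo "== Trust flags on '$CA_NICK' in $NSSDB (want $WANT_FLAGS)"
    flags=$(certutil -L -d "$NSSDB" | trust_flags_of "$CA_NICK")
    echo "have: ${flags:-<nickname not found>}"

    echo "== Client connection to the agent interface using the Apache NSS db"
    out=$(SSL_DIR="$NSSDB" curl -v -o /dev/null --cacert "$CA_PEM" \
          "https://$host:8443/ca/agent/ca/profileReview" 2>&1)
    case "$out" in
        *"client certificate not found"*)
            echo "ok: handshake succeeded, server asked for a client cert (expected)" ;;
        *"Peer certificate cannot be authenticated"*)
            echo "peer cert error: wrong trust flags are the likely cause" ;;
        *)  echo "unexpected output, inspect manually:"; printf '%s\n' "$out" | tail -n 5 ;;
    esac

    if [ "${1:-}" = "--fix" ]; then
        reset_ca_trust && echo "trust flags reset on '$CA_NICK'"
    fi
}

case "${1:-demo}" in
    demo)  printf '%s\n' "$SAMPLE_LISTING" | trust_flags_of "$CA_NICK" ;;  # prints CT,C,C
    check) check_ipa_ca ;;
    fix)   check_ipa_ca --fix ;;
esac
```

Run it as root on the renewal master (`sh ipa-ca-trust.sh check`, then `fix` if the flags or the agent-interface probe look wrong). The flag reset is deliberately the two-step clear-then-set from the post rather than a single `-t CT,C,C`, since simply re-setting the same flags was not what resolved the problem.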