Unable to log in to FreeIPA web ui - “Login failed due to an unknown reason.”

Question

I have few months old freeipa installation. However, lately when I came back to continue my administration with IPA server I cannot login to it.

DNS is working in my private network without problem even I cannot login to IPA system. I'm using letsencrypt certs in the httpd setup.

$ ipa-pkinit-manage status

PKINIT is enabled
The ipa-pkinit-manage command was successful

$ klist

Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
31.08.2020 16.12.30  01.09.2020 16.12.25  krbtgt/EXAMPLE.COM@EXAMPLE.COM

$ ipa -v ping

ipa: ERROR: cannot connect to 'https://serenity.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

cat /var/log/httpd/error_log

[Mon Aug 31 16:31:30.125325 2020] [wsgi:error] [pid 9761:tid 139962713196288] [remote 10.0.12.31:58490] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='serenity.example.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Web ui login :

Login failed due to an unknown reason

Note: I've changed my domain realm to example.com

What is causing this problem and how to fix it ?

Most likely but how I can check it ? At least lestencrypt certificates are valid. — matsukan, Aug 31 '20 at 13:57
`echo '' | openssl s_client -connect serenity.example.com:636 | openssl x509 -noout -text` but also the first openssl command here might dump more than one cert (the cert chain), so check its output and maybe split it into multiple files for inspection. — bgStack15, Sep 01 '20 at 15:26

jollygreen_sasquatch · Answer 1 · 2020-09-03T00:32:54.057

Look at the contents of:

/etc/ipa/ca.crt
/var/lib/ipa-client/pki/ca-bundle.pem
/var/lib/ipa-client/pki/kdc-ca-bundle.pem

There should be multiple certs in each if you are using letsencrypt for https and a self-signed CA. clients registered before I added the letsencrypt root CAs were missing the extra certs from these 3 files.

I referenced https://github.com/freeipa/freeipa-letsencrypt for switching to letsencrypt, which has ipa-cacert-manage (to add the root CAs to freeipa's trust) and ipa-certupdate (to pull all certs in the freeipa trust down to the client) what I realized later is I should have run the ipa-certupdate on every client before flipping https to use letsencrypt.

thanks, problem resolved commenting use of away Letencrypt certs from the ssl.conf. I have to come back to this issue later on. — matsukan, Sep 04 '20 at 17:43

Unable to log in to FreeIPA web ui - “Login failed due to an unknown reason.”

1 Answers1

Linked