freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

SSL: CERTIFICATE_VERIFY_FAILED After Applied Letsencrypt #32

Closed Naolador closed 3 years ago

Naolador commented 3 years ago

I'm using the RHEL8 idm repository for the installation, and the server was working fine before I applied the Letsencrypt certs.

After the certs have been installed, I can't log in anymore. Here's the httpd log:

[Thu Jan 28 11:59:06.414247 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jan 28 11:59:06.414427 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: WSGI login_password.__call__:
[Thu Jan 28 11:59:06.415594 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_7726
[Thu Jan 28 11:59:06.415751 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Initializing anonymous ccache
[Thu Jan 28 11:59:06.416026 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:06.416249 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_7726', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
[Thu Jan 28 11:59:07.737575 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.737854 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=
[Thu Jan 28 11:59:07.737954 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.738276 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Initializing principal admin using password
[Thu Jan 28 11:59:07.738384 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_7726 for FAST webauth
[Thu Jan 28 11:59:07.738470 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Using enterprise principal
[Thu Jan 28 11:59:07.738605 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:07.738692 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', 'admin', '-c', '/run/ipa/ccaches/kinit_7726', '-T', '/run/ipa/ccaches/armor_7726', '-E']
[Thu Jan 28 11:59:07.810076 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.810333 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=Password for admin@EXAMPLE.COM:
[Thu Jan 28 11:59:07.810354 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665]
[Thu Jan 28 11:59:07.810477 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.810692 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Cleanup the armor ccache
[Thu Jan 28 11:59:07.810852 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:07.810949 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c', '/run/ipa/ccaches/armor_7726']
[Thu Jan 28 11:59:07.820520 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.820761 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=
[Thu Jan 28 11:59:07.820853 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.845840 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTP connection (1): idm.example.com:80
[Thu Jan 28 11:59:07.853263 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: http://idm.example.com:80 "GET /ipa/session/cookie HTTP/1.1" 301 247
[Thu Jan 28 11:59:07.857038 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTPS connection (1): idm.example.com:443
[Thu Jan 28 11:59:07.872285 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='idm.example.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Any ideas for the fix?

Setplus01 commented 3 years ago

I have the same situation. It happened after running the renew-le.sh script. I ran the command: ipa-server-certinstall -w -d /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crt

But unfortunately I don't know my private key unlock password. Maybe if you know it, you can run this command to set the credentials manually.

Naolador commented 3 years ago

@Setplus01 The private key password is stored in /var/lib/ipa/passwds/domain.com-443-RSA. For me, the command failed; I tried replacing the cert with a fullchain cert, but it's still not working:

[root@idm ~]# ln -s /etc/letsencrypt/live/idm.example.com/fullchain.pem /var/lib/ipa/certs/httpd.crt
[root@idm ~]# ipa-server-certinstall -w -d /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crt
Directory Manager password:

Enter private key unlock password:

The full certificate chain is not present in /var/lib/ipa/private/httpd.key, /var/lib/ipa/certs/httpd.crt
The ipa-server-certinstall command failed.
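The two symptoms in this thread, CERTIFICATE_VERIFY_FAILED from the framework's own HTTPS client and "The full certificate chain is not present" from ipa-server-certinstall, are the same defect seen from two sides: the served file holds only the leaf, so a client that trusts just the root cannot build a chain. The script below is an added example (not code from this issue or from the freeipa-letsencrypt project) that reproduces this with a throwaway root, intermediate and leaf built by the openssl CLI, and shows the check that tells a leaf-only httpd.crt apart from a fullchain.pem. The file names and CN values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from this issue or the freeipa-letsencrypt project.
# Builds a throwaway root -> intermediate -> leaf chain and shows that a
# leaf-only file fails verification against the trusted root while a
# fullchain file (leaf + intermediate) passes. Only needs the openssl CLI.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Throwaway root CA: plays the role of the root the IPA framework already trusts.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA: the certificate a leaf-only httpd.crt leaves out.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf for the web host name; the chain file is leaf followed by intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=idm.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -out leaf.pem 2>/dev/null
cat leaf.pem int.pem > fullchain.pem

# How many PEM certificates a file holds: 1 = leaf only, 2 or more = a chain.
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify the first certificate in $2 against trust anchor $1, using only the
# other certificates in $2 as intermediates, which is all a TLS client gets.
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

echo "leaf.pem: $(pem_cert_count leaf.pem) cert(s), fullchain.pem: $(pem_cert_count fullchain.pem) cert(s)"
chain_verifies root.pem leaf.pem      && echo "leaf-only: OK" || echo "leaf-only: CERTIFICATE_VERIFY_FAILED"
chain_verifies root.pem fullchain.pem && echo "fullchain: OK" || echo "fullchain: CERTIFICATE_VERIFY_FAILED"
```

The same two checks applied to the real files (the system CA bundle as trust anchor, /var/lib/ipa/certs/httpd.crt as the served chain) tell you before restarting httpd whether the framework's login round-trip will verify.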

R0flcopt3r commented 3 years ago

I have the same error as @Naolador

rcritten commented 3 years ago

Try with https://github.com/freeipa/freeipa-letsencrypt/pull/34

rcritten commented 3 years ago

We seem to have lost traction with this issue, closing.