
SSL certificate problem: unable to get local issuer certificate

Open SiddheshxC13 opened this issue 1 year ago • 8 comments

I am able to access through my browser the self-hosted freeipa but not able to curl it:

siddhesh@test1:~$ curl https://authipa.in.micalys.ai/ipa/ui/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

SiddheshxC13, Dec 27 '24 11:12

Is test1 an enrolled client of your IPA server? If not then that's why.

If it is then you can get information on what the chain is with curl -w "%{certs}" -v https://...

rcritten, Jan 02 '25 14:01

I get this issue when curling from the freeIPA server itself.

joshuacox, Feb 23 '25 21:02

Same questions.

rcritten, Feb 24 '25 13:02

The question is whether the IPA server is an enrolled client of the IPA server? I think so; if not, how do I enroll the server to itself? Does that change the TLS/SSL certificate?

joshuacox, Feb 24 '25 22:02

Did you run ipa-certupdate on the server?

rcritten, Feb 24 '25 23:02

Yep, the cert is failing with all the ipa tools:

sudo ipa-certupdate
cannot connect to 'https://auth.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)
The ipa-certupdate command failed.

joshuacox, Feb 24 '25 23:02

Which means ipa-certupdate wasn't run after using ipa-cacert-manage to add the certificate chain to IPA and before installing the LE certs. I don't know how this can happen if the setup-le.sh script is used.

You can try making the chain available locally by copying the roots to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust.

Try curl again. It should work if you loaded the right roots.

Then run ipa-cacert-manage list to see if the roots were loaded into IPA. If so run ipa-certupdate and re-verify that things are trusted. If not then do so. Or re-run setup-le.sh, perhaps commenting out the last line to retrieve certificates.

rcritten, Feb 25 '25 02:02
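The diagnosis and fix rcritten describes above (look at the chain the server sends, check it against the trust store curl uses and the bundle the ipa tools use, drop the missing root into the anchors directory, rebuild the trust store, then re-check with curl and with `ipa-cacert-manage list`), written out as one script. This is an added example for this thread, not code from freeipa-letsencrypt or from FreeIPA. It assumes a Fedora/RHEL layout (`/etc/pki/tls/certs/ca-bundle.crt` for the system store, `/etc/pki/ca-trust/source/anchors` plus `update-ca-trust`), that the Python ipa tools verify the server against the client CA bundle `/etc/ipa/ca.crt`, and that `openssl` and `python3` are installed. The server name comes from the `IPA_HOST` environment variable and the root to install from `ROOT_PEM`; with neither set, the script only defines its functions and touches nothing.

```shell
#!/bin/sh
# Diagnose "unable to get local issuer certificate" against a FreeIPA web UI
# and optionally install the missing root into the system trust store.
# Added example for this issue thread; not part of freeipa-letsencrypt or FreeIPA.
# Assumed paths (Fedora/RHEL) and the IPA client bundle are listed below.
set -u

SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # store curl verifies against
IPA_BUNDLE=/etc/ipa/ca.crt                       # bundle the ipa tools use (assumption)
ANCHORS=/etc/pki/ca-trust/source/anchors         # where update-ca-trust picks up roots

# Split a PEM bundle on stdin into $1/cert1.pem, cert2.pem, ...; print the count.
# Non-certificate lines (openssl s_client chatter) are dropped.
split_chain() {
  dir=$1
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }'
}

# Fetch the chain host $1 actually serves (leaf first) into directory $2.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | split_chain "$2"
}

# Print subject and issuer of every served cert so the missing link is visible.
describe_chain() {
  for f in "$1"/cert*.pem; do
    printf '%s\n' "$f"
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Verify the leaf ($1/cert1.pem) against bundle $2; the served intermediates
# are passed as -untrusted, exactly as a TLS client would treat them.
verify_against() {
  dir=$1; bundle=$2
  untrusted=""
  for f in "$dir"/cert*.pem; do
    [ "$f" = "$dir/cert1.pem" ] || untrusted="$untrusted -untrusted $f"
  done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$bundle" $untrusted "$dir/cert1.pem"
}

# The same check the Python ipa tools perform: a TLS handshake verified with $2.
python_check() {
  python3 - "$1" "$2" <<'EOF'
import socket, ssl, sys
host, bundle = sys.argv[1], sys.argv[2]
ctx = ssl.create_default_context(cafile=bundle)
try:
    with socket.create_connection((host, 443), timeout=10) as s, \
         ctx.wrap_socket(s, server_hostname=host) as t:
        print("python ssl OK with", bundle, "issuer:", t.getpeercert()["issuer"][-1])
except ssl.SSLCertVerificationError as e:
    print("python ssl FAILED with", bundle, "->", e.verify_message)
    sys.exit(1)
EOF
}

# Install root $1 as a system anchor and rebuild the trust store (needs root).
install_root() {
  cp "$1" "$ANCHORS/" && update-ca-trust
}

if [ -n "${IPA_HOST:-}" ]; then
  work=$(mktemp -d)
  echo "served chain has $(fetch_chain "$IPA_HOST" "$work") certificate(s)"
  describe_chain "$work"
  echo "--- system store (what curl uses):"; verify_against "$work" "$SYSTEM_BUNDLE" || true
  echo "--- IPA bundle (what the ipa tools use):"; verify_against "$work" "$IPA_BUNDLE" || true
  python_check "$IPA_HOST" "$IPA_BUNDLE" || true
  if [ -n "${ROOT_PEM:-}" ]; then            # e.g. ROOT_PEM=isrgrootx1.pem
    install_root "$ROOT_PEM"
    curl -sS -o /dev/null "https://$IPA_HOST/ipa/ui/" && echo "curl OK after update-ca-trust"
    ipa-cacert-manage list                   # the same root should be listed here
  fi
fi
```

Run it as `IPA_HOST=auth.example.com sh check-chain.sh` first to see which bundle rejects the leaf; if only the system store check fails, the anchors step fixes curl, and if the IPA bundle check fails too, that is the state in which `ipa-certupdate` cannot connect and the root must also be loaded with `ipa-cacert-manage` before it will succeed.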

Indeed, it was the setup-le.sh that I ran in the first place to install this, and after re-running setup-le.sh (minus the last retrieval line), it ends like this:

Installing CA certificate, please wait
Verified CN=R11,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
cannot connect to 'https://auth.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)
The ipa-certupdate command failed.

So the ipa-cacert-manage command was successful, but ipa-certupdate immediately fails.

joshuacox, Feb 25 '25 18:02