Internal server error HTTPSConnectionPool(host='server2.idm.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f24


Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • IPA Server

Issue

The following error occurs when trying to install a new IPA replica:

     2025-05-05T20:42:38Z ERROR Reverse DNS resolution of address 172.13.x.x (sever2.idm.domain.local) failed. Clients may not function 
     properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
     ....
     Get credentials to log in to remote master
     ERROR: Cannot acquire Kerberos ticket: kinit: Password incorrect while getting initial credentials
     ...
     2025-05-05T20:42:52Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Connection check failed!

Running ipa-healthcheck from a working replica shows:

Internal server error HTTPSConnectionPool(host='server2.idm.domain.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by 
   NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f24393c0710>: Failed to establish a new connection: [Errno 111] Connection refused',))

Resolution

Remove the CA subsystem entry that belongs to a server which no longer exists in the topology.
NOTE: The commands below must be run from a working IPA server/replica.

  1. Make a backup LDIF of the security domain entries.
     # ldapsearch -o ldif-wrap=no -xLLLD cn="directory manager" -W -b "cn=CAList,ou=Security Domain,o=ipaca" > securitydomain.ldif
  2. Create a file containing the DN of the entry to remove.
     # vi /tmp/removeSDmember.ldif
     cn=server2.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca
  3. Stop the pki-tomcat service.
     # systemctl stop pki-tomcatd@pki-tomcat.service
  4. Run ldapdelete as shown below. The command assumes the file is in /tmp; you will be prompted for the Directory Manager password.
     # ldapdelete -D "cn=directory manager" -W -c -r -f /tmp/removeSDmember.ldif
  5. Start the service again.
     # systemctl start pki-tomcatd@pki-tomcat.service
  6. Check that the old security domain entry was removed:
     # pki securitydomain-show
     # ipa-healthcheck --failures-only --output-type human

Root Cause

A replica was improperly removed, and the old CA subsystem related to this replica still exists in the environment.

Diagnostic Steps

  1. Run ipa-healthcheck from a working IPA server:
     # ipa-healthcheck --failures-only --output-type human
     Internal server error HTTPSConnectionPool(host='server2.idm.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by 
        NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f24393c0710>: Failed to establish a new connection: [Errno 111] Connection refused',))
  2. Check which IPA servers are currently valid in the environment:
     # ipa config-show | grep -i "IPA masters"
     # ipa topologysegment-find domain
  3. Check the topology graph in the Web UI: select IPA Server > Topology > Topology Graph.
  4. Check the security domain output.

# pki securitydomain-show
  CA Subsystem:

    Host ID: CA server1.idm.domain.com 443
    Hostname: server1.idm.domain.com
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

    Host ID: CA server2.idm.domain.com 443   <----
    Hostname: server2.idm.domain.com
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

Also, check with ldapsearch:

# ldapsearch -o ldif-wrap=no -xLLLD cn="directory manager" -W -b "cn=CAList,ou=Security Domain,o=ipaca"
...snip...
dn: cn=server1.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
cn: server1.idm.domain.com:443
host: server1.idm.domain.com
SecurePort: 443
SecureAgentPort: 443
SecureAdminPort: 443
UnSecurePort: 80
SecureEEClientAuthPort: 443
DomainManager: TRUE
Clone: TRUE
SubsystemName: CA server1.idm.domain.com 8443

dn: cn=server2.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca  <----- old entry
objectClass: top
objectClass: pkiSubsystem
cn: server2.idm.domain.com:443
host: server2.idm.domain.com
SecurePort: 443
SecureAgentPort: 443
SecureAdminPort: 443
UnSecurePort: 80
SecureEEClientAuthPort: 443
DomainManager: TRUE
Clone: TRUE
SubsystemName: CA server2.idm.domain.com 8443
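As an added check that is not part of the article, the script below compares the CAList entries from the ldapsearch above with the current IPA masters from `ipa config-show` and prints the DN of every CA subsystem whose host is no longer a master. The function names (masters_from_config, stale_ca_entries, stale_ca_entries_demo) are hypothetical, and the embedded sample input is constructed from the article's placeholder hostnames.

```shell
# Added helper, not from the Red Hat article: list CAList entries under
# o=ipaca whose host is not a current IPA master. Assumes the ldapsearch
# output is unwrapped (-o ldif-wrap=no) as in the article.
# Read `ipa config-show` output on stdin, print the masters as one
# space-separated line.
masters_from_config() {
    sed -n 's/^ *IPA masters: *//p' | tr ',' ' '
}

# $1: space-separated master hostnames; stdin: LDIF of the cn=CAList subtree.
# Prints the DN of every pkiSubsystem entry whose host is not a master.
stale_ca_entries() {
    awk -v masters="$1" '
        BEGIN { n = split(masters, m, " "); for (i = 1; i <= n; i++) ok[m[i]] = 1 }
        /^dn: /   { dn = substr($0, 5); host = "" }
        /^host: / { host = $2 }
        /^$/      { flush() }
        END       { flush() }
        function flush() {
            if (dn != "" && host != "" && !(host in ok)) print dn
            dn = ""; host = ""
        }
    '
}

# Constructed sample mirroring the article: server2 was removed from the
# topology but its CA subsystem entry is still in the security domain.
stale_ca_entries_demo() {
    local config='  IPA masters: server1.idm.domain.com, server3.idm.domain.com'
    local ldif='dn: cn=server1.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca
cn: server1.idm.domain.com:443
host: server1.idm.domain.com

dn: cn=server2.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca
cn: server2.idm.domain.com:443
host: server2.idm.domain.com

dn: cn=server3.idm.domain.com:443,cn=CAList,ou=Security Domain,o=ipaca
cn: server3.idm.domain.com:443
host: server3.idm.domain.com'
    local masters
    masters=$(printf '%s\n' "$config" | masters_from_config)
    printf '%s\n' "$ldif" | stale_ca_entries "$masters"
}

# On a working replica the real run would be:
#   masters=$(ipa config-show | masters_from_config)
#   ldapsearch -o ldif-wrap=no -xLLLD cn="directory manager" -W \
#       -b "cn=CAList,ou=Security Domain,o=ipaca" | stale_ca_entries "$masters"
```

Any DN it prints is a candidate for the removal procedure above; confirm it against `pki securitydomain-show` and the topology graph before deleting.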
Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
