IPA Server Upgrade Failing with error SSLV3_ALERT_BAD_CERTIFICATE

Solution Verified - Updated -

Issue

  • The IPA server upgrade fails with the following error:
# ipa-server-upgrade

2019-12-02T09:12:33Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://ipaserver.example.com:8443/ca/rest/account/login': [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:618)
2019-12-02T09:12:33Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://ipaserver.example.com:8443/ca/rest/account/login': [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:618)
2019-12-02T09:12:33Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
  • The getcert command shows the following error:
Request ID '20181216144921':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
  • The openssl command output shows the following error:
# printf "HEAD / HTTP/1.1\n\n" | openssl s_client -CAfile /etc/ipa/ca.crt -cert /var/lib/ipa/ra-agent.pem -key /var/lib/ipa/ra-agent.key -connect `hostname -f`:8443 -showcerts -cipher AES256-SHA
CONNECTED(00000003)
depth=1 O = EXAMPLE.COM, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.COM, CN = ipaserver.example.com
verify return:1
139898213824400:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
139898213824400:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
  • The curl command shows the following error:
# curl --tlsv1.2 -v --cacert /etc/ipa/ca.crt --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key https://`hostname -f`:8443/ca/agent/ca/displayBySerial?serialNumber=0x1 |head  -n 5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to ipaserver.example.com port 8443 (#0)
*   Trying 132.10.94.42...
* Connected to ipaserver.example.com (132.10.94.42) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS: client certificate from file
*       subject: CN=IPA RA,O=EXAMPLE.COM
*       start date: Dec 16 14:27:26 2018 GMT
*       expire date: Dec 05 14:27:26 2020 GMT
*       common name: IPA RA
*       issuer: CN=Certificate Authority,O=EXAMPLE.COM
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
* SSL peer cannot verify your certificate.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (58) SSL peer cannot verify your certificate.

Environment

  • Red Hat Enterprise Linux 7
  • IPA 4.x
