For a time, we couldn’t log in to the FreeIPA web interface at https://ipa.freeside.co.uk/. It kept saying “failed due to unknown error”. Trying to use the ipa command in fs-ipa gives a more informative error, however (I tried ipa help topics):
ipa: ERROR: cannot connect to 'https://ipa.freeside.co.uk/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
This error occurred because the self-signed certificate for the web interface had expired. The FreeIPA web interface serves that certificate itself, since it is not proxied through the main nginx instance on fs-web02 (and thus you need the VPN to access it).
To fix it, run the following command:
ipa-cert-fix
…and then follow the instructions. Then restart your browser and wait a few minutes.
Now it should be working again as intended.
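To catch the next expiry before logins break, a check like the one below can run from cron or a monitoring agent against the web interface's certificate file. It is an added example, not part of the original note: the cert_status function name, the 30-day default threshold and the certificate path you pass to it are all assumptions.

```shell
#!/bin/sh
# Added example: expiry check for a PEM certificate (Nagios-style result).
# Return codes: 0 = OK, 1 = expiring soon, 2 = already expired,
#               3 = file is not a readable X.509 certificate.

# cert_status FILE [WARN_DAYS]   (WARN_DAYS defaults to 30, an assumed value)
cert_status() {
    cert=$1
    warn_days=${2:-30}

    # Refuse anything openssl cannot parse as a certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNKNOWN: cannot parse $cert"
        return 3
    fi

    # notAfter date, used only for the human-readable message.
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)

    # -checkend N exits non-zero if the certificate expires within N seconds,
    # so N=0 means "has it already expired?".
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "CRITICAL: $cert expired on $end"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "WARNING: $cert expires on $end (within $warn_days days)"
        return 1
    fi
    echo "OK: $cert valid until $end"
    return 0
}

# Stand-alone use: ./check-cert.sh /path/to/cert.pem 30
if [ "$#" -ge 1 ]; then
    cert_status "$@"
fi
```

A WARNING result is the cue to renew during working hours; a CRITICAL result matches the expired state described above, where ipa-cert-fix was needed.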