I just updated the certificates on our OnDemand server and now Dex is producing an “internal server error” message. Usually when we get the “internal server error” page, I just restart the ondemand-dex service and the error goes away. However, no matter what I do, the “internal server error” page will not go away. I’ve checked the permissions and ownership on the certificate and key files and they are correct. The only error I can find is in the httpd logs. The error is below:
We are running OnDemand version 3.1.16 on RHEL 9.4. No configs have been changed. The only change that was made was replacing the old expired certificate and key file with a new certificate and key file. Any assistance would be greatly appreciated.
My only guess is the CA that signed your new certificate is not trusted by the system’s CA bundle. We run into this sometimes with LetsEncrypt when a new Intermediate or root CA is used. Also verify the ca-bundle exists at the path in the error per Jeff’s question.
Are you sure that’s the correct intermediate and root CA?
openssl verify -CAfile /etc/pki/tls/certs/Intermediate_ca_root_256_R3.crt <file used for SSLCertificateFile>
Not certain this will work depending how the intermediate and CA are chained together. If you google ways to validate the certificate against the CA + intermediates, lots of ways to verify you have the correct files.
I get “unable to get local issuer certificate” for both the intermediate and root certificate when I run the command you provided. I will search around to try and verify that I have the correct files.
This issue has been resolved. As it turns out, we switched to a new certificate provider (Sectigo), and that provider is not trusted by Red Hat by default. Once we added their intermediate and root certificates to the CA trust and restarted the services, everything started working. Thanks @tdockendorf and @jeff.ohrstrom for your help on this!