I've now set up a test box using exactly the same install command, SSL
certificate etc...
The /etc/ipa/ca.crt contains only 3 certificates but they are not CA
certificates that were included in the PKCS12 file:
[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout
Hi,
We moved our CA-less FreeIPA install into production only few days ago and
today I've noticed some problem with certificates.
This is FreeIPA 4.2 installation on Centos 7.2.
I've installed the first node with the following command:
ipa-server-install \
-U \
-r $REALM \
-n
Hi, I checked my IPA server, which is version ipa-server-3.0.0-25. The command
"ipa-get-cert list" shows my certificate will expire in the next 20 days, and
I do not know how to regenerate them, but the command "getcert list" shows the expiring
certificates are related just to "CA:IPA" and certificate " CA:
I have restarted the pki-cad and checked if communication with the CA is
working, but no luck,
Debug logs in /var/log/pki-ca do not have anything unusual. Can you think
of anything other than this?
[root@caer ~]# ipa cert-show 1
Certificate:
Rob,
My apologies, I only provided a tail of the log, I should have provided more. I
can see now there is much more detail in there.
I followed your lead regarding the HTTP error log from the server and found
this:
[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client
Rubin Binder wrote:
Justin,
Thank you very much for the prompt response. The log output is as follows:
2016-07-20T17:02:52Z DEBUG Starting external process
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s'
'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T17:02:52Z
Linov Suresh wrote:
Thanks for your help Rob, I will create a separate thread for the IPA
replication issue. But we are still getting
ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".
Could you please
I was trying to replicate our IPA server, which is running on CentOS 6.4 with
FreeIPA 3.0, and I got an error:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
I ran /usr/sbin/ipa-server-install --uninstall a couple of times
Could you please share with us the /var/log/ipaclient-install.log ?
Kind regards,
Justin Stephenson
On 07/20/2016 01:23 PM, Rubin Binder wrote:
Hello all,
I am testing Free IPA server for use under a test environment, so far smooth
sailing and have it up and running, no problems.
The
The problem is occurring during client installation. I have installed the
ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install...
On Tue, 19 Jul 2016, Rob Crittenden wrote:
Jeremy Utley wrote:
Hello all!
We're looking at replacing a lot of our currently self-signed internal
SSL certificates in our infrastructure with certificates generated by
the FreeIPA CA. However, I've run into something that I haven't been
able to
On Wed, 20 Jul 2016, Jan Karásek wrote:
Hi,
thank you.
ldapsearch reply:
search: 2
result: 32 No such object
matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
text: 208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
match of:
'CN=RpcServices,CN=System,DC=rwe,DC=tt'
actually when I look under the
Hi all,
today I updated all of our IPA servers (CentOS 7.2) with some minor RPM
updates, but one of the replicas failed with:
RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API',
domain='ipa', localedir=None)
Log excerpt (ipaupgrade.log) from this host:
(Also available as
Thank you! That was it.
From: Simpson Lachlan
To: pgb205 ; Sumit Bose
Cc: Freeipa-users
Sent: Tuesday, July 19, 2016 7:30 PM
Subject: RE: Re: [Freeipa-users] Unable to ssh after establishing
Glad you got the certificates successfully renewed.
Can you open a new e-mail thread on this new problem so we can keep the
issues separated?
IPA gets little information back when dogtag fails to install. You need
to look in /var/log//debug for more information. The exact
location depends
These attributes should be available from port 389 and not the global
catalog, please try a command such as:
ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com"
msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
Hi,
thank you for the hint.
In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
If I understand it right, it is the base UID number and the number of UIDs in
the range.
If not discovered nor given via CLI, then it
Sure - I've got tomorrow off, so it will be Friday morning.
cheers
L.
--
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
On 20 July 2016 at 17:14, Jakub Hrozek wrote:
> On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan
On Wed, Jul 20, 2016 at 09:27:34AM +0530, Visakh MV wrote:
> Hi,
>
>
> first case: As per your direction, things are going well even if we are
> facing some issues as well. even like once logged in to ipa-client machine
> with ipa user with certain privilege after that while using terminal "
On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote:
> On 19 July 2016 at 16:40, Jakub Hrozek wrote:
>
> > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > I think the thing that frustrates the most is that id u...@domain.com is
> > >