Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden
mohammad sereshki wrote: hi, would you please explain more? Your CA (dogtag) is not running. The CA is written in java and deployed as a WAR in tomcat. If something goes wrong during initialization the CA will exit but tomcat will not. Requests to the CA are returning 404 Not Found because

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and this is for catalina.out SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web appli

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and below is for selftests.log 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1]

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden
mohammad sereshki wrote: hi it is result of command, seems issue is another thing ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) Which means that the CA still isn't up. You're going to need to look at the dogtag logs in

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, would you please explain more? From: Rob Crittenden To: mohammad sereshki ; Florence Blanc-Renaud ; Freeipa-users Sent: Thursday, July 21, 2016 11:09 PM Subject: Re: [Freeipa-users]

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, I find below in debug file under /var/log/pki-ca, what is your comment? 21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore():

Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

2016-07-21 Thread Rob Crittenden
> Sent: Thursday, July 21, 2016 11:30 AM > Subject: Re: [Freeipa-

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, it is result of command, seems issue is another thing  ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) From: Rob Crittenden To: mohammad sereshki ; Florence

Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

2016-07-21 Thread mohammad sereshki
> Sent: Thursday, July 21, 2016 11:30 AM > Subject: Re: [Freeipa-users] regenerate certificate > On 07/20/2016 10:04 PM, mohammad sereshki wrote: > hi

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
UPDATE: Tried again the whole procedure with ipa-dns-install, and it DOES work with SELinux disabled, and still fails with SELinux enabled. So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" makes sense. Can someone help me fix it? $ ll -Z /var/lib/ipa/dnssec/ total 12

Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

2016-07-21 Thread mohammad sereshki
save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > You have new mail in /var/spool/mail/root

Re: [Freeipa-users] Odd Password Issue Across the realm

2016-07-21 Thread Rob Crittenden
Auerbach, Steven wrote: We have our IPA set up as master-master and we have about 25 clients in realm (including the IPA servers themselves). We have a single user who changed his unexpired password using the passwd command logged on to one of the registered clients. Thereafter, when he logs

[Freeipa-users] Odd Password Issue Across the realm

2016-07-21 Thread Auerbach, Steven
We have our IPA set up as master-master and we have about 25 clients in realm (including the IPA servers themselves). We have a single user who changed his unexpired password using the passwd command logged on to one of the registered clients. Thereafter, when he logs on to any of the client

[Freeipa-users] FreeIPA and slave MIT slave KDCs

2016-07-21 Thread Diogenes S. Jesus
Hi everyone. I'm currently planning on deploying FreeIPA as the Master KDC (among other things to leverage from the API and some other built-in features - like replicas). However I find (correct if I'm wrong) FreeIPA not very modular - therefore I would like to know what's the strategy when

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Ben Lipton
I'm not familiar enough with Fedora release engineering to know how this gets fixed permanently, but I'll share some investigation I've done. This appears to be due to a change in the selinux-policy-targeted package that happened recently. As of the latest version, named-pkcs11 tries to run

[Freeipa-users] FreeIPA / Change SSL Certificate for Web Server

2016-07-21 Thread Devin Acosta
I have just installed a newly created FreeIPA server running CentOS 7.2. I have a (wildcard) SSL Certificate that I want to use for the FreeIPA Web Management GUI. I tried to follow the directions listed here at the URL of https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

[Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
- FC23 - IPA 4.2.4 After a dnf update, bind was updated (no ipa updates), and named-pkcs11 doesn't start anymore. $ /usr/sbin/named-pkcs11 -d 9 -g 21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g 21-Jul-2016 23:08:50.332 built with

[Freeipa-users] AD Sync issue

2016-07-21 Thread malo
Hello everyone, I have one issue with replication from AD to IPA. Right now on my IPA master I have the current packages: ipa-admintools.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-client.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-python.x86_64 4.2.0-15.0.1.el7.centos.17

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Florence Blanc-Renaud
On 07/20/2016 10:04 PM, mohammad sereshki wrote: hi I check my IPA server which is version ipa-server-3.0.0-25 , command "ipa-get-cert list" show, my certificate will be expired in next 20 days, I do not know how to regenerate them but command "getcert list" shows expiration certificates are

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/20/2016 09:41 PM, Linov Suresh wrote: > I have restarted the pki-cad and checked if communication with the CA is > working, but no luck, > > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of > anything other than this? /var/log/httpd/error_log when

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-21 Thread Justin Stephenson
Hello, You should remove the following from sssd.conf: [domain/example.tt] debug_level = 7 ldap_id_mapping = False id_provider = ad With the AD trust configuration, you do not need to specify any additional domain because IPA will contact AD across the trust using

[Freeipa-users] [howto] IPA (DNS) Locations

2016-07-21 Thread Martin Basti
Hello all, I prepared howto for the new feature in IPA 4.4: https://www.freeipa.org/page/Howto/IPA_locations Feel free to report/fix any errors :-) With regards, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-21 Thread Jan Karásek
Thank you. Now I have IDMU installed and when creating trust, IPA is correctly autodetecting the range type: Range name: EXAMPLE.TT_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Linov Suresh
The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. *I am not sure about that, please see httpd_error when `ipa cert-show 1` was run* [root@caer ~]# *tail -f /var/log/httpd/error_log* [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden
mohammad sereshki wrote: dear thanks, but would you please check below and let me know what is your idea?I checked your command but it did not work. The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps. A simple test that communication is

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/21/2016 05:14 PM, Linov Suresh wrote: > I set debug=true in /etc/ipa/default.conf > > Here are my logs, The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. Does `ipa cert-show` communicate with the same replica? Could be verified by

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Rob Crittenden
Linov Suresh wrote: The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. *I am not sure about that, please see httpd_error when `ipa cert-show 1` was run* The IPA API log isn't going to show much in this case. Requests to the CA are