[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-29 Thread Z D via FreeIPA-users
Rob, I'd love to test your tool as part of working on my problem "ipa.service 
fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence do you think 
this is the obstacle? 

Again, as part of "ipa.service fails to start" work, I was hoping to add new 
IPA server 4.5.4, but ipa-replica-prepare (from v4.4.0) fails with:

Creating SSL certificate for the Directory Server
cannot connect to 
'https://ca-ldap02.domain.com:8443/ca/ee/ca/profileSubmitSSLClient': 
(SSL_ERROR_EXPIRED_CERT_ALERT) 
SSL peer rejected your certificate as expired.

One more thing: my domain level is 0. Will raising it to 1 help, and is this 
process harmful?
I am desperate to try things that can possibly lead to resolving my expired cert 
problems. 

thanks, Zarko
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Z D via FreeIPA-users
Hi Kees, I've also been looking at Rob's blog as part of working on my problem 
("ipa.service "fails" to start"). 
In my case, when running the curl command (with -v), I do see

* About to connect() to ca-ldap03 port 8443 (#0)
*   Trying x.x.x..x ...
* Connected to ca-ldap03 port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)

... but then I see: 

< HTTP/1.1 500 Internal Server Error

... finally the command's exit status is 0, hence I understand there is no need to 
modify the trust flag. 
___


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Hi Flo and Rob, an additional update. 
There is a discrepancy in some of the certs' expiry times among the 4 servers; I 
thought maybe another server could be a candidate to be the new renewal master. 
The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well, 
hence "ipa config-show" on all 4 servers reads that ca-ldap02 is the IPA CA renewal 
master. 

But it's still a mix of expired and valid certs: auditSigningCert, 
caSigningCert and ipaCert are expired. So on ca-ldap02 I repeated the familiar 
process of "kill ntpd, go back a few days, restart krb5kdc, dirsrv, httpd, 
CA, then certmonger" and got the error from the previous update: 

"Directory Server on ca-ldap02: Insufficient access: Invalid credentials"

Have a good weekend, I hope to continue troubleshooting next week. 
___


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Agreed, Flo, I made sure that I am in the past, but unfortunately still no 
resolution. 

[root@ca-ldap01 ~]# systemctl restart krb5kdc
[root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service
[root@ca-ldap01 ~]# systemctl restart httpd
[root@ca-ldap01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service

Kerberos now understands we are in the past! 

[root@ca-ldap01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@domain.com
Valid starting   Expires  Service principal
08/13/2018 11:21:32  08/14/2018 11:21:28  krbtgt/domain@domain.com

[root@ca-ldap01 ~]# date
Mon Aug 13 11:22:20 PDT 2018

And these are the renew.log errors when certmonger is restarted or getcert 
resubmit is run; basically insufficient access to the directory server!?

2018-08-13T18:46:49Z 13747 MainThread ipa DEBUG Initializing principal host/ca-ldap01.domain@domain.com using keytab /etc/krb5.keytab
2018-08-13T18:46:49Z 13747 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-NGZEev/ccache
2018-08-13T18:46:49Z 13747 MainThread ipa DEBUG Attempt 1/1: success
2018-08-13T18:46:49Z 13747 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-13T18:46:49Z 13747 MainThread ipa DEBUG Could not connect to the Directory Server on ca-ldap01.domain.com: Insufficient access:  Invalid credentials

Syslog message also reads "Insufficient access:  Invalid credentials"

Aug 13 12:20:39 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
    if ca.is_renewal_master():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
    self.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
    self.do_sasl_gssapi_bind(timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
    self.__bind_with_wait(self.gssapi_bind, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
    raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access:  Invalid credentials
Aug 13 12:20:39 ca-ldap01 certmonger: 2018-08-13 12:20:39 [16173] Internal error

I'm getting worried now; it's been a week and this is a prod environment. I've 
tried to add a 5th server, but setting up the replica fails. Any hope for resolution?   
___


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, I followed one of your suggestions from another post: 
"certmonger _should_ have renewed them. Try killing ntpd, going back a few 
days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what 
happens"

I did it, with no success, and these messages:

- MainThread  ipa DEBUG   Could not connect to the Directory Server on 
ca-ldap01.domain.com: Insufficient access:  Invalid credentials
- ca-dap01 certmonger: 2018-08-07 10:40:39 [4831] Internal error
- ca-ldap01 [sssd[ldap_child[5045]]]: Failed to initialize credentials using 
keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 
'DOMAIN.COM'. Unable to create GSSAPI-encrypted LDAP connection.
- ca-ldap01 [sssd[ldap_child[5045]]]: Cannot contact any KDC for realm 
'DOMAIN.COM'

And I notice that Kerberos somehow still shows the current date, instead of 
2018-08-07 (my back-in-time date).   

[root@ca-ldap01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@domain.com
Valid starting   Expires  Service principal
10/25/2018 20:55:02  10/26/2018 20:54:58  krbtgt/domain@domain.com

Is this the reason for the failure? 
___


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, thanks much.

Some of Flo's blogs about the CA help me to understand better now. Sure, "ipa 
cacert-manage renew" and "ipa-certupdate" were run before, hopefully not 
harmfully; "caSigningCert cert-pki-ca" was valid for 18 more years. 

You're right, there is a mix of old and renewed ones; three require renewal: 
auditSigningCert, subsystemCert and ipaCert, all expired on 2018-08-14. 
The time I went back to was 7 days earlier, 2018-08-07.

Sorry, nothing to revert; please let me know what you would suggest now. The 
state of the certs is:

status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2018-08-14 20:49:38 UTC

status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2020-10-11 20:15:53 UTC

status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2018-08-14 20:49:36 UTC

status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2038-10-22 18:15:48 UTC

status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2018-08-14 20:50:00 UTC

status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
subject: CN=ca-ldap01.DOMAIN.com,O=DOMAIN.COM
expires: 2020-07-07 01:47:45 UTC
___
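The two things this thread keeps circling back to are which tracked certs have already expired on a given server and whether the same nickname carries different expiry dates on different replicas (the "discrepancy among 4 servers" after the renewal-master change), plus the "go back a few days" date used before restarting the services. The script below is an added example written for this archive page; it is not code from the thread, from FreeIPA or from certmonger. It parses the text layout that `getcert list` prints (unwrapped, unlike the mail-wrapped copy above), and the function names `parse_getcert_list`, `expired`, `divergent`, `rollback_date` and `triage` are this example's own. The ca-ldap01 expiry dates are the ones quoted in the post; the ca-ldap02 sample, in which only auditSigningCert was renewed, is invented to show a divergence.

```python
from datetime import datetime, timedelta, timezone
import re

# Timestamp format that `getcert list` prints on its "expires:" line.
GETCERT_TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"
_NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Return {nickname: expiry as aware UTC datetime} from `getcert list` output.

    Each request starts at a "status:" line; the "certificate:" line carries the
    NSS nickname and "expires:" the expiry. Requests that have no certificate yet
    are skipped. Expects unwrapped output (the thread's copy is mail-wrapped).
    """
    certs, nick = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("status:"):
            nick = None                       # a new request block begins
        elif line.startswith("certificate:"):
            m = _NICK_RE.search(line)
            nick = m.group(1) if m else None
        elif line.startswith("expires:") and nick:
            stamp = line[len("expires:"):].strip()
            when = datetime.strptime(stamp, GETCERT_TIME_FMT)
            certs[nick] = when.replace(tzinfo=timezone.utc)
    return certs


def expired(certs, now):
    """Sorted nicknames whose certificate has expired at `now`."""
    return sorted(n for n, exp in certs.items() if exp <= now)


def divergent(per_server):
    """Nicknames whose expiry differs between servers: {nick: {server: expiry}}.

    Every replica holds the same CA subsystem certs, so a mismatch means one
    server renewed a cert while the others still carry the old one.
    """
    by_nick = {}
    for server, certs in per_server.items():
        for nick, exp in certs.items():
            by_nick.setdefault(nick, {})[server] = exp
    return {n: s for n, s in by_nick.items() if len(set(s.values())) > 1}


def rollback_date(certs, days_before=7):
    """Date `days_before` days before the earliest expiry: the "go back a few
    days" target from the thread, chosen so every tracked cert is valid again."""
    return (min(certs.values()) - timedelta(days=days_before)).date()


# --- constructed sample input (not real getcert output) ---------------------
def _getcert_text(entries, location="/etc/pki/pki-tomcat/alias"):
    """Render (nickname, expires) pairs in the field layout `getcert list` uses."""
    blocks = []
    for nick, exp in entries:
        blocks.append("\n".join([
            "\tstatus: MONITORING",
            "\tstuck: no",
            "\tcertificate: type=NSSDB,location='%s',nickname='%s',"
            "token='NSS Certificate DB'" % (location, nick),
            "\texpires: %s" % exp,
            "\ttrack: yes",
        ]))
    return "\n".join(blocks) + "\n"


# Expiry dates as quoted for ca-ldap01 in the post above.
CA_LDAP01 = _getcert_text([
    ("auditSigningCert cert-pki-ca", "2018-08-14 20:49:38 UTC"),
    ("ocspSigningCert cert-pki-ca", "2020-10-11 20:15:53 UTC"),
    ("subsystemCert cert-pki-ca", "2018-08-14 20:49:36 UTC"),
    ("caSigningCert cert-pki-ca", "2038-10-22 18:15:48 UTC"),
    ("ipaCert", "2018-08-14 20:50:00 UTC"),
    ("Server-Cert cert-pki-ca", "2020-07-07 01:47:45 UTC"),
])
# Invented second server on which only auditSigningCert was renewed.
CA_LDAP02 = CA_LDAP01.replace("2018-08-14 20:49:38 UTC", "2020-08-14 20:49:38 UTC")

NOW = datetime(2018, 10, 25, tzinfo=timezone.utc)   # date of the post


def triage(now=NOW):
    """Run the three checks over the constructed sample and return the results."""
    servers = {"ca-ldap01": parse_getcert_list(CA_LDAP01),
               "ca-ldap02": parse_getcert_list(CA_LDAP02)}
    return {
        "expired": {s: expired(c, now) for s, c in servers.items()},
        "divergent": sorted(divergent(servers)),
        "rollback": rollback_date(servers["ca-ldap01"]),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real topology you would feed `parse_getcert_list` the captured `getcert list` output of each server (for example collected over ssh) instead of the constructed strings; `divergent` then points at exactly the nicknames where one server's renewal did not propagate, and `rollback_date` gives the latest date at which all of them were still valid.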


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
No, the CA component is not running, and there seems to be not much activity under  
/var/log/pki/pki-tomcat. Maybe these can be of interest: 

[1] selftests.log
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

[2] catalina.log

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property

Flo, if I may suspect this one: I recall that before the incident it expired in 
2036, now it's 2038.


status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2038-10-22 18:15:48 UTC
track: yes
auto-renew: yes

And the URI was the hostname, not ipa-ca. 

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep URI
URI: "http://ipa-ca.domain.com/ca/ocsp"

Is there a way to "manually" revert the change or renew a cert? 
___
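The selftests.log excerpt above is the direct reason "ipactl status" reports pki-tomcatd as STOPPED: Dogtag runs the SystemCertsVerification self-test at startup, and a single expired system certificate makes the CRITICAL plugin fail and aborts the start. Pulling the blocking nickname and the NSS error code out of that log is the first thing to do before touching any cert, so here is a small parser for that record format. It is an added example for this page, not code from Dogtag or FreeIPA; the function names `failed_system_certs`, `failed_critical_plugins` and `startup_blockers` are this example's own, and the sample log is constructed from the two lines quoted in the post plus one invented informational line.

```python
import re
from datetime import datetime

# One selftests.log record reporting a system certificate that failed
# verification at startup (the format quoted in the post above).
_FAILURE_RE = re.compile(
    r"\[(?P<stamp>[^\]]+)\] .*?SystemCertsVerification: system certs verification "
    r"failure: Certificate (?P<nick>.+?) is invalid: .*?\((?P<code>-?\d+)\) (?P<msg>.+)$"
)
# The record that says startup was aborted because a CRITICAL plugin failed.
_CRITICAL_RE = re.compile(r"CRITICAL self test plugin called (?P<plugin>\S+) .*FAILED!")


def failed_system_certs(log_text):
    """Return one dict per system cert that the CA self-test rejected.

    Each dict carries the log timestamp (naive; the zone is kept as text so the
    parse does not depend on the host's tz database), the NSS nickname, the
    NSS/NSPR error code (-8181 is SEC_ERROR_EXPIRED_CERTIFICATE) and the reason.
    """
    found = []
    for line in log_text.splitlines():
        m = _FAILURE_RE.search(line)
        if not m:
            continue
        when, _, zone = m.group("stamp").partition(" ")
        found.append({
            "time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S"),
            "zone": zone,
            "nickname": m.group("nick"),
            "code": int(m.group("code")),
            "reason": m.group("msg"),
        })
    return found


def failed_critical_plugins(log_text):
    """Names of CRITICAL self-test plugins whose startup failure stopped the CA."""
    return [m.group("plugin")
            for m in map(_CRITICAL_RE.search, log_text.splitlines()) if m]


# Constructed sample: the two selftests.log lines quoted in the post, plus one
# invented informational line to show that unrelated records are ignored.
SELFTESTS_LOG = (
    "0.localhost-startStop-1 - [08/Aug/2018:10:12:01 PDT] [20] [1] SelfTestSubsystem: "
    "Running self test plugins specified to be executed at startup:\n"
    "0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: "
    "system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: "
    "Invalid certificate: (-8181) Peer's Certificate has expired.\n"
    "0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: "
    "The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification "
    "running at startup FAILED!\n"
)


def startup_blockers(log_text=SELFTESTS_LOG):
    """Summarise why pki-tomcatd did not come up: blocking nicknames and plugins."""
    certs = failed_system_certs(log_text)
    return {
        "nicknames": sorted({c["nickname"] for c in certs}),
        "codes": sorted({c["code"] for c in certs}),
        "plugins": failed_critical_plugins(log_text),
    }


if __name__ == "__main__":
    print(startup_blockers())
```

Run it against the real file with `startup_blockers(open("/var/log/pki/pki-tomcat/ca/selftests.log").read())`; the nicknames it returns are the ones that must be valid (or renewed) before the CA will pass its startup self-test again.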


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and 
/var/log/pki/pki-tomcat/ca/debug reads: 
 

[08/Aug/2018:10:12:02][localhost-startStop-1]: =  DEBUG SUBSYSTEM INITIALIZED   ===
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
    at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
    at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
    at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808)
    at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181) Peer's Certificate has expired.
    at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
    at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
    ... 44 more
Invalid class name repositorytop
    at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
    at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
    at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
    at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
    at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)

[Freeipa-users] ipa.service "fails" to start

2018-10-18 Thread Z D via FreeIPA-users
Hi there,

This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.

After a reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl 
start --ignore-service-failures" and this was kind of successful. I still have 
some discrepancies, and am looking for troubleshooting ideas.

  1. "systemctl status ipa.service" reads that the service failed.
  2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server is running.
  3. "ipactl status" reads:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED < !!
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Well, why does pki-tomcatd read 'stopped', and how do I make systemctl recognize 
that the ipa service is running? Thanks in advance,

Zarko
___


[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

2017-08-31 Thread Z D via FreeIPA-users
This is resolved by updating the sudo package.

---> Package sudo.x86_64 0:1.8.6p7-11.el7 will be updated
---> Package sudo.x86_64 0:1.8.19p2-10.el7 will be an update

From: Pavel Březina 
Sent: Thursday, August 31, 2017 1:48:33 AM
To: Jakub Hrozek; Z D
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] Re: sudo policy doesn't work since host is 
installed with CNAME

On 08/31/2017 08:35 AM, Jakub Hrozek wrote:
> On Wed, Aug 30, 2017 at 08:51:24PM +, Z D wrote:
>>> Does ipa_hostname in sssd.conf point to cname (or, the hostname registered 
>>> with IPA) ?
>>
>>
>> It points to the DNS A record, the one that is registered with IPA.
>
> Pavel, is a setup with a machine where the hostname in IPA doesn't match
> the machine hostname known to work?

sudo should read ipa_hostname from /etc/sssd/sssd.conf so if this option
is present, it should work. If it does not, we need sudo debug logs.

___