> Having said that, I'm not even sure if one can request a specific preauth
> method today
> in SSSD.
And by that I mean as a hint before the actual AS_REQ. IIUC this isn't
straightforward to do currently because:
- The PAM conversation happens after the AS_REP and depends on the supported
I tracked down the source of the mysterious "Internal server error
'Link'" message when running this health check. It's caused by having a
mixture of both RHEL 8 and RHEL 9 servers.
The error message in context:
# ipa-healthcheck
--source=pki.server.healthcheck.clones.connectivity_and_data
and this is from the ca/debug file:
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect
to LDAP server: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8181) Peer's Certificate has
also, here is more in the journal:
-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21
UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat
Server pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine
[root @ ldap01] /home/rocky
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running
starting ipa is failing for the
All three of my IPA servers have this health check failing:
[root@ipa3 ~]# ipa-healthcheck --source
pki.server.healthcheck.clones.connectivity_and_data --check
ClonesConnectivyAndDataCheck --output-type=human
Internal server error 'Link'
ERROR:
Omar Pagan via FreeIPA-users wrote:
> Hello,
>
> I came back from vacation and noticed that the pki-tomcatd was not running.
> All other services are running fine, I can kinit admin and search for users,
> I can also log into the UI and see everything. When I try to start the
> service I see
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running.
All other services are running fine, I can kinit admin and search for users, I
can also log into the UI and see everything. When I try to start the service I
see the following errors:
Mar 11 20:44:44
Awesome, pkinit is exactly what we need, thank you.
Is the `--principal` option for ipa cert-request needed with a
matching rule? e.g. if we have
ipa certmaprule-add pkinit-host --matchrule ''
--maprule='(fqdn={subject_dns_name})'
Do I also need to
ipa cert-request example.csr
> On Sat, 09 Mar 2024, Jonathan Calmels via FreeIPA-users wrote:
>
> If you are using RHEL subscription, it might make sense to open a
> customer case and provide more details there, along with a request for
> enhancement and point to this thread so that we can connect the dots and
> get this
On Sun, Mar 10, 2024 at 04:46:45PM +0200, Alexander Bokovoy via
FreeIPA-users wrote:
> On Sat, 09 Mar 2024, Jonathan Calmels via FreeIPA-users wrote:
> > Thanks for the detailed answer, glad we didn't miss anything obvious.
> > I just want to add a bit more clarification on what we were