[Freeipa-users] Re: unable to convert attribute 'cacertificate:binary'

2024-05-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, Apr 30, 2024 at 02:13:56PM -0400, Rob Crittenden via FreeIPA-users wrote: > I used the cert you provided us out-of-band and was able to load it in > Fedora rawhide with cryptography-42.0.5, same (I think) as tumbleweed > unless tumbleweed includes some additional change. > > Let's try

[Freeipa-users] Re: When a cert-profile doesn't exist and can't see it but IPA thinks it does - how to correct?

2023-05-14 Thread Fraser Tweedale via FreeIPA-users
dn: cn=acmeIPAServerCert,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
objectClass: top
cn: acmeIPAServerCert
description: ACME IPA service certificate profile
ipaCertProfileStoreIssued: FALSE

On Fri, May 12, 2023 at 03:46:46PM -, Nicholas Cross via FreeIPA-users wrote:
>

[Freeipa-users] Re: ACME client certificate request from FreeIPA with DNS-01 challenge

2023-05-03 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 03, 2023 at 10:17:03PM -, Djerk Geurts via FreeIPA-users wrote: > > Not all IPA users can create DNS records. One needs to be able to create > > the TXT entry for the challenge to succeed. > > I think this is the crux of it. How does an anonymous ACME client > authorise anything? >

[Freeipa-users] Re: ACME client certificate request from FreeIPA with DNS-01 challenge

2023-05-03 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users wrote: > Djerk Geurts via FreeIPA-users wrote: > > Aware that ACME support is still relatively new. I'm looking at how the > > challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA > > manages the DNS
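The question in this thread (how can an ACME client that has no IPA identity authorise anything?) comes down to the dns-01 mechanics of RFC 8555 section 8.4: the only thing the CA verifies is that whoever controls the ACME account key can also publish one specific TXT record in the zone. The following is an added example, not code from this list or from FreeIPA/Dogtag, showing both sides of that exchange in plain Python. The account keys and the identifier names are constructed for the example and are not real key material.

```python
"""ACME dns-01 (RFC 8555 section 8.4) with both the client and the CA side.

The ACME account key is not an IPA credential: the CA checks only that the
holder of that key could publish a specific TXT record. A client that cannot
write _acme-challenge.<name> in the zone never passes the challenge."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace. Extra members (kid, alg) are
    deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): binds the challenge to one account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(identifier: str) -> str:
    """Where the TXT record goes. A wildcard identifier is validated at its
    base name, so '*.example.test' uses _acme-challenge.example.test."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Client side: publish base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates_dns01(token: str, account_jwk: dict, observed_txt) -> bool:
    """CA side: recompute the expected value from the account key it already
    holds and the token it issued, then look for it among the TXT records it
    resolved. Constant-time comparison, as for any secret-derived value."""
    expected = dns01_txt_value(token, account_jwk)
    return any(secrets.compare_digest(rec, expected) for rec in observed_txt)


# Constructed sample account keys: the coordinates are placeholders with the
# right shape (base64url P-256 values), not real keys.
ACCOUNT_A = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
ACCOUNT_B = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}


def demo() -> dict:
    token = b64url(secrets.token_bytes(32))      # issued by the CA per challenge
    txt = dns01_txt_value(token, ACCOUNT_A)      # published by the client
    return {
        "name": dns01_record_name("*.app.example.test"),
        "value": txt,
        "owner_passes": ca_validates_dns01(token, ACCOUNT_A, [txt]),
        # Another account that learned the token cannot reuse the record:
        "other_account_fails": not ca_validates_dns01(token, ACCOUNT_B, [txt]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The practical consequence for IPA is the one raised in the thread: whether an ACME client succeeds is decided by who can write `_acme-challenge` TXT records in IPA's DNS, so zone write permissions, not IPA user identities, are the access control for dns-01.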

[Freeipa-users] Re: SubCA for firewall appliance (CertProcessor: no profile policy set found)

2023-05-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 02, 2023 at 12:40:55AM -, Djerk Geurts via FreeIPA-users wrote: > Trying to follow and adapt > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html > for issuing a Subordinate CA for a firewall appliance. For user VPN certs > and testing SSL

[Freeipa-users] Re: FreeIPA-Kubernetes Setup

2023-03-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Mar 17, 2023 at 11:37:54AM +0100, Ronald Wimmer via FreeIPA-users wrote: > On 14.05.21 11:26, Ronald Wimmer via FreeIPA-users wrote: > > Hi, > > > > are there any plans (or maybe ongoing work already) to let FreeIPA run > > in a K8s environment? > > What about tearing all the tightly

[Freeipa-users] Re: FreeIPA-Kubernetes Setup

2023-03-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Mar 17, 2023 at 04:32:44PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On pe, 17 maalis 2023, Rob Crittenden via FreeIPA-users wrote: > > Ronald Wimmer via FreeIPA-users wrote: > > > On 14.05.21 11:26, Ronald Wimmer via FreeIPA-users wrote: > > > > Hi, > > > > > > > > are there

[Freeipa-users] Re: Converting self-signed root CA to intermediate CA

2023-01-30 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 30, 2023 at 11:27:47AM +, Schrock, Chad - 0336 - MITLL via FreeIPA-users wrote: > > > Hi everyone, > > > > We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with > a self-signed root CA. All is well and good, except we've been told that we > have to

[Freeipa-users] Re: Grant sudo to users only on their own workstations

2022-12-19 Thread Fraser Tweedale via FreeIPA-users
On Mon, Dec 19, 2022 at 03:32:33PM -0500, Ranbir via FreeIPA-users wrote: > We have many users that run GNU/Linux workstations. At the moment > everyone is using local accounts. We want to convert them to IPA > clients and still allow them sudo privileges on their own workstations. > > It's easy

[Freeipa-users] Re: ipa-server-certinstall -k

2022-06-20 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jun 20, 2022 at 07:49:16PM +, Charles Hedrick wrote: > Keeping our own certificates up to date on the various types of > clients is messy enough that we gave up on that. > > The only thing we would actually use it for is kinit -n, to > bootstrap kinit for OTP. While kinit -n would be

[Freeipa-users] Re: ipa-server-certinstall -k

2022-06-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users wrote: > Charles Hedrick via FreeIPA-users wrote: > > the error is > > > > The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC > > A PKINIT certificate needs an EKU extension, >
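"Invalid for a KDC" is what a certificate without the id-pkinit-KDC extended key usage (1.3.6.1.5.2.3.5) produces when given to ipa-server-certinstall -k; an ordinary TLS server certificate has serverAuth instead and so is rejected. The following is an added example, not code from this list or from FreeIPA, that builds a self-signed test certificate carrying that EKU plus the id-pkinit-san otherName of RFC 4556 with plain openssl, builds a plain TLS server certificate for contrast, and checks each for the EKU. The realm EXAMPLE.TEST and host kdc.example.test are made up; the kdc_princ_name sections follow the ASN.1 layout that the MIT Kerberos PKINIT documentation shows for openssl. A self-signed certificate only serves to illustrate the extensions: a real KDC certificate must be issued by a CA the clients trust for PKINIT.

```shell
#!/bin/sh
# Added example: what a PKINIT KDC certificate must carry, and a check for it.
# Requires only openssl. Realm and host names are made up.
set -e

REALM=EXAMPLE.TEST
KDC_HOST=kdc.example.test

# Write an openssl config with two extension sections: kdc_cert is what a
# KDC needs, plain_cert is what a web-server profile typically issues.
write_config() {
    cat > "$1/kdc.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = $KDC_HOST

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
# id-pkinit-KDC: the EKU the installer insists on
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
# id-pkinit-san carrying krbtgt/$REALM@$REALM, plus a dNSName for clients that use it
subjectAltName = DNS:$KDC_HOST, otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[plain_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$KDC_HOST

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
[kdc_princ_name]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM
EOF
}

# issue_cert DIR SECTION NAME: self-signed certificate using extension SECTION.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/kdc.cnf" -extensions "$2" \
        -keyout "$1/$3.key" -out "$1/$3.pem" 2>/dev/null
}

# Print "yes" if the certificate has the id-pkinit-KDC EKU, "no" otherwise.
# Newer openssl prints the OID's name ("Signing KDC Response"), older ones the OID.
has_kdc_eku() {
    if openssl x509 -in "$1" -noout -text \
        | grep -q -e 'Signing KDC Response' -e '1\.3\.6\.1\.5\.2\.3\.5'; then
        echo yes
    else
        echo no
    fi
}

work=$(mktemp -d)
write_config "$work"
issue_cert "$work" kdc_cert kdc
issue_cert "$work" plain_cert plain
echo "kdc.pem   has id-pkinit-KDC EKU: $(has_kdc_eku "$work/kdc.pem")"
echo "plain.pem has id-pkinit-KDC EKU: $(has_kdc_eku "$work/plain.pem")"
```

Run `has_kdc_eku` against the certificate you intend to hand to `ipa-server-certinstall -k` before running the installer; if it prints "no", the issuing CA's profile needs the EKU added, not the installer worked around.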

[Freeipa-users] Re: Force early renewal of server certificate

2022-06-19 Thread Fraser Tweedale via FreeIPA-users
Hi Ian, The Firefox change ceases CN matching for additional, explicitly trusted CAs. For "bundled" CAs it stopped using CN years ago (along with Chrome and other browsers). For renewal instructions, refer to Rob's mail of Mon, 6 Jun 2022 11:23:04 -0400 to this list, subject: PSA: Change

[Freeipa-users] Re: Wildcard certificate

2022-06-07 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jun 07, 2022 at 11:56:10AM -0400, Bret Wortman via FreeIPA-users wrote:
> I did set up a profile using Fraser's directions, and I see something in
> there about:
>
> policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.12.constraint.name=No Constraint
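Two threads above turn on how browsers decide which host names a certificate is valid for: the "Force early renewal" reply (browsers no longer consult the subject CN, so only subjectAltName counts) and this wildcard-certificate thread. The following is an added example, not code from this list or from FreeIPA, implementing that browser-side matching over the dict shape Python's `ssl.SSLSocket.getpeercert()` returns: SAN dNSName entries only, IP literals only against iPAddress entries, and wildcards under the rules Chrome and Firefox apply (a bare `*` as the whole leftmost label, matching exactly one label, with at least two fixed labels after it). The certificates in it are constructed dicts, not real certificates.

```python
"""Browser-style host name checking for a server certificate.

Browsers take the names a certificate is valid for from subjectAltName only;
the subject commonName is ignored, so a certificate with a CN and no SAN is
valid for no host at all. Input is the dict shape that
ssl.SSLSocket.getpeercert() returns, so this runs against a live connection."""
import ipaddress


def subject_cn(cert):
    """Pull the CN out of the getpeercert() subject tuple (display only)."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _wildcard_pattern_ok(pattern):
    labels = pattern.split(".")
    # "*.example.test" is fine; "*.test", "w*.example.test", "*.*.test" are not.
    return (labels[0] == "*" and len(labels) >= 3
            and all(labels[1:]) and "*" not in pattern[2:])


def dns_name_matches(pattern, hostname):
    """Does one SAN dNSName (possibly a wildcard) cover hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not _wildcard_pattern_ok(pattern):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # One wildcard covers exactly one non-empty label: 'a.b.example.test'
    # and the bare 'example.test' are both outside '*.example.test'.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert, hostname):
    """True if the certificate is valid for hostname by SAN alone.

    An IP literal is matched only against iPAddress SAN entries, never
    against dNSName entries, and the CN is never consulted."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in san)


# Constructed certificates in getpeercert() form (not real certificates).
CN_ONLY = {"subject": ((("commonName", "www.example.test"),),)}
WILDCARD = {
    "subject": ((("commonName", "this CN is ignored"),),),
    "subjectAltName": (("DNS", "*.example.test"),
                       ("DNS", "example.test"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY, "www.example.test"),
                       (WILDCARD, "www.example.test"),
                       (WILDCARD, "a.b.example.test"),
                       (WILDCARD, "example.test"),
                       (WILDCARD, "192.0.2.10")]:
        print(f"CN={subject_cn(cert)!r:>22}  host={host:<18} -> "
              f"{cert_matches_host(cert, host)}")
```

`getpeercert()` only returns the populated dict when the context actually verified the peer certificate (`verify_mode` other than `CERT_NONE`), so the check belongs after a verified handshake, where it answers the question the browser answers: not "is this certificate trusted" but "is it trusted for this name".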

[Freeipa-users] Re: certs: SAN without othername / NT Principal name

2022-03-31 Thread Fraser Tweedale via FreeIPA-users
On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On to, 31 maalis 2022, David Harvey via FreeIPA-users wrote: > > Hi FreeiPA users, > > > > I'm having great fun with a web app that hates the othername/ NT Principal > > name included with certificates

[Freeipa-users] Re: Active Directory Certificate Services as a Subordinate CA under IPA

2022-03-14 Thread Fraser Tweedale via FreeIPA-users
On Fri, Mar 11, 2022 at 09:59:48PM -0800, Tyrell Jentink via FreeIPA-users wrote: > I am primarily a Linux admin, and this might be a Windows problem... In > fact, this might not even be the right forum for me to be asking this > question, but I don't know which Windows forum would give me the

[Freeipa-users] Re: IPA managed sub CA with no subject name constraint

2022-01-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jan 21, 2022 at 04:50:36AM +0300, Omar Aloraini via FreeIPA-users wrote: > I'm trying to create a sub CA that is managed by IPA and be able to sign > certificates with arbitrary subjects. > > You can create a profile for a sub CA and sign the sub CA certificate. I > have followed this

[Freeipa-users] Re: keycloak - the other way around?

2021-11-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 08, 2021 at 09:45:39PM +, lejeczek via FreeIPA-users wrote: > Hi guys. > > I've only stumbled upon whole Keycloak thing thus go easy on me please. I > wonder if Keycload can be a "provider" to freeIPA in some way? > One such a scenario where I think Keycloak might be a golden egg

[Freeipa-users] Re: Adding SAML2 & OIDC

2021-09-26 Thread Fraser Tweedale via FreeIPA-users
On Sat, Sep 25, 2021 at 08:28:29AM -0400, Ciro Iriarte via FreeIPA-users wrote: > Hello!, > > I'm looking for feedback regarding which SAML2/OIDC platform would be best > match for FreeIPA. > > Regards, > CI.- > Keycloak is my recommendation. We have more experience with Keycloak integration

[Freeipa-users] Re: A couple of CRL questions

2021-08-16 Thread Fraser Tweedale via FreeIPA-users
Hello, On Mon, Aug 16, 2021 at 11:54:57AM -0400, Rob Crittenden via FreeIPA-users wrote: > IPA Listmail wrote: > > On Mon, Aug 16, 2021 at 11:33 AM Rob Crittenden > > wrote: > > > > I don't know why resetting the crl number would affect the set of > >

[Freeipa-users] Re: Accepting CSR with multiple, wrong Subject Alternate Names

2021-08-04 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 04, 2021 at 07:41:11AM -, Nerd Invert via FreeIPA-users wrote: > I have a piece of equipment with a web interface, for which I > would like to generate a certificate. The web interface supports > generating a CSR, but it's not possible to customize very much, > and this gives

[Freeipa-users] Re: Certificate profile to ignore (drop) email in SAN - possible?

2021-07-11 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jul 06, 2021 at 01:29:48PM -0400, Rob Crittenden via FreeIPA-users wrote: > Ian Pilcher via FreeIPA-users wrote: > > I've hit a roadblock while trying to generate a certificate for > > a VMware vSphere appliance. > > > > The VMware "Certificate Management" tool doesn't allow one to > >

[Freeipa-users] Re: Solve freeipa 'fragility' via orchestrated containers & whole-container upgrade?

2021-06-03 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jun 02, 2021 at 01:55:36PM -0500, Harry G. Coin via FreeIPA-users wrote: > Long time freeipa users have faced a certain 'fragility' freeipa has > inherited, mostly as a result of freeipa being the 'band director' over > a number of distinct subsystems maintained by various groups across

[Freeipa-users] Re: ACME admin replication conflict

2021-06-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, May 31, 2021 at 08:50:43PM +0200, Stijn De Weirdt via FreeIPA-users wrote: > hello all, > > > in our setup ipa-healthcheck reports an issue with a replication > conflict on "dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca" > > the conflict and valid entry are almost identical:

[Freeipa-users] Re: Removal of host certificates

2021-05-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 19, 2021 at 11:54:03AM +, Gerrard Geldenhuis via FreeIPA-users wrote:
> Hi
> I am trying to remove old host certificates.
>
> I generated a list using:
> ipa cert-find --sizelimit 0
>
> One of the certs is:
> Issuing CA: ipa
> Subject: CN=server.example.com,O=COMPANY.COM
>

[Freeipa-users] Re: What FQDN to use to get the LDAP server when there are multiple masters

2021-03-18 Thread Fraser Tweedale via FreeIPA-users
On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users wrote: > Hi, > > We have FreeIPA with three masters. To get to the LDAP server > we can use either of the three. To configure a service you must > come up with a FQDN for the LDAP server. Until now we have > simply selected

[Freeipa-users] Re: How to set IPA RA key length

2021-03-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Mar 10, 2021 at 07:26:52PM -0500, Rob Crittenden via FreeIPA-users wrote: > Yevhen Syvachenko via FreeIPA-users wrote: > > Hi, > > > > Pease help me to install FreeIPA that uses a 8192 bit key length for IPA RA > > and the hosts' certificates. > > > > Having all the rumor about

[Freeipa-users] Re: default certificate validity length should be less than 1 year.

2021-02-24 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 24, 2021 at 09:21:04PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 24 helmi 2021, Alan Latteri via FreeIPA-users wrote: > > Now that Mozilla and other browsers will not Trust a certificate with a > > validity length longer than a year, FreeIPA should change the default

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 09:52:27AM -0500, Bret Wortman wrote: > I found my error and got past this and completed the rest of the > steps up to setting up the new server. Is there an easy way to > test a certificate granted by their CA to see if it's now going to > be accepted on a system where

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 09:23:23AM -0500, Bret Wortman wrote: > Because the full CN is actually "damascusgrp.com DG Web Team Root > CA", does that complicate this or do I just need to find a way to > add all that as a host? I'm sorry. Yes it does. I misread the DN! My apologies. I will think

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> Fraser,
>
> It doesn't look like we fit the model. Our IPA CA's cert is as
> expected, but the other one is:
>
> $ openssl x509 -noout -in web-ca.crt -issuer
> issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-15 Thread Fraser Tweedale via FreeIPA-users
On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote: > We had a developer team deploy their own CA and then issue a slew > of certificates for users' workstations and other servers, and now > they want us to deploy those certificates more widely. I'd rather > find a way

[Freeipa-users] Re: ipaCertSubject uniqueness check

2020-12-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Dec 12, 2020 at 05:49:53PM -, Khurrum Maqb via FreeIPA-users wrote: > I got it resolved - IPA does not seem to support importing a > rechained external CA. It doesn't seem to have anything to do with > ipaCertSubject being unique but it's something else where there > are two different

[Freeipa-users] Re: FreeIPA using external CA

2020-11-17 Thread Fraser Tweedale via FreeIPA-users
On Tue, Nov 17, 2020 at 06:21:51PM -, A. Karampatziakis via FreeIPA-users wrote: > Hi Fraser, > > Thanks for the quick reply. > We had tried the --ca-subject before with no success.. > It turns out the problem was with the order of the components in the DN. > Your comment helped to go

[Freeipa-users] Re: FreeIPA using external CA

2020-11-17 Thread Fraser Tweedale via FreeIPA-users
On Tue, Nov 17, 2020 at 12:53:19PM -, A. Karampatziakis via FreeIPA-users wrote: > Hi all, > > For a project we want to use FreeIPA with external CA. > We are using v4.6.6 on centos7.8. > > The guides instruct to use command ”ipa-server-install --external-ca”, get > the CSR and run the

[Freeipa-users] Re: FREEIPA - TLS - CN > 64 characters

2020-10-21 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 21, 2020 at 07:21:21AM -, Krzysztof O via FreeIPA-users wrote: > > On Mon, Oct 19, 2020 at 11:42:08PM +1000, Fraser Tweedale via FreeIPA-users > > wrote: > > Found the ticket: https://pagure.io/freeipa/issue/5706 > > > > I also wrote a b

[Freeipa-users] Re: FREEIPA - TLS - CN > 64 characters

2020-10-19 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 19, 2020 at 11:42:08PM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Mon, Oct 19, 2020 at 06:52:20AM -, Krzysztof O via > FreeIPA-users wrote: > > Hello, > > > > I'd like to ask of is there any workaround for issuing > > certificates tha

[Freeipa-users] Re: FREEIPA - TLS - CN > 64 characters

2020-10-19 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 19, 2020 at 06:52:20AM -, Krzysztof O via FreeIPA-users wrote: > Hello, > > I'd like to ask of is there any workaround for issuing > certificates that will have Common Name longer that 64 characters? > > For FREEIPA version less than 4.8.0 which is designated for RHEL > 8, when

[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-14 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 12, 2020 at 09:36:26AM +0200, Radoslaw Kujawa via FreeIPA-users wrote: > Hi. > > On 10/12/20 3:05 AM, Fraser Tweedale via FreeIPA-users wrote: > > On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users > > wrote: > > > On 10/8/

[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-11 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users wrote: > Hi. > > On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote: > > Radosław Kujawa via FreeIPA-users wrote: > > > Hi list. > > > > > > Is it possible to add email subjectAltName to a certificate when it is

[Freeipa-users] Re: Replace Web UI Cert

2020-10-06 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 07, 2020 at 03:58:19AM -, Chuck Musser via FreeIPA-users wrote: > ok got it. I did the kinit to do the update and was able to import the cert > and update the certs collection. > > It took several attempts and the above advice to get the right procedure, but > to recap, the

[Freeipa-users] Re: Replace Web UI Cert

2020-10-06 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 06, 2020 at 09:07:17PM -, Chuck Musser via FreeIPA-users wrote: > Thanks for pointing me in the right direction. I created a PKCS#12 file with > the certificate, private key and the full certificate chain and tried to > install it, but it needed to have my CA's cert installed,

[Freeipa-users] Re: [offlist] Re: Re: Modify LDAP/HTTP to add alternative names

2020-09-30 Thread Fraser Tweedale via FreeIPA-users
reeIPA-users > > > wrote: > > > > On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote: > > > > > On Thu, Sep 24, 2020 at 02:15:11PM -, Willie Lima via > > > > > FreeIPA-users wrote: > > > > > > Hi guys, > > >

[Freeipa-users] Re: [offlist] Re: Re: Modify LDAP/HTTP to add alternative names

2020-09-30 Thread Fraser Tweedale via FreeIPA-users
On Tue, Sep 29, 2020 at 09:44:16AM -0400, Simo Sorce via FreeIPA-users wrote: > On Tue, 2020-09-29 at 14:01 +0200, Christian Heimes via FreeIPA-users > wrote: > > On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote: > > > On Thu, Sep 24, 2020 at 02:15:11PM -, Wi

[Freeipa-users] Re: IPA CA request ID reuse issue

2020-09-28 Thread Fraser Tweedale via FreeIPA-users
On Fri, Sep 18, 2020 at 05:02:39PM -, Boris Sukhinin via FreeIPA-users wrote: > > Would you mind having a look through the DS error and access logs on > > the affected system, to see if there are any clues about why the VLV > > index became inconsistent? > > It seems there are no records of

[Freeipa-users] Re: Modify LDAP/HTTP to add alternative names

2020-09-28 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 24, 2020 at 02:15:11PM -, Willie Lima via FreeIPA-users wrote: > Hi guys, > > I have 12 freeipa servers deployed with integrated DNS and CA > (realm and domain int.example.com). > > I would like to make a DNS round-robin, for instance: request > ldap.int.example.com and forward

[Freeipa-users] Re: IPA CA request ID reuse issue

2020-09-17 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 17, 2020 at 12:41:37PM -, Boris Sukhinin via FreeIPA-users wrote: > I can confirm that rebuilding VLV solved the issue. After restoring > overwritten certificate requests from backup we were able to add new replicas > to the FreeIPA cluster without any problems. > > Fraser,

[Freeipa-users] Re: IPA CA request ID reuse issue

2020-09-16 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 16, 2020 at 05:26:14AM -, Boris Sukhinin via FreeIPA-users wrote: > It seems the problem is with a single replica only. It was > assigned request id range 19990001-2000. Requests > 19990001-19990008 were submitted some time ago, and requests > 19990001-19990005 were

[Freeipa-users] Re: IPA CA request ID reuse issue

2020-09-15 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 16, 2020 at 11:29:05AM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Tue, Sep 15, 2020 at 02:20:49PM -, Boris Sukhinin via FreeIPA-users > wrote: > > I try to add a new replica to a cluster of 3 freeipa servers. > > ipa-replica-install --setup-ca f

[Freeipa-users] Re: IPA CA request ID reuse issue

2020-09-15 Thread Fraser Tweedale via FreeIPA-users
On Tue, Sep 15, 2020 at 02:20:49PM -, Boris Sukhinin via FreeIPA-users wrote:
> I try to add a new replica to a cluster of 3 freeipa servers.
> ipa-replica-install --setup-ca fails with an error:
> [5/28]: configuring certificate server instance
> ipaserver.install.dogtaginstance: CRITICAL

[Freeipa-users] Re: Running external cert management on Ipa server?

2020-09-10 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 10, 2020 at 06:12:18PM +0100, Dominik Vogt via FreeIPA-users wrote: > On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users > wrote: > > > a customer wants to use the Redhat certificate system instead of > > > the one built into freeipa. AFAIK both use dogtag

[Freeipa-users] Re: FreeIPA certificate doesn't validate in iOS

2020-09-07 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 07, 2020 at 05:52:12PM +0200, Jochen Kellner wrote: > > Hello, > > thanks for your suggestions, I'll answer below. TL;DR: seems to work now. > > Fraser Tweedale via FreeIPA-users > writes: > > > First of all: is the IPA CA certificate (or if it

[Freeipa-users] Re: FreeIPA certificate doesn't validate in iOS

2020-09-07 Thread Fraser Tweedale via FreeIPA-users
Hello, First of all: is the IPA CA certificate (or if it is externally signed, one of the superior certificates) in the trust store on the user's iPhone? Other comments inline. On Sun, Sep 06, 2020 at 11:24:22AM +0200, Jochen Kellner via FreeIPA-users wrote: > > Hello, > > I'm running IPA on

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 13, 2020 at 02:43:33AM +, Scott Z. via FreeIPA-users wrote: > Just in case it helps to narrow things down a bit or answers questions... > 1) The problem IdM server is the CA Master as far as I can tell (ran the > command "ipa config-show", saw that the IPA CA renewal master: was

[Freeipa-users] Re: PKI for Windows

2020-07-19 Thread Fraser Tweedale via FreeIPA-users
On Sat, Jul 18, 2020 at 12:45:03AM +, Vinícius Ferrão via FreeIPA-users wrote: > Hello, > > I need to issue some certificates for the AD Environment and I > don’t have ADCS in place. So my FreeIPA deployment was with a self > signed CA and the common AD Trust enabled. > > Now with this issue

[Freeipa-users] Re: Adding new replica with CA fails.

2020-07-07 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote: > On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden wrote: > > > > Guillermo Fuentes via FreeIPA-users wrote: > > > Hi Flo, > > > Here is the value of the entry: > > > # certificateRepository, ca, ipaca > > > dn:

[Freeipa-users] Re: CSR in PRINTABLESTRING enc when docs says UTF8STRING is default

2020-04-22 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 13, 2020 at 08:50:38AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On su, 12 huhti 2020, Fredrik Arneving via FreeIPA-users wrote: > > Hi Alexander, > > > > Thank you for explaining this to me. > > Next question: > > > > Given that my "organizationName" is given on the

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote: > On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote: > > > Makes me look at this a different way. Perhaps change the certstore to > > > only return valid CA certs. That way they are stored if an

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-10 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 10, 2020 at 08:39:39PM -0400, Rob Crittenden wrote: > Fraser Tweedale wrote: > > On Tue, Mar 10, 2020 at 10:25:01AM -0400, Rob Crittenden wrote: > >> Fraser Tweedale via FreeIPA-users wrote: > >>> On Fri, Mar 06, 2020 at 12:48:50PM +0200, Alexander Bo

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-10 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 10, 2020 at 10:25:01AM -0400, Rob Crittenden wrote: > Fraser Tweedale via FreeIPA-users wrote: > > On Fri, Mar 06, 2020 at 12:48:50PM +0200, Alexander Bokovoy via > > FreeIPA-users wrote: > >> On pe, 06 maalis 2020, Sigbjorn Lie via FreeIPA-users wrote: > &

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-08 Thread Fraser Tweedale via FreeIPA-users
On Fri, Mar 06, 2020 at 12:48:50PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On pe, 06 maalis 2020, Sigbjorn Lie via FreeIPA-users wrote: > > > On 4 Mar 2020, at 14:27, Alexander Bokovoy via FreeIPA-users > > > wrote: > > > > > > On ke, 04 maalis 2020, Sigbjorn Lie via FreeIPA-users

[Freeipa-users] Re: Certificates for embeded devices and old equipment.

2020-02-19 Thread Fraser Tweedale via FreeIPA-users
Hi Kendrick, Please give more detail about exactly what you did and what the errors were. FWIW the warning below does not seem relevant to your issue. Thanks, Fraser On Thu, Feb 20, 2020 at 02:01:22AM -, Kendrick . via FreeIPA-users wrote: > I have a older kvm that is requiring an

[Freeipa-users] Re: external cert sign request - how to sign?

2020-02-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Feb 13, 2020 at 11:59:34AM +, lejeczek via FreeIPA-users wrote: > hi everyone, > > how, if possible at all, to have IPA sign a cert sign request which is > not part of IPA's domain/realm? > > many thanks, L. > You sure can. Just add the host principal for the name you want, and use it

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 07:41:00PM -0500, Christopher Young wrote: > I think I found the issue (posting here in case someone else runs into > something similar). It's Apple's doing. > https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/ > > Basically, I have my default certificate

[Freeipa-users] Re: Revocation process for FreeIPA Sub CA issued by ms-ca

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 10:35:00PM +, Christopher Lord via FreeIPA-users wrote: > Attempting to reply to the proper thread instead of to Rob privately. > Please forgive my inexperience with mailing lists. > > Thanks Rob, > > I thought that was probably the case. Is it at all possible to

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 05:54:34PM -0500, Christopher Young wrote: > Interesting enough, I don't get this problem on my Fedora workstation > or a co-worker on a Windows-based system, so I'm currently > troubleshooting it as an issue on the Mac (which has Symantec Endpoint > Protection on it that I

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-11 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 11, 2020 at 05:40:14PM -0500, Christopher Young via FreeIPA-users wrote: > I have a weird issue where I have my RHV (RedHat Virtualization) > environment system that has an IPA-issued certificate in place. This > has been working very well for some time. > > In any case, I'm

[Freeipa-users] Re: Command to export sub-ca certificate

2020-02-05 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 05, 2020 at 06:19:16PM -, Jakob Ackermann via FreeIPA-users wrote: > this is exactly what I tried before and the puppet agent complained > that it could not find the CA its certificate was signed with. > This is a limitation in puppet. > OK, thanks for clarifying. > Rob's answer

[Freeipa-users] Re: Command to export sub-ca certificate

2020-02-04 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 04, 2020 at 01:51:43PM -0500, Rob Crittenden via FreeIPA-users wrote: > Jakob Ackermann via FreeIPA-users wrote: > > The client is joined to the IPA domain and gets a certificate from the > > sub-ca `puppet` with `ipa-getcert request -x puppet`. In order to have > > the puppet agent

[Freeipa-users] Re: Upgrade freeipa without CA

2020-01-29 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 29, 2020 at 03:13:15PM -0400, Terry Soucy via FreeIPA-users wrote: > Hi Everyone, > > I'm in the process of testing a CentOS 6 to CentOS 7 migration of our IPA > servers (ipa-server-3.0.0 to ipa-server-4.6.5). I have successfully added a > 4.6.5 IPA server to my 3.0.0 replicas in my

[Freeipa-users] Re: External CA renewal and self-signed surprise

2020-01-19 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote: > On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote: > > > The question remains: how do I get rid of the self-signed CA entirely? > > Best hint toward this I've managed to find thus far is in the comments on >

[Freeipa-users] Re: COPR repositories changes

2019-12-19 Thread Fraser Tweedale via FreeIPA-users
On Thu, Dec 19, 2019 at 05:17:05PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > Hi, > > thanks to the recent changes done by Dinesh(master[1] and ipa-4-8[2]), > it is now possible to have continuous rebuild of FreeIPA master and > ipa-4-8 branches using COPR repositories. > > We now have

[Freeipa-users] Re: /var/log/pki/pki-tomcat/ca/debug

2019-12-10 Thread Fraser Tweedale via FreeIPA-users
On Tue, Dec 10, 2019 at 09:22:19AM +0100, Ronald Wimmer via FreeIPA-users wrote: > I cannot remember to have set anything to "debug" regarding CA. > Nevertheless, these files are growing continuously: > > -rw-r-. 1 pkiuser pkiuser 1.6G Dec 10 09:15 > /var/log/pki/pki-tomcat/ca/debug >

[Freeipa-users] Re: FreeIPA having problem after upgrading from Fedora 30 to 31

2019-11-27 Thread Fraser Tweedale via FreeIPA-users
Hi Patrick, I want to follow up with this. Did you get things working again? With the latest packages for both f30 and f31, I upgraded a FreeIPA installation from f30 to f31 without encountering any problems. Perhaps the jss issue caused the system to enter a poor state during the initial

[Freeipa-users] Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-26 Thread Fraser Tweedale via FreeIPA-users
On Tue, Nov 26, 2019 at 09:46:02AM +0300, Александер Скобельцын wrote:
> Of course.
>
> dn: uid=ipara,ou=people,o=ipaca
> cn: ipara
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> userCertificate:
>

[Freeipa-users] Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-25 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 25, 2019 at 02:47:46PM -, Alexander Skobeltsin via FreeIPA-users wrote: > Several days ago my freeipa (4.4) server was broken due to expiration of all > certificates ( except ca of course). Because of in 4.4 was no such handy > tool, as ipa-cert-fix, but lots of recovery

[Freeipa-users] Re: FreeIPA having problem after upgrading from Fedora 30 to 31

2019-10-30 Thread Fraser Tweedale via FreeIPA-users
Is there anything in the dirsrv log relating to the connection attempt? Connection Refused could in fact be a TLS handshake error (the TLS handshake also includes certificate authentication). Cheers, Fraser On Wed, Oct 30, 2019 at 10:47:54PM +0800, Patrick Dung via FreeIPA-users wrote: > Hello

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 14, 2019 at 05:50:47PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 14 loka 2019, Kevin Vasko wrote: > > Welp, I'm an idiot and you are completely 100% correct. > > > > It was indeed revoked, but the http servers certificate was revoked > > and not the client..which is

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-10 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 10, 2019 at 12:09:48PM +0100, lejeczek via FreeIPA-users wrote: > On 01/10/2019 02:21, Fraser Tweedale wrote: > > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > >> On 09/09/2019 01:07, Fraser Tweedale wrote: > >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100,

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
> Seems to happen on both Ubuntu 16.04 and 18.04.
>
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 16.04.6 LTS
> Release:        16.04
> Codename:       xenial
>
> $ firefox

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote: > Hello, > > I’m wanting to make our https servers use a trusted certificate within our > LAN only. So for example if I have websrv1.ny.example.com when a user uses a > machine that’s enrolled into our realm and they

[Freeipa-users] Re: ipa vault: internal error, "Invalid Credential"

2019-10-02 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 07:14:17PM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Tue, Oct 01, 2019 at 10:51:37AM +0300, Alexander Bokovoy via FreeIPA-users > wrote: > > On ti, 01 loka 2019, Dmitry Perets via FreeIPA-users wrote: > > > Hi, > > > > >

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 09:09:52AM +0100, lejeczek wrote: > On 01/10/2019 02:21, Fraser Tweedale wrote: > > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > >> On 09/09/2019 01:07, Fraser Tweedale wrote: > >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via

[Freeipa-users] Re: ipa vault: internal error, "Invalid Credential"

2019-10-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 10:51:37AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ti, 01 loka 2019, Dmitry Perets via FreeIPA-users wrote: > > Hi, > > > > Posting back here, in case someone gets this issue in the future... > > > > The problem turned out to be that IPA put wrong CA cert

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > On 09/09/2019 01:07, Fraser Tweedale wrote: > > On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > >> hi guys, > >> > >> how to manage those? > >> > >> Why are these missing in "standard" IPA

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
. The freeipa-healthcheck project will also analyse the topology and warn of insufficient redundancy of CA/KRA, DNS, etc. Cheers, Fraser > On Mon, Sep 30, 2019 at 12:35 AM Fraser Tweedale via FreeIPA-users > wrote: > > > > Hi Stuart, > > > > Adding the freeipa-users@ mailing l

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 30, 2019 at 08:19:15AM +0100, Stuart McRobert wrote: > Dear Fraser, > > Thanks, I've retained the CC but will probably need to join. > > > I think your idea to first try creating a CA replica on F28 before > > moving forward to F30 is a sensible thing to try. > > I will explore

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-29 Thread Fraser Tweedale via FreeIPA-users
Hi Stuart, Adding the freeipa-users@ mailing list for visibility. I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that. I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to

[Freeipa-users] Re:

2019-09-25 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 25, 2019 at 10:06:49AM +, Nazan CENGİZ via FreeIPA-users wrote: > Hi, > > Who is the name of the community? > Do you have an existing slack group? > Thanks. > Find us on IRC, #freeipa on Freenode. Cheers, Fraser > >

[Freeipa-users] Re: log dispatching for IPA servers

2019-09-24 Thread Fraser Tweedale via FreeIPA-users
Hi Nazan, I'm not sure what the best practices are for log dispatching on IPA servers, or what is suitable for your customer's environment and requirements. I assume the customer is running RHEL and therefore wants the solution to only use supported components. Adding freeipa-users@ for a wider

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-17 Thread Fraser Tweedale via FreeIPA-users
Is the sub-CA key present in the Dogtag NSSDB on ipa01? To see the list of private keys, execute `certutil -d /etc/pki/pki-tomcat/alias -K`. The password is the value of `internal=` in /etc/pki/pki-tomcat/password.conf. Cheers, Fraser On Tue, Sep 17, 2019 at 06:46:37PM -, Ben Rawson via

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 12, 2019 at 02:10:22PM -0400, Ben Rawson via FreeIPA-users wrote: > Thanks for the quick response Fraser. I did some more digging based on your > suggestions, and I think I have a pretty good handle on what's going on. > > We actually have 3 ipa servers, with ipa01 being the CA master.

[Freeipa-users] Re: ipa-kra-install fails: Failed to update number range.

2019-09-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 12, 2019 at 03:33:26PM -, Dmitry Perets via FreeIPA-users wrote: > Hi, > > I've created a new IPA replica. > ipa-replica-install has completed successfully. > ipa-ca-install has completed successfully as well. > However, ipa-kra-install fails. > > In the terminal the fails right

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 09, 2019 at 11:12:54AM +0100, lejeczek wrote: > On 09/09/2019 01:07, Fraser Tweedale wrote: > > On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > >> hi guys, > >> > >> how to manage those? > >> > >> Why are these missing in "standard" IPA installations and

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-08 Thread Fraser Tweedale via FreeIPA-users
On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > hi guys, > > how to manage those? > > Why are these missing in "standard" IPA installations and how to get > them in? > > many thanks, L. > Do you mean in the IPA CA certificate, or in the end-entity certificates?

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Fri, Sep 06, 2019 at 11:27:52AM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Thu, Sep 05, 2019 at 10:12:10AM -, David Etchen via FreeIPA-users > wrote: > > Ahh of course sudo I was trying su. > > > > I'm on Centos 7.6 running freeipa 4.6.4 all from t

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 05, 2019 at 10:12:10AM -, David Etchen via FreeIPA-users wrote: > Ahh of course sudo I was trying su. > > I'm on Centos 7.6 running freeipa 4.6.4 all from the standard yum packages. > > It does look to be the exact same issue as you posted about Fedora 30. > Thanks. I will need

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 05, 2019 at 09:07:48PM -, Ben Rawson via FreeIPA-users wrote: > I'm having some trouble getting sub-ca signed certificates issued and managed > by certmonger. The implementation here > [https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I > see that the -X

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-04 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 04, 2019 at 03:08:30PM -, David Etchen via FreeIPA-users wrote: > Hi Fraser, > > Thanks for replying. > > I've restarted both sides like you suggested but still don't see a > difference. I can see the back off time has started again like you said. > >

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-04 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 04, 2019 at 12:33:27PM -, David Etchen via FreeIPA-users wrote: > Hi Guys, > > I have a 2 host basic IPA setup; both IPA servers are running dns & > ca. I'm running on Centos 7.6 using freeipa version 4.6.4 & > dogtag version 10.5.9 > > I've made a subCA called vpnca and a

[Freeipa-users] Re: DIRSRV external signed cert questions

2019-08-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 09, 2019 at 11:06:58PM -, Boyd Ako via FreeIPA-users wrote: > This involves the `ipa-server-certinstall` command. > > 1) If I used the option to install P12 for dirsrv, will dirsrv being doing > OCSP validation? If so, is there away for me to disable OCSP validation? > Do you
