Hello Flo,
sorry for the delay, I ran the ipa-healthcheck and all I got was warnings. I'm
going to try attaching the file here. I replaced the ldap01.app.uaap.maxar.com
with a new one with the DN= ldap.app.uaap.maxar.com and DNS aliases for
ldap[01..03].app.uaap.maxar.com because it made
I don't get it, the cert is valid and the master seems to be working just fine.
Any ideas as to how I need to approach this issue? I can rebuild the replicas
and get the cert updates done on each of the replicas, but I have tried that a
few times and it seems to still be unhappy with it.
I don't see that... here is where it is at the moment, and it's been there for a
long while:
[root@ldap02] /var/log
$ ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3
Found this in the logs:
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
Hey guys,
I finished installing two replicas of my master. Both installations of the
replicas completed successfully, but when I try to run the ipa-setup-ca it is
having some issues.
The errors I get are:
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
[root@ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
also, am I looking at the correct one here?:
[root@ldap01]
$ certutil -L -d
and this is from the ca/debug file:
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has
also, here is more in the journal:
-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21 UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine
[root@ldap01] /home/rocky
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running
starting ipa is failing for the
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running.
All other services are running fine, I can kinit admin and search for users, I
can also log into the UI and see everything. When I try to start the service I
see the following errors:
Mar 11 20:44:44
so, I have one master now and one client/replica... how do I go with building
a second master? is that the same as building just another ipa-server? like
ipa-server-install?
Do I need to have the same CA on both masters?
___
FreeIPA-users mailing
okay, so I get that part. Will the two masters with the CA service be able to
be replicas of each other?
Hello guys,
I'm starting fresh with a 3 node cluster for freeipa. I just want to ask for
best practices here.
Should I build 3 nodes, each with the ipa-server, http, etc, etc... and then
try to replicate? or
should I build 1 node with everything and then build the other two nodes as
[root@ldap01] ~
$ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh
Access granted: True
Matched rules: allow_all
Not matched rules: admins_allow_all
Not matched rules: allow_systemd-user
Not matched rules:
so, after disabling the `allow_all` I'm having issues... this user is allowed
in the `deepcore-bastion` rule, but he's getting denied:
[root@ldap01] ~
$ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh
-
Access granted: False
okay, I think the rule `Matched rules: allow_all` was causing the issue... I
tested after disabling that rule and it's working now. How can we close this
ticket?
from: ipa hbacrule-find
```
$ ipa hbacrule-find
7 HBAC rules matched
  Rule name: admins_allow_all
  Host category: all
  Service category: all
  Enabled: True

  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
```
Hello,
I have setup a bastion host with an IPA client in order to control access to
the bastion host by groups. I have users in different groups, but I just got
word that people outside the group / HBAC rule can access and login with their
IPA credentials. Everything seems okay with the
Hello Flo,
We have three (3) servers and two of them are replicas.
From the cli:
# `ipa-getcert list` shows two certs both expired,
# `getcert list` shows 8 certs, 7 of those expired.
We are working from the CA master and trying everything we have listed above.
We tried the ipa-cert-fix
but it seems that I'm getting the clock skew error for the directory service
every time I try to resubmit the cert renewal because the rolling back of the
date/time to the local server is affecting the clock for the directory service.
I think that's causing my renewals to fail.
not sure I follow your answers, can you clarify what I should be doing to get
those Errors or the `clock skew` issue resolved?
Hello guys,
The team was trying some new things and we got some errors we would like to
share:
ERR - _csngen_adjust_local_time - Adjustment limit exceeded; value - ,
limit - (I'm not sure if you care to see the actual numbers)
ERR - ldbm_back_modify - failed to generate modify CSN for
Thanks, I got all the services up and running, yet I can't get the certs to
renew.
When I look at certmonger it seems to be having dbus connection issues. Are
those normal? I have tried to use the `resubmit` option for the certs ID but
that doesn't seem to work.
Thoughts?
Sorry, here is the link for the paste errors:
https://justpaste.it/57k4t
Hello Flo,
Thanks everyone for the support. I have tried to start the service and I will
would like to attach the errors I'm getting. Please review attachments. Let me know
what you think I should do.
I'm trying to clean up the verbose logs, but I see four issues:
1. certutil: Could not find cert: trasnportCert cert-pki-kra
2. certutil: Could not find cert: storageCert cert-pki-kra
3. certutil: Could not find cert: auditSigningCert cert-pki-kra
4. Failed to update password
This one is
okay, now I am getting the following error:
Command: `pki-server cert-fix --ldapi-socket /var/run/slapd-.socket --agent-uid ipara --cert sslserver --cert subsystem --cert ca_ocsp_signing --cert ca_audit_signing --extra-cert 6' returned non-zero exit status 1
The ipa-cert-fix command failed.
I'm running version 4.6.8 and it does have the ipa-cert-fix. But when I run
it, I get these errors:
cannot connect to 'ldapi:.socket':
The ipa-cert-fix command failed.
Thoughts? Thank you
All my certs in IPA are expired and no matter what I do I can't get `getcert`
to renew them. I have changed the date back to before they expired but when I
try to restart IPA is trying to do an upgrade and fails.
I'm able to start kdc, directory services, http, pki-tomcat and certmonger, but