> last init status: Error (0)
> last init ended: 1970-01-01 00:00:00+00:00
> last update status: Error (0) No replication sessions started since
> server startup
> last update ended: 1970-01-01 00:00:00+00:00
>
>
>
>
> On Thu, May 16, 2024 at 1:48 AM Flore
Folks,
Is changing the IP address possible for a CA replica? I am having a hard
time creating new CA replicas so to buy some time I would like to change the
IP address of the CA replica if it's easy.
I have external DNS, we don't use freeIPA based DNS and all certs are
self-signed.
~S
--
? is it going to work and how?
On Thu, May 16, 2024 at 2:23 PM Rob Crittenden wrote:
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> > Trying to deploy CA on a replica node and failed here without any
> > information. Can I restart the process again? Even log directo
Folks,
Trying to deploy CA on a replica node and failed here without any
information. Can I restart the process again? Even log directories are
empty /var/log/pki/pki-tomcat
My OS is RockyLinux 8.9 and Master CA running on CentOS7.x
[root@ldap-vx-010103-3 ~]# ipa-ca-install
Directory Manager
1970-01-01 00:00:00+00:00
On Thu, May 16, 2024 at 1:48 AM Florence Blanc-Renaud
wrote:
> Hi,
>
> On Thu, May 16, 2024 at 4:05 AM Satish Patel via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Folks,
>>
>> I am trying
05 AM Florence Blanc-Renaud
wrote:
> Hi,
>
>
> On Thu, May 16, 2024 at 4:42 AM Satish Patel via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Folks,
>>
>> I have Master freeIPA running on CentOS 7 and now trying to migrate
Folks,
I have Master freeIPA running on CentOS 7 and now trying to migrate it to
RockyLinux 8.9 (because centos7 is EOL).
When I am running # ipa-replica-install --setup-ca I encounter the following
error
Custodia uses 'ldap-vx-010101-4.site5.example.com' as master peer.
Configuring ipa-custodia
Folks,
I am trying to build some replicas and somehow they failed but because they
are half baked they are stuck in master nodes and not letting me remove
them. I have tried all the options and don't know how to get rid of them.
I want to remove ldap-vx-010103-1.site5.example.com and
e and likely for the other as well once you upgrade
> to RHEL 9.
>
> rob
>
> >
> > On Fri, May 10, 2024 at 8:42 AM Rob Crittenden > <mailto:rcrit...@redhat.com>> wrote:
> >
> > Satish Patel via FreeIPA-users wrote:
> > > Folks,
> &
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1
range". Sorry I am a little new to freeIPA terms and not sure about what to
do to fix this issue?
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden wrote:
> Satish Patel via FreeIPA-users wrote:
with keys, increasing lock attempts for logging in or (I
> personally do not use it) disable the locking IPA wide.
>
> On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Folks,
>>
>> I ha
Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to
fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
Folks,
I have noticed my admin account keeps getting locked out because of failed
attempts but I don't know from where and how. I tried to dig into logs but
didn't find any trace of attempt.
$ ipa-replica-manage list
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more
Folks,
I have a FreeIPA server running on CentOS7 and now I am trying to create a
replica copy using RockyLinux 9.3. When I try to join, the error related
cert expires. I have checked everywhere and didn't find any expired
certificates.
/usr/sbin/ipa-client-install -p admin -w
Folks,
We are running 4 freeIPA servers on CentOS 7.x in master-master replication
and life is good. But now it's time to say goodbye to CentOS. What can I do
to migrate them to Ubuntu OS?
Can I create one Ubuntu instance with freeIPA and join my existing freeIPA
cluster and slowly retire old
This has nothing to do with freeIPA. This is about how to move a virtual
machine from one environment to another.
On Tue, Sep 19, 2023 at 9:20 AM Srikanth Reddy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> I am new to this FreeIPA. If you don't mind could you please just
why don't you convert your vmdk into qcow2 format and import in a new cloud
location. That is what we did during vmware to openstack migration.
On Tue, Sep 19, 2023 at 1:51 AM Srikanth Reddy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Currently our FreeIPA is running as a
:
>
> On Mon, Sep 30, 2019 at 10:20:16AM -0400, Satish Patel via FreeIPA-users
> wrote:
> > Stuart,
> >
> > All I would say, please run multiple CA servers in your ldap
> > infrastructure, otherwise you will be in very big trouble like I was
> > in, I had n
Stuart,
All I would say, please run multiple CA servers in your ldap
infrastructure, otherwise you will be in very big trouble like I was
in. I had no idea about the role of CA and was running a single CA which we
lost and then we were totally screwed and weren't able to create any replica
or anything totally
wrote:
>
> Ok, thanks for the clarification. I will create brand new CA Master
> and retire older version.
>
> On Fri, Sep 27, 2019 at 12:02 PM Rob Crittenden wrote:
> >
> > Satish Patel via FreeIPA-users wrote:
> > > Can I upgrade my existing 4.4.x ldap-ca-m
Ok, thanks for the clarification. I will create brand new CA Master
and retire older version.
On Fri, Sep 27, 2019 at 12:02 PM Rob Crittenden wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Can I upgrade my existing 4.4.x ldap-ca-master with
> > "ipa-server-upgrade"
>>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '201909182
_pkicad
> >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> >>> "ocspSigningCert cert-pki-ca"
> >>> track: yes
> >>> auto-renew: yes
> >>> Request ID '20190918205433':
> >>> status: MONITORING
> >>
ate DB',pin set
> > certificate:
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject
nd:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Rob,
> >
> > Here is the web certs
> >
> > [root@ld
_tracking_certificates(serverid)
> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> >> line 983, in start_tracking_certificates
> >> 'restart_dirsrv %s' % serverid)
> >> File "/usr/lib/python2.7/site-packages/ipaserver/inst
>
> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden wrote:
> >
> > Satish Patel wrote:
> > > I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
> >
> > Ok, that explains what is happening.
> >
> > Edit /var/lib/ipa/sysupgrade/sysupgrade.state an
ng RA Agent to modify profiles]
> >>> [Authorizing RA Agent to manage lightweight CAs]
> >>> [Ensuring Lightweight CAs container exists in Dogtag database]
> >>> [Adding default OCSP URI configuration]
> >>> [Ensuring CA is using LDAPProfileS
l7.centos.4.x86_64"
>
> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden wrote:
> >
> > Satish Patel via FreeIPA-users wrote:
> > > I did run "ipa-server-upgrade" and it looks like it was successful but
> > > still in getcert list showing CA_NEED
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > I did run "ipa-server-upgrade" and it looks like it was successful but
> > still in getcert list
> broke some stuff but anyway I will take snapshot of VM and try in
> > worst case scenario.
> With the VM snapshot you are on the safe side.
>
> flo
>
> >
> > On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud
> > wrote:
> >>
> >
st case scenario.
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud wrote:
>
> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
> > Any thoughts?
> Hi,
> if you run ipa-server-upgrade on this node, the command will fix the
> tracking of certs. You should see in t
> Inc.",L=Scottsdale,ST=Arizona,C=US
>
> subject: CN=Go Daddy Secure Certificate Authority -
> G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
>
> expires: 2031-05-03 07:00:00 UTC
>
> key usage: keyCert
p-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > A few days ago my Master CA was messed up and getcert list was showing
> > empty list (no cert to
A few days ago my Master CA was messed up and getcert list was showing
empty list (no cert to track)
So I ran the following command to add certs manually:
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca' -P XXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias
You are awesome!!!
ipa topologysegment-del works!! And I am successfully able to remove bad replica
On Thu, Sep 19, 2019 at 6:08 PM Dmitry Perets via FreeIPA-users
wrote:
>
> Hi,
>
> Try using these, to delete replication agreements:
>
> ipa topologysegment-find
> ipa topologysegment-del
>
>
I am trying to remove old and bad replica from list but somehow it
didn't like what I am doing
[root@ldap-master ~]# ipa-replica-manage list -v `hostname`
ldap-1.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica
After googling I tried to run the following test on ldap-b-3 (new replica
where it failed and got the following)
[root@ldap-b-3 tmp]# python ipa-custodia-check.in `hostname` --verbose
[2019-09-18T16:33:51 ipa-custodia-tester] : Platform:
Linux-3.10.0-514.el7.x86_64-x86_64-with-centos-7.3.1611-Core
> > > last update status: Error (3) Replication error acquiring replica:
> > > Unable to acquire replica: permission denied. The bind dn does not
> > > have permission to supply replication updates to the replica. Will
> > > retry later. (permission denied)
> >
ate ended: 2019-09-16 15:56:55+00:00
> >
> >
> > [root@ldap-b-2 ~]# ipa-replica-manage list -v `hostname`
> > Directory Manager password:
> > ldap-b-1.example.com: replica
> > last init status: None
> > last init ended: 1970-01-01 00:00:00+00:00
> >
pdate ended: 2019-09-17 22:32:26+00:00
ldap-b-3.example.com I am trying to add in cluster throwing error for
CA_REJECT.
Let me know if you need more data or log?
On Tue, Sep 17, 2019 at 1:55 PM Rob Crittenden wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> >
Folks,
Stay with me while I explain my issue because it's a little complex. We
had 2 working ldap running in datacenter-A for many months and life
was good.
Last year company decided to shutdown datacenter-A and migrate
everything from there to new datacenter-B.
This is what I did for migration, I
42 matches