Hi,
> Are they visible from the command-line, ipa cert-find ?
I see 202 entries, same as the web UI. None are valid. I see some REVOKED,
EXPIRED and others without status.
> All Firefox or just one instance?
What do you mean by all Firefox? It's only when I connect to the FreeIPA web UI
Eric Boisvert via FreeIPA-users wrote:
> Good morning,
>
> That did the trick!
>
> The root certificate and the IPA certificate were missing from
> /etc/httpd/nssdb.
>
>
> Here are a few questions that I still have:
>
> From what I can understand /etc/httpd/nssdb isn't a default database.
Good morning,
That did the trick!
The root certificate and the IPA certificate were missing from /etc/httpd/nssdb.
Here are a few questions that I still have:
From what I can understand /etc/httpd/nssdb isn't a default database. Would
/etc/httpd/alias have been updated with
Eric Boisvert via FreeIPA-users wrote:
> Good afternoon,
>
> The configuration seems to have been put in /etc/httpd/client.conf, see below:
>
>>
>>
>> ServerName client
>>
>> NSSEnforceValidCerts off
>>
>> NSSEngine on
>>
>> NSSCipherSuite
Good afternoon,
The configuration seems to have been put in /etc/httpd/client.conf, see below:
>
>
> ServerName client
>
> NSSEnforceValidCerts off
>
> NSSEngine on
>
> NSSCipherSuite
>
Hi,
I hope I got everything right: on client.qc.lrtech.ca
you have configured apache, and it
should be using a certificate delivered by IPA and monitored by certmonger.
Certmonger is monitoring the cert 'Server-Cert' that is stored in the NSS
database */etc/httpd/nssdb*. From your description,
Good morning,
> if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
> the new root CA will be loaded in the LDAP server with the right trust
> flags. Then "ipa-certupdate" will download it from the LDAP server and put
> it into all the relevant NSS databases / files with the
Hi,
On Wed, Mar 16, 2022 at 3:14 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Sorry for the third reply in a row,
>
> A coworker was able to fix the
>
> GSSError: Major (851968): Unspecified GSS failure. Minor code may provide
> more information, Minor
Sorry for the third reply in a row,
A coworker was able to fix the
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639122): Generic preauthentication failure
by doing
# kinit admin
# mv /etc/krb5.keytab /etc/krb5.keytab-BACKUP
#
Good morning,
Little update
My client's time wasn't synchronized with NTP. After doing so I got a new error
message.
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.)
See ipa-certupdate -v output below:
> # ipa-certupdate -v
>
Good afternoon,
> Firefox stores the trusted CAs and you can manually remove the conflicting
> one: Edit > Settings > Privacy & Security > Certificates > View
> Certificates...
> In the Authorities tab, you can look for your original root CA (for which
> the key was lost) / the one that you
Hi,
On Tue, Mar 15, 2022 at 2:19 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Good morning,
>
> I don't know what happened, but this morning the ipa cert-show 1 command
> is working and it's showing an old certificate.
>
> That's normal as the cert with
Good morning,
I don't know what happened, but this morning the ipa cert-show 1 command is
working and it's showing an old certificate.
Also the CMS error is gone on the FreeIPA server.
Firefox is still showing the error message.
After copying the /etc/pki/ca-trust/source/ipa.p11-kit from the
> What is the serial number for the two "QC.LRTECH.CA IPA CA"
> certificates? Are they different? If not that would explain the Firefox
> error.
They are different:
Serial Number: 4098 (0x1002)
Serial Number: 00:8a:58:8a:64:a9:7d:dc:a0
> On the IPA server with the CA up, does ipa cert-show 1
I suppose we tackle these one at a time.
The older CA certificate can be deleted eventually which will prevent it
from being re-added by ipa-certupdate. I think for now we defer on that.
What is the serial number for the two "QC.LRTECH.CA IPA CA"
certificates? Are they different? If not that
Good afternoon,
I was able to find a date where it's possible to start IPA services
successfully (2022-03-02).
Is it possible to clear IPA from bad certificates?
I see four "QC.LRTECH.CA IPA CA" certificates in:
certutil -L -d /etc/ipa/nssdb
certutil -L -d /etc/httpd/alias
certutil -L -d
Hi,
in your previous email, the output of certutil shows that the new root CA
isn't trusted in some databases (flag is ,, instead of CT,C,C). You can
change the trust flags with certutil -M -t CT,C,C -d -n .
The 2nd thing to take into account: if you change the date in the past in
order to
Good morning Everyone,
I made little progress this weekend. I'm currently in a state where all my
services in the ipactl status command are running, but if I restart, the
pki-tomcatd service shows netscape.ldap.LDAPException: Authentication failed
(48) in the debug output when executing ipactl -r
> - how many IPA servers do you have with a CA role? ipa server-role-find
> --role "CA server"
We only have one IPA server. Executing the above command returns:
ipa: ERROR: cannot connect to 'https://freeipa.qc.lrtech.ca/ipa/json':
Could not connect to freeipa.qc.lrtech.ca using any address:
Hi,
let's get an accurate status first:
- how many IPA servers do you have with a CA role? ipa server-role-find
--role "CA server"
- among those, which one is the renewal master? ipa config-show | grep
renewal
- can you provide the full output of "getcert list" executed on the IPA
renewal master
-
Good morning everyone,
Unfortunately, before being able to renew my clients' CA I need to fix an issue
that prevents FreeIPA from starting. With the help of a coworker we found that
pki-tomcatd failed to start.
We then found this documentation about the problem:
Eric Boisvert via FreeIPA-users wrote:
> I did a kinit with my admin user and entered the password.
>
> Now ipa-certupdate -v returns:
>
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from
>
I did a kinit with my admin user and entered the password.
Now ipa-certupdate -v returns:
# ipa-certupdate -v
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external
You need to do a kinit first.
rob
Eric Boisvert via FreeIPA-users wrote:
> Thank you for your quick answer,
>
> I just tried to call ipa-certupdate but I get the following error from
> Kerberos.
>
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
>
Thank you for your quick answer,
I just tried to call ipa-certupdate but I get the following error from Kerberos.
# ipa-certupdate -v
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
Hi,
You need to call ipa-certupdate on all the IPA hosts (servers/clients), in
order to import the new root CA to all the NSS databases used by the
various IPA services, as well as /etc/ipa/ca.crt and a few other files.
flo
On Thu, Mar 10, 2022 at 3:49 PM Eric Boisvert via FreeIPA-users <
Good morning Florence,
You guessed right!
By changing some details in the root CA subject, the command ipa-cacert-manage
renew worked.
We now have a root CA valid until 2042 and a FreeIPA CA valid until 2027.
I'm now trying to manually renew my vm certificate with the command ipa-getcert
Hi,
On Wed, Mar 9, 2022 at 10:12 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Good afternoon Rob,
>
> TL;DR We can't renew the FreeIPA certificate because we lost our Root
> certificate private key and replacing it doesn't work
>
> We are currently using:
>
Good afternoon Rob,
TL;DR We can't renew the FreeIPA certificate because we lost our Root certificate
private key and replacing it doesn't work
We are currently using:
- CentOS Linux release 7.3.1611 (Core)
- FreeIPA 4.4.0-14.el7.centos.1.1
Our certificate structure looks like this:
Eric Boisvert via FreeIPA-users wrote:
> Hi,
>
> We are looking for help on CA certificate renewal with FreeIPA under a
> Linux environment. We went through most of the FreeIPA documentation
> available and we couldn't fix our issue yet.
>
> Is there an expert on this topic that