Nick Polites via FreeIPA-users wrote:
> UPDATE:
>
> I have resolved the issue. The problem all stemmed from the
>
> $getcert list
>
> Having expired certificates. I had to start up IPA using
>
> ipactl start --ignore-service-failures
>
> and then issue the
>
> getcert resubmit -i <>
>
>
On 30/09/2022 15:38, Nick Polites via FreeIPA-users wrote:
UPDATE:
I have resolved the issue. The problem all stemmed from the
$getcert list
Having expired certificates. I had to start up IPA using
ipactl start --ignore-service-failures
and then issue the
getcert resubmit -i <>
One certific
I compounded the issue by running a yum upgrade and updating IPA. Every time
IPA started it wanted to upgrade but being in a broken state due to the invalid
certs from the current version it could not upgrade.
___
FreeIPA-users mailing list -- freeipa-
UPDATE:
I have resolved the issue. The problem all stemmed from the
$getcert list
Having expired certificates. I had to start up IPA using
ipactl start --ignore-service-failures
and then issue the
getcert resubmit -i <>
One certificate came up as CA_UNREACHABLE but had a valid expiration
Nick Polites via FreeIPA-users wrote:
> Is it possible to export the users/passwords/groups and policies from my other
> IPA server which is working and import them into here? I guess I could use a
> data only backup from there and import it here.
>
> Are there any additional steps that I need to
Is it possible to export the users/passwords/groups and policies from my other
IPA server which is working and import them into here? I guess I could use a
data only backup from there and import it here.
Are there any additional steps that I need to do?
Hi Rob,
This server hlipa03 was the hostname and IP of the server I had the issues with
yesterday. I thought if I got the backup it would be best to create a new VM
and import the backup. I still have the original boot image of the broken one I
can bring back if I need to.
When I run a ipa-rep
Nick Polites via FreeIPA-users wrote:
> Apologies for jumping the gun here, I tried to run a full backup and now I am
> seeing the following error:
>
>
> Sep 28 09:12:38 hlipa03 sssd[ldap_child[12778]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication
One other error I see is this and I think this is the one related to tomcat not
working
server: Internal Database Error encountered: Could not connect to LDAP server
host hlipa03.acme.com port 636 Error netscape.ldap.LDAPException:
Authentication failed (49)
Nick Polites via FreeIPA-users wrote:
> Hi Mark,
>
> Thank you so much. Hopefully everything will stay up now. It is crazy how
> much the configuration file breaks if the upgrade fails. I'll report back
> tomorrow hopefully we are in business.
For the record, it's IPA that changes those listene
Apologies for jumping the gun here, I tried to run a full backup and now I am
seeing the following error:
Sep 28 09:12:38 hlipa03 sssd[ldap_child[12778]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed.
Unable to create GSSAPI-encrypted LDAP c
All,
I had enough time to run an ipa-backup --data to get the users exported out
before it shut down. I created a new VM and after setting IPA on the same
version was able to import the backup from the broken VM. The users are all
showing now. Thanks to everyone's help with this.
While everything starts up correctly, it stops working after a while. I see the
following error in the logs
Sep 27 20:34:46 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most
recent call last):#012 File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 515, in
#012
s
Hi Mark,
Thank you so much. Hopefully everything will stay up now. It is crazy how much
the configuration file breaks if the upgrade fails. I'll report back tomorrow
hopefully we are in business.
On 9/27/22 4:36 PM, Nick Polites via FreeIPA-users wrote:
I added the nsslapd-securePort: 636 but port 636 is not listening. 389 is
working. Do I need to do something else to get 636 working?
nsslapd-security needs to be "on" for the secure port to be activated.
This does require as server
I added the nsslapd-securePort: 636 but port 636 is not listening. 389 is
working. Do I need to do something else to get 636 working?
That is probably what I was doing wrong. Thanks for letting me know.
Hi Rob,
It is now working! Thanks for your help. What I did was re-run the
ipa-server-upgrade while in another window editing the dse.ldif file and
updating the nsslapd-port manually. I ran through the update, rebooted and now
389 is listening as well as the IPA web UI.
I appreciate the help a
If you are editing dse.ldif manually while dirsrv is running, do not do
that. Stop the service first and then edit the file.
The service loads dse.ldif into RAM upon startup and writes changes made
using ldapmodify out upon being shut down or restarted.
On 9/27/22 15:33, Nick Polites via Free
The nsslapd-port keeps resetting to 0 when I restart the dirsrv.
Hi Rob,
Thanks for the reply. I am not able to find a nsslapd-securePort in the
dse.ldif file, but the nsslapd-port is set to 0. When I update that and reboot
it is reset back to 0.
IPA Server is ipa-server-4.6.5-11.0.1.el7_7.3.x86_64
And just to be sure for now I want to just test starting L
Nick Polites via FreeIPA-users wrote:
> Hello,
>
> I ran into this issue which was compounded when I ran a yum update and IPA
> needed to run an upgrade. I rolled back the update to get it to stop
> requesting an upgrade. I see two issues here and not sure if they are
> related. Note I removed