[Freeipa-users] Re: ipa.service "fails" to start

2018-11-13 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: >> There is a way to disable the selftest but this is a sort of last resort. > > Hi Rob, I am afraid disabling SelfTest is maybe the way to resolve the issue. > Is there any documentation on this, IPA 4.4.0 and pki-server 10.3.3

[Freeipa-users] Re: ipa.service "fails" to start

2018-11-12 Thread Zarko D via FreeIPA-users
> There is a way to disable the selftest but this is a sort of last resort. Hi Rob, I am afraid disabling SelfTest is maybe the way to resolve the issue. Is there any documentation on this, IPA 4.4.0 and pki-server 10.3.3

[Freeipa-users] Re: ipa.service "fails" to start

2018-11-02 Thread Zarko D via FreeIPA-users
Hi Rob, any idea why going back in time prevents named from running? It looks like it's active but with errors. After returning to the present, the service doesn't have any errors.

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-30 Thread Zarko D via FreeIPA-users
> This doesn't . You are forcefully going back in time. As long as it > doesn't prevent named from starting and at least limping along then it > isn't worth pursuing until the certs are renewed. I can confirm that going back in time prevents named from running. It looks like it's active but with errors.

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-30 Thread Zarko D via FreeIPA-users
From what I experienced, during "killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger", the service ipa-dnskeysyncd.service is failing. Aug 10 10:19:18 ca-ldap04 ipa-dnskeysyncd: ipa : DEBUGKerberos principal:

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Hi Flo and Rob, additional update. There is a discrepancy in some of the certs' expiry times among the 4 servers, so I thought maybe another server could be a candidate to be the new renewal master. The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well, hence "ipa config-show" on all 4 servers

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Agree Flo, making sure that I am in the past, unfortunately still no resolution. [root@ca-ldap01 ~]# systemctl restart krb5kdc [root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service [root@ca-ldap01 ~]# systemctl restart httpd [root@ca-ldap01 ~]# systemctl restart

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/26/18 7:36 AM, Z D via FreeIPA-users wrote: Hi Rob, I followed one of your suggestions in another post, it's: "certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens" I did it, no

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, I followed one of your suggestions in another post, it's: "certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens" I did it, no success with messages: - MainThread ipa DEBUG

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, thanks much. Some of Flo's blogs about the CA help me to understand better now. Sure, "ipa cacert-manage renew" and "ipa-certupdate" were run before, hopefully not harmful; "caSigningCert cert-pki-ca" was valid for 18 more years. You're right, there is a mix of old and renewed ones, three

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Z D via FreeIPA-users wrote: > No, CA component is not running, and seems not much activity under > /var/log/pki/pki-tomcat. Maybe these can be of interest: > > [1] selftests.log > 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] > SystemCertsVerification: system certs

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
No, CA component is not running, and seems not much activity under /var/log/pki/pki-tomcat. Maybe these can be of interest: [1] selftests.log 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/25/18 8:11 AM, Z D via FreeIPA-users wrote: Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and /var/log/pki/pki-tomcat/ca/debug reads: [08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED ===

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and /var/log/pki/pki-tomcat/ca/debug reads: [08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED === java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid:

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/23/18 5:24 AM, None via FreeIPA-users wrote: Hi Flo, the journalctl reports that the request is rejected, error 2. dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-renew-agent-submit[29558]: GET

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread None via FreeIPA-users
Hi Flo, the journalctl reports that the request is rejected, error 2. dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-renew-agent-submit[29558]: GET http://ca-ldap01.:8080/ca/ee/ca/profileSubmit?profil dogtag-ipa-renew-agent-submit[29558]: Apache

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread None via FreeIPA-users
Hi Flo, your feedback helps, thanks a lot !!! Interestingly, 'ipa config-show' read that none of the four (4) servers is the renewal master. I suspect it's the one that was installed first; indeed it has the file /var/lib/ipa/pki-ca/publish/MasterCRL.bin Finally I fixed that so ca-ldap01 now reads as "IPA CA

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/20/18 5:40 AM, None via FreeIPA-users wrote: Thanks Flo. [1] Service pki-tomcatd@pki-tomcat.service is active (running) [2] /var/log/pki/pki-tomcat/ca/debug reads among others: - SSL handshake happened - Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-19 Thread None via FreeIPA-users
Thanks Flo. [1] Service pki-tomcatd@pki-tomcat.service is active (running) [2] /var/log/pki/pki-tomcat/ca/debug reads among others: - SSL handshake happened - Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) -

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote: Hi there, This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. After reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl start --ignore-service-failures" and this was kind of successful. I still have some