[Freeipa-users] Re: "s2n exop request failed" errors.

2019-11-25 Thread Sumit Bose via FreeIPA-users
On Mon, Nov 25, 2019 at 03:39:10PM -0500, Jean Figarella via FreeIPA-users wrote: > Hi, I have a customer that has both, RHEL 7 and RHEL 6 clients failing > logins with these "s2n exop request failed" errors. > > > > (Sat Nov 16 12:40:21 2019) [sssd[be[devunx.ulalaunch.com]]] > >

[Freeipa-users] Re: OTP implementation

2019-11-25 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 25 Nov 2019, Mizuki Karasawa via FreeIPA-users wrote: Hi all, We started looking into OTP features provided by IPA in our facility. In our environment, the majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA

[Freeipa-users] Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

2019-11-25 Thread Rob Crittenden via FreeIPA-users
Dmitri Moudraninets wrote: > Hi Rob, > > I recovered the key file. Restarted FreeIPA and certmonger. Now the issue > looks different: > image.png > > Subjects disappeared. If I click on a certificate 29 I see this: > cannot connect to >

[Freeipa-users] freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-25 Thread Alexander Skobeltsin via FreeIPA-users
Several days ago my freeipa (4.4) server was broken due to expiration of all certificates (except the CA, of course). Because in 4.4 there was no such handy tool as ipa-cert-fix, but lots of the recovery methods that I found on Google were using it, I decided to upgrade my broken freeipa to 4.5 (by

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-25 Thread Charles Hedrick via FreeIPA-users
Here’s an approach that will work if you’re on the KDC. Become root. Run kadmin.local. ktadd -k XXX.kt -norandkey XXX -norandkey is the equivalent of -r. That creates a key table XXX.kt (or adds to it if it already exists). No password needed except what you normally do to become root. On Nov

[Freeipa-users] Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

2019-11-25 Thread Dmitri Moudraninets via FreeIPA-users
Hi Rob, Some good news. I did the same with the secondary server. Now on the secondary server I can navigate through the GUI without any errors (authentication->certificates->certificates). But on the first server Subjects are missing and all certificates are grayed out except one. Another good thing -

[Freeipa-users] Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

2019-11-25 Thread Dmitri Moudraninets via FreeIPA-users
Hi Rob, I did the following: I removed original ra-agent.pem and ra-agent key and openssl x509 -in /root/debug.cert -out /var/lib/ipa/ra-agent.pem chown root:ipaapi /var/lib/ipa/ra-agent.pem chmod 0440 /var/lib/ipa/ra-agent.pem restorecon /var/lib/ipa/ra-agent.pem Successfully restarted

[Freeipa-users] Re: Certificates renewal - for certs issued to services like HTTP

2019-11-25 Thread Rob Crittenden via FreeIPA-users
John Stokes via FreeIPA-users wrote: > Hi Rob, > > You are right. The certs are automatically tracked and renewed. I have two > IPA servers. When using the command getcert list on the first one it did not > show me any of the certificates I have issued for my servers (I'm talking > about ssl

[Freeipa-users] Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

2019-11-25 Thread Rob Crittenden via FreeIPA-users
Dmitri Moudraninets wrote: > Hi Rob, > > > > I did the following: > I removed original ra-agent.pem and ra-agent key > and > openssl x509 -in /root/debug.cert -out /var/lib/ipa/ra-agent.pem > chown root:ipaapi /var/lib/ipa/ra-agent.pem > chmod 0440 /var/lib/ipa/ra-agent.pem > restorecon

[Freeipa-users] Re: Certificates renewal - for certs issued to services like HTTP

2019-11-25 Thread John Stokes via FreeIPA-users
Hi Rob, You are right. The certs are automatically tracked and renewed. I have two IPA servers. When using the command getcert list on the first one it did not show me any of the certificates I have issued for my servers (I'm talking about SSL certificates for web servers in my network). But

[Freeipa-users] Re: Certificate Renewal less than 28days

2019-11-25 Thread Christof Schulze via FreeIPA-users
Everything works again, thank you for all the help. On 22.11.19 16:08, Rob Crittenden via FreeIPA-users wrote: Christof Schulze via FreeIPA-users wrote: The journal shows this on idm1 the CA renewal master (the same on the replicas only different time) Nov  3 07:37:47 idm1 certmonger:

[Freeipa-users] Re: FreeIPA certificates to create a keystore

2019-11-25 Thread Hernán Fernández via FreeIPA-users
You were right, the CA key file was not necessary. I just concatenated the host and CA public keys and used the host private key to generate the keystore correctly. I asked the question because some documents mention commands like this one, where the ca-key file is required. 1. 1. Sign the

[Freeipa-users] "s2n exop request failed" errors.

2019-11-25 Thread Jean Figarella via FreeIPA-users
Hi, I have a customer that has both, RHEL 7 and RHEL 6 clients failing logins with these "s2n exop request failed" errors. > > (Sat Nov 16 12:40:21 2019) [sssd[be[devunx.ulalaunch.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x219b840], connected[1], > ops[0x3209440], ldap[0x218dd00] (Sat

[Freeipa-users] OTP implementation

2019-11-25 Thread mizuki via FreeIPA-users
Hi all, We started looking into OTP features provided by IPA in our facility. In our environment, the majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA on our gateway and allow users to have freedom SSH-ing into any

[Freeipa-users] OTP implementation

2019-11-25 Thread Mizuki Karasawa via FreeIPA-users
Hi all, We started looking into OTP features provided by IPA in our facility. In our environment, the majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA on our gateway and allow users to have freedom SSH-ing into any

[Freeipa-users] Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-25 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 25, 2019 at 02:47:46PM -, Alexander Skobeltsin via FreeIPA-users wrote: > Several days ago my freeipa (4.4) server was broken due to expiration of all > certificates ( except ca of course). Because of in 4.4 was no such handy > tool, as ipa-cert-fix, but lots of recovery