[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via FreeIPA-users wrote: > Hello, > > after the mistake with Startcom CA (Class 3), now I look for a new > Certificate.. > > Is it possible and functional to install a Letsencrypt CA on a IPA-Server? > > I have found a script

[Freeipa-users] Illegal cross-realm ticket

2017-05-25 Thread Jake via FreeIPA-users
Hey Guys, Centos7.3 FreeIPA 4.4.0 I'm having a strange issue with cross-realm tickets that I'm having a hard time troubleshooting. It looks similar to an issue posted back in 2014. https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html but this routes file seems to

[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Rob Crittenden via FreeIPA-users
Jason Sherrill via FreeIPA-users wrote: > Opened in incognito, same error: "An error occurred: an invalid token > was found." It's hard to say, it works for me though. I'll ping the FAS maintainer and see what I can find out. rob > > On Thu, May 25, 2017 at 12:12 PM, Martin Bašti

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Rob Foehl via FreeIPA-users
On Thu, 25 May 2017, Fraser Tweedale wrote: This is not correct. The CA cert must be valid for the leaf cert to be valid, but the CA cert *can* be renewed without requiring leaf certificates to be reissued. So long as the following conditions are met, everything will be fine: 1. The CA's key

[Freeipa-users] Re: Setting up IPA server on an already domain joined machine

2017-05-25 Thread Simo Sorce via FreeIPA-users
On Mon, 2017-05-22 at 10:17 +, doug.ke...@wipro.com wrote: > Hi, > > > I'm wondering if anyone else has done something similar to us, and if so am > wondering how you went about it or if it is indeed at all possible. > > > Our situation is: > > > * We have a few VMs which are domain

[Freeipa-users] Re: krbLastSuccessfulAuth

2017-05-25 Thread Simo Sorce via FreeIPA-users
On Tue, 2017-05-23 at 13:07 -0400, Chris Apsey via FreeIPA-users wrote: > All, > > We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a > few other things. We have been looking for a way to keep track of the > last time a user logged on, and the obvious answer seems to be

[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Jason Sherrill via FreeIPA-users
I successfully logged in, but encountered some issues. While using Chrome on http://www.freeipa.org/page/Special:OpenIDLogin, clicking the *Fedora* button and then the *Login/create account with OpenID* button initially loaded a completely empty page and, after reloading, displayed an error. I

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Bitskrieg via FreeIPA-users
Günther, The script from github works fine (https://github.com/freeipa/freeipa-letsencrypt). We use it in production on CentOS 7. Keep in mind the script by will only configure the certificate for the web ui, and not LDAP/s. You will need a separate process for that. Chris On May 25,

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread John Keates via FreeIPA-users
Hi, Instead of using the Let’s Encrypt thing on the IPA server itself, I often just use it on a reverse proxy. This way the end-users see the verified CA and FreeIPA can keep doing its business. I tried to use ACME on the IPA server in the past, but it wasn’t very well integrated and caused

[Freeipa-users] CentOS 7 Letsencrypt CA

2017-05-25 Thread Günther J . Niederwimmer via FreeIPA-users
Hello, after the mistake with Startcom CA (Class 3), now I look for a new Certificate.. Is it possible and functional to install a Letsencrypt CA on an IPA-Server? I have found a script on "github" to install a Letsencrypt CA for FreeIPA (fedora), but can anyone tell me if this is working with

[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Martin Bašti via FreeIPA-users
Hello, could you please log in to the wiki page; we can add permissions after initial login. Martin On 24.05.2017 16:39, Jason Sherrill via FreeIPA-users wrote: I would like to post the procedure that I used for configuring OS X 10.12 for use with IPA. My fedora account is

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote: > I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed > with --external-ca, and the resulting CSR signed with a validity period of > 30 days to test behavior around expirations. > > Upon booting