As part of my debugging efforts (see "Expired certificates" thread), I
modified the settings for the dogtag-ipa-renew-agent and
dogtag-ipa-ca-renew-agent CAs. Unfortunately, I forgot to make a note
of the original settings.
Are these correct for IPA 4.4 (on CentOS 7)?
CA 'SelfSign':
On 06/20/2017 11:38 PM, Ian Pilcher wrote:
If I don't specify the SSL_DIR, the curl command works, so it
definitely seems to be an issue with the NSS database in
/etc/httpd/alias. I don't see anything obviously wrong with the trust
flags, though:
# certutil -d /etc/httpd/alias -L
On 06/20/2017 10:38 PM, Rob Crittenden wrote:
Are these three the only expired certs?
For now ...
What version of IPA?
ipa-server-4.4.0-14.el7.centos.7.x86_64
Did you restart IPA after going back in time? If not, try that, then
restart certmonger and it should renew the certs.
Ian Pilcher via FreeIPA-users wrote:
> After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.
>
> I see this (repeated many times) in the journal:
>
> WARNING: Exception processing realm
> com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
>
After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.
I see this (repeated many times) in the journal:
WARNING: Exception processing realm
com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
at
On Tue, 20 Jun 2017, Robert Johnson wrote:
I ran into this exact same problem with my IPA domain in a one way external
trust to our Windows 2012 R2 AD forest. It appears that Microsoft may have
removed the routing suffix option from the Windows 2012 R2 native forest
trust gui. My solution was
I ran into this exact same problem with my IPA domain in a one way external
trust to our Windows 2012 R2 AD forest. It appears that Microsoft may have
removed the routing suffix option from the Windows 2012 R2 native forest
trust gui. My solution was to follow the instructions in the "Define
On Jun 20, 2017, at 10:48 AM, Rob Crittenden via FreeIPA-users wrote:
John Bowman via FreeIPA-users wrote:
What would be the best method to stand up a new IPA environment while
keeping as much of the existing
On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
Please see the attached screenshot for the Trust settings, and thank you
for your time.
Thanks. I'm not sure why is that happening even for the immediate forest
root domain that i.rdmedia.com is. I'll check with Microsoft doc help
team
Please see the attached screenshot for the Trust settings, and thank you
for your time.
On 20 June 2017 at 19:36, Tiemen Ruiten wrote:
> On 20 June 2017 at 18:07, Alexander Bokovoy wrote:
>
>> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users
Here is an odd problem (I think).
I am using IPA in one environment, and want to set up a replica in
another environment through natted connections. I can setup the client
to the NAT server, but here is the tricky part - IPA is also DNS. So if
I try to bring the DNS setup over with --
On 20 June 2017 at 18:07, Alexander Bokovoy wrote:
> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
>
>> Hello,
>>
>> I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date:
>> rpm
>> versions are 4.4.0-14.el7.centos.7) with a two-way,
John Bowman via FreeIPA-users wrote:
> What would be the best method to stand up a new IPA environment while
> keeping as much of the existing data as possible?
>
> I've read that the ipa migrate-ds only migrates the users and groups and
> the recommended suggestion is to set up a replica. I'd
Hello,
I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: rpm
versions are 4.4.0-14.el7.centos.7) with a two-way, non-transitive,
external trust to an Active Directory domain in another forest,
clients.rdmedia.com, (Windows Server 2012R2). I've setup the trust using
the
Yeah did not look like the same issue, but just wanted to make sure just in
case. This gives me at least an idea on where to keep looking and I'll do a
little more research and see what else I can find on this as well before I make
any changes.
Thank you very much for the help!
On 06/20/2017 02:31 PM, john.bowman--- via FreeIPA-users wrote:
These steps wouldn't be documented somewhere would they?
no, I am not aware of
I did find this older thread:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html
Something similar to those steps?
this
These steps wouldn't be documented somewhere would they? I did find this older
thread:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html
Something similar to those steps?
Thank you for the help very much appreciated!
doh. Yes, I did mean 17.04. /facepalm
On Tue, Jun 20, 2017 at 9:40 AM, Timo Aaltonen wrote:
> On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote:
> > Hope this helps to save some of some time digging. And I know,
> > freeipa-server on a non LTS release is daft..
>
>
On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote:
> Hope this helps to save some of some time digging. And I know,
> freeipa-server on a non LTS release is daft..
did you mean 17.04, since 4.4.4-1 is in 17.10 and fixed all the issues
you listed.. ?
Hi,
unfortunately replication conflicts for managed entries have additional
difficulties. The origin and managed entries reference the
"non-conflict" entry and the managed entry plugin prevents the deletion
of a managed entry via ldapmodify.
To proceed in cleanup you could try to remove the
Thanks, this did exactly what I wanted.
Regards,
Peter