[Freeipa-users] Re: Errors in enrolling Ubuntu 14.04 Client to FreeIPA

2017-07-31 Thread Alka Murali via FreeIPA-users
Hi Florence, Thanks for your update. Tried copying the ca.crt file to /etc/ipa and the installation went fine. Thanks and Regards, Alka Murali On Mon, Jul 31, 2017 at 3:58 PM, Florence Blanc-Renaud wrote: > On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote: > >>

[Freeipa-users] External Application Authentication Against FreeIPA LDAP Not Working

2017-07-31 Thread Brady Lamprecht via FreeIPA-users
I've been trying to get this to work for a few days now all to no avail... I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate a number of VMs that I grew tired of managing permissions on an individual basis and so far have been very pleased. Now, I'm attempting to use

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-31 Thread Alexandre Pitre via FreeIPA-users
Bullseye, Jakub, that did the trick. I should have posted for help on the mailing list sooner. Thank you so much, you are saving my ass. It makes sense to increase the krb5_auth_timeout as my AD domain controller servers are worldwide. Currently they exist in 3 regions: North America, Europe and

[Freeipa-users] Re: IPA replica with CA role problems

2017-07-31 Thread Mark Haney via FreeIPA-users
On 07/24/2017 10:25 PM, Fraser Tweedale wrote: Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log file (ideally the whole thing)? Also to clarify: ``ipa-replica-install --setup-ca'' installs a new replica including the CA role. To install the CA role on an existing replica use

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Prasun Gera via FreeIPA-users wrote: > The entry is present on both master, and replica. Also, the status on > replica for those two has changed to *'ca-error: Invalid cookie: '''*. > The certs listed by certutil on both systems, as well as the ones listed > by the ldap query seem to match. When I

[Freeipa-users] Re: IP address in certificate

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Mikaël ANDRE via FreeIPA-users wrote: > Hi everybody, > > With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi > and HP ILO certificates to my FreeIPA server. > I create csr with the following command: "openssl req -new -sha256 > -nodes -config openssl.cfg -newkey rsa:2048 -keyout

[Freeipa-users] Re: Failed Upgrade?

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Ian Harding via FreeIPA-users wrote: > I had an unexpected restart of an IPA server that had apparently had > updates run but had not been restarted. ipactl says pki-tomcatd would > not start. > > Strangely, the actual service appears to be running: > dogtag is an application within tomcat so

[Freeipa-users] Re: [Pki-users] Removal of obsolete certificates from o=ipaca

2017-07-31 Thread Christina Fu via FreeIPA-users
I agree with what Fraser says. Non-expired certs (revoked or not) should never be removed from the CA repository as that will affect the CRL. I believe someone asked about this before, and we also warned them about that. Though I have no recollection how it worked out for them in the end.

[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-07-31 Thread Grant Janssen via FreeIPA-users
Any ideas on this? Everything appears to be in order, yet there is a disparity between the master and replica on the host count. On Jul 25, 2017, at 09:11, Grant Janssen wrote: grant@ef-idm02:~[20170725-9:05][#56]$

[Freeipa-users] Re: can not restart httpd service after certificate renewal

2017-07-31 Thread Karl Forner via FreeIPA-users
Hello Florence, > the tool ipa-cacert-manage is used to renew IPA CA certificate, not the > https certificate. It is a common mistake (IPA CA certificate is the > certificate authority that has delivered the https and ldaps certificates). Yes > But now that you have renewed the CA

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-31 Thread Prasun Gera via FreeIPA-users
The entry is present on both master, and replica. Also, the status on replica for those two has changed to *'ca-error: Invalid cookie: '''*. The certs listed by certutil on both systems, as well as the ones listed by the ldap query seem to match. When I try to resubmit, there is also this message

[Freeipa-users] Re: Errors in enrolling Ubuntu 14.04 Client to FreeIPA

2017-07-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote: Hello Florence, I have checked the output for the ldapsearch command and I can see the IPA CA as well as the third party CA on my /etc/ipa/ca.crt file on my IPA Server. Even I tried installing the client by giving the option

[Freeipa-users] Re: Password History

2017-07-31 Thread Petr Vobornik via FreeIPA-users
On Fri, Jul 28, 2017 at 9:27 PM, Rob Crittenden via FreeIPA-users wrote: > John Trump via FreeIPA-users wrote: >> I am using FreeIPA 4.4 and have implemented a password policy where >> password history is set to 24. If a password admin or the user "admin" >>

[Freeipa-users] Re: 5 bad replicas, can't remove, need these clean before I can re-add secondary replicas.

2017-07-31 Thread Ludwig Krispenz via FreeIPA-users
On 07/28/2017 07:56 PM, Jake via FreeIPA-users wrote: All I see are responses like yours, how about a link or add it to the documentation since it's such a problem?! If the ruvs cannot be decoded, the ipa command line utility does not work, you have to execute a plain cleanallruv task, an

[Freeipa-users] IP address in certificate

2017-07-31 Thread Mikaël ANDRE via FreeIPA-users
Hi everybody, With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi and HP ILO certificates to my FreeIPA server. I create csr with the following command: "openssl req -new -sha256 -nodes -config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr" My OpenSSL configuration