I'm trying to install a Let's Encrypt certificate using the setup-le.sh script
provided by the FreeIPA GitHub repo.
It all goes fine but it finishes/stops with:
ipa: INFO: Systemwide CA database updated.
ipa.ipaclient.install.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate
command was succ
Appreciate the reply
I think it may only be the webUI that is busted
- kinit works fine
- I can resolve AD users
- I can login with my AD credentials
- krb5dc.log is just full of errors about clients not being in the
database (likely a replication failure issue)
So from the command line thing
Are you able to authenticate with kinit?
Does krb5kdc.log show you some error?
On 11/17/2017 12:17 PM, Chris Dagdigian via FreeIPA-users wrote:
Did the "yum upgrade" followed by "sudo ipa-server-upgrade" followed by
a reboot on two different IPA servers
Now the webUI fails on both. The we
Hi Guys,
Is there a proven way to set the WebGui cert back to a self-signed one?
I have installed an expired 3rd party certificate and want to move
back to a self-signed cert and later on to a Let's Encrypt one.
Setting back the time before the expiration of the certificate on the
server would be
Hi again,
No joy yet with spotting CA anomalies. Any additional tips there Rob?
Gentle bump Simon, are you confident that building a new replica won't fall
foul of the below from the upgrade page (the schema part):
Words of caution
- Note that the server is in a *maintenance mode* during upg
Did the "yum upgrade" followed by "sudo ipa-server-upgrade" followed by
a reboot on two different IPA servers
Now the webUI fails on both. The webUI error is:
Cannot connect to the server, please check API accesibility
(certificate, API, proxy, etc.)
httpd error log says this:
[Fri Nov
Running in debug mode definitely shows a recently expired cert and running
it again this time only shows the correct hostname now unlike before. Is
this cert something that I can regenerate/renew? I'll find out about
getting a new host to test with as well.
[root@ipa1 ~]# ipa-replica-prepare --d
Hi folks,
It's always worth reading the code.
ipa-client-install of freeipa 3.0.2 uses
wget http://ipa1.example.de/ipa/config/ca.crt
to grab the CA certificate. It seems that ipa-cacert-manage
(CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on
the servers when I migrated to the n
On Fri, Nov 17, 2017 at 04:09:01AM +, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> Is it possible to enable two-factor authentication using Google Authenticator
> on FreeIPA on specific hosts or groups of hosts?
>
> Alternatively, are there any recommendations on modifying the