[Freeipa-users] Announcing freeIPA 4.6.5

2019-03-19 Thread Rob Crittenden via FreeIPA-users
The FreeIPA team would like to announce FreeIPA 4.6.5 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

== Highlights in 4.6.5 ==

=== Enhancements ===

* Honor SRV record priority and weight
* Support for the IPAddr SAN type
* Added more indices to improve performance

=== Bug fixes ===
FreeIPA 4.6.5 is a stabilization release for the features delivered as a
part of 4.6.0.

There are more than 18 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.


== Resolved tickets ==
* 7883 Cannot install ipa-server on rhel7
* 7852 pki spawn fails for IPA replica install from RHEL6 IPA master
* 7803 Missing index on idnsName
* 7797 SSSD's getservby*() causes performance issues
* 7796 ipa-replica-install fails migrating CentOS 6 to 7
* 7792 Missing index on ipaconfigstring
* 7786 Index accessruletype, hostcategory, ipaenabledflag,
ipserviceport, and ipserviceprotocol by default
*  new prci_definitions memory requirements
* 7775 IPA Upgrade failed with "unable to convert the attribute
u'cACertificate;binary'"
* 7770 searching for ipa users by certificate fails
* 7751 add ipaapi user to the list of allowed uids in [ifp] section in
sssd configuration
* 7731 ipa-advise command points to old URL's.
* 7706 Adding 3rd Party CAs to IPA results in SmartCard preparation
script failure
* 7684 Re-installing replica on the same system displays 'WARNING:
cannot check if port 443 is already configured'
* 7681 ipa server uninstall with -v option displays "IOError: [Errno 9]
Bad file descriptor Logged from file ipautil.py, line 442"
* 7666 ipa-server-install script is failing when using the
"--no-dnssec-validation" parameter combined with the "--forwarder"
* 7659 ipa trust-add fails in FIPS mode.
* 7644 ipa-server-upgrade displays 'DN: cn=Schema
Compatibility,cn=plugins,cn=config does not exists or haven't been updated'
* 7642 Installation fails: Replica Busy

== Detailed changelog since 4.6.4 ==
Aleksei Slaikovskii (1):
  Prevent installation with single label domains

Alexander Bokovoy (10):
  ipaserver/dcerpc.py: handle indirect topology conflicts
  Allow anonymous access to parentID attribute
  Move fips_enabled to a common library to share across different
plugins
  ipasam: do not use RC4 in FIPS mode
  ipa-kdb: reduce LDAP operations timeout to 30 seconds
  ipa-sidgen: make internal fetch_attr helper really internal
  ipaserver/dcerpc: fix exclusion entry with a forest trust domain
info returned
  make sure IPA_CONFDIR is used to check that client is configured
  Processing of server roles should ignore errors.EmptyResult
  Update template directory with new variables when upgrading
ipa.conf.template

Anuja More (2):
  Test for ipa-client-install should not use hardcoded admin principal
  Test for ipa-replica-install fails with PIN error for CA-less env.

Armando Neto (11):
  ipaserver config plugin: Increase search records minimum limit
  Prevent the creation on users and groups with numeric characters only
  ipa-client-install: Update how comments are added by ipachangeconf
  ipa-server-install: fix zonemgr argument validator
  Fix pylint 2.0 return-related violations
  Fix pylint 2.0 conditional-related violations
  Fix Pylint 2.0 violations
  Disable Pylint 2.0 violations
  Fix regression: Handle unicode where str is expected
  ui_tests: fix test_config::test_size_limits
  Fix certificate type error when exporting to file

Christian Heimes (67):
  Sort and shuffle SRV record by priority and weight
  Increase WSGI process count to 5 on 64bit
  Always set ca_host when installing replica
  Improve and fix timeout bug in wait_for_entry()
  Use common replication wait timeout of 5min
  Fix replication races in Dogtag admin code
  Use 4 WSGI workers on 64bit systems
  Add test case for allow-create-keytab
  Require python-ldap with fix for ref counting bug
  Use freeipa/ci-ipa-4-6-f27 for PR-CI
  Ensure that public cert and CA bundle are readable
  Always make ipa.p11-kit world-readable
  Make /etc/httpd/alias world readable & executable
  Fix permission of public files in upgrader
  Catch ACIError instead of invalid credentials
  Import ABCs from collections.abc
  Query for server role IPA master
  Only create DNS SRV records for ready server
  Delay enabling services until end of installer
  Fix CA topology warning
  Fix race condition in get_locations_records()
  Auto-retry failed certmonger requests
  Wait for client certificates
  Tune DS replication settings
  Fix DNSSEC install regression
  

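A worked illustration of the "Honor SRV record priority and weight" item in the highlights above, i.e. the RFC 2782 selection rule behind the changelog entry "Sort and shuffle SRV record by priority and weight". This is an added example, not FreeIPA's own code; the zone and host names in SAMPLE are made up for it.

```python
"""RFC 2782 SRV selection: honour priority, then weighted random choice.

Added example to illustrate the "Honor SRV record priority and weight"
item above; it is not FreeIPA's own code. The records below are constructed
for the example (hosts and zone are assumptions).
"""
import random

# Constructed answer for _ldap._tcp.example.test (assumed zone/hosts).
SAMPLE = [
    {"target": "ipa1.example.test",   "priority": 0,  "weight": 75},
    {"target": "ipa2.example.test",   "priority": 0,  "weight": 25},
    {"target": "ipa3.example.test",   "priority": 0,  "weight": 0},
    {"target": "ipa-dr.example.test", "priority": 10, "weight": 100},
]


def order_srv(records, rng=None):
    """Return records in the order a client should try them.

    Lowest priority first. Within one priority, draw repeatedly with
    probability proportional to weight; weight-0 records sit at the head
    of the candidate list so they are chosen only when the draw hits 0 or
    nothing else is left, as RFC 2782 describes.
    """
    rng = rng or random.SystemRandom()
    by_prio = {}
    for r in records:
        by_prio.setdefault(r["priority"], []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            draw = rng.randint(0, total)          # inclusive, per the RFC
            running = 0
            for i, r in enumerate(pool):
                running += r["weight"]
                if running >= draw:               # first running sum >= draw wins
                    ordered.append(pool.pop(i))
                    break
    return ordered


def first_pick_counts(records, trials=1000, seed=1):
    """How often each target is tried first over `trials` seeded orderings."""
    rng = random.Random(seed)
    counts = {r["target"]: 0 for r in records}
    for _ in range(trials):
        counts[order_srv(records, rng)[0]["target"]] += 1
    return counts


if __name__ == "__main__":
    for r in order_srv(SAMPLE):
        print(r["priority"], r["weight"], r["target"])
    print(first_pick_counts(SAMPLE))
```

A seeded run of first_pick_counts() shows the 75/25 split inside priority 0, the weight-0 record almost never tried first, and the priority-10 record never tried first while a priority-0 record exists. A client that sorts only by priority piles every login onto one replica; one that ignores priority may send clients to a backup-site server first.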
[Freeipa-users] Re: different security policy for login(password+otp) and screenlock (password only) for workstation

2019-03-19 Thread Jelle de Jong via FreeIPA-users

Hello everybody,

Thank you all for replying.

On 18/03/2019 20:44, Jakub Hrozek wrote:

On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:

On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:

Hello everybody,


I am looking for a way to have different authentication policy for a
freeipa-client logout and screenlock on linux workstations.

When a user logs in I want to use my password+otp (this is working)!

When a user locks its screen I want to be able to unlock it with only the
password.

When a user logs out and back in then it needs to use the password+otp
again.

I am aware of the security implications for this.

How can I configure this policy?

I don't think there is a way to deploy such policy through SSSD at all.

Jakub, do you have an idea how to make that possible?


Currently I can't think of anything clean either. Is the lock screen and the
login manager the same PAM service? If they are different, maybe some
hack like letting pam_unix to always read the password and then just
pass it on to pam_sss would work..

But I know Sumit is working on improving the 2FA prompting lately, so
maybe this will be improved in the upcoming release.


I seem to have mate-screensaver, lightdm and xrdp-sesman.

Will that be enough to hook a custom pam rule together for mate-screensaver?

If not, is it possible to disable OTP for all the desktop systems in 
sssd.conf and have it still working for all other systems with 
--user-auth-type=otp as the only enabled option in FreeIPA?


Also for laptop systems in offline

disable_preauth
forward_pass

Mar 19 18:54:50 workstation01 mate-screensaver-dialog: 
pam_unix(mate-screensaver:auth): authentication failure; logname= 
uid=350600021 euid=350600021 tty=:10.0 ruser= rhost=  user=jdejong


Mar 19 18:54:51 workstation01 mate-screensaver-dialog: 
pam_sss(mate-screensaver:auth): authentication success; logname= 
uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong


Mar 19 18:56:48 workstation01 xrdp-sesman[788]: 
pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 
euid=0 tty=xrdp-sesman ruser= rhost=  user=jdejong


Mar 19 18:56:48 workstation01 xrdp-sesman[788]: 
pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 
tty=xrdp-sesman ruser= rhost= user=jdejong


Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): 
authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
user=jdejong


Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): 
authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
user=jdejong


cat /etc/pam.d/mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so

cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                    pam_ecryptfs.so unwrap
auth    optional                    pam_cap.so
# end of pam-auth-update config

sssd   1.16.1-1ubuntu1.1

root@workstation01:~# ls -hal /etc/pam.d/
total 136K
drwxr-xr-x   2 root root 4,0K Mar 15 11:35 .
drwxr-xr-x 161 root root  12K Mar 19 18:22 ..
-rw-r--r--   1 root root  384 Jan 25  2018 chfn
-rw-r--r--   1 root root   92 Jan 25  2018 chpasswd
-rw-r--r--   1 root root  581 Jan 25  2018 chsh
-rw-r--r--   1 root root 1,3K Mar 11 16:11 common-account
-rw-r--r--   1 root root 1,4K Mar 11 16:11 common-auth
-rw-r--r--   1 root root 1,6K Mar 11 16:11 common-password
-rw-r--r--   1 root root 1,6K Mar 11 16:11 common-session
-rw-r--r--   1 root root 1,5K Mar 11 16:11 common-session-noninteractive
-rw-r--r--   1 root root  606 Nov 16  2017 cron
-rw-r--r--   1 root root   69 Mar 27  2018 cups
-rw-r--r--   1 root root  884 Mar 22  2018 lightdm
-rw-r--r--   1 root root  551 Mar 22  2018 lightdm-autologin
-rw-r--r--   1 

[Freeipa-users] Re: urgent help needed, ipa unusable after short power cut

2019-03-19 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/19/19 11:08 AM, Marisa Sandhoff via FreeIPA-users wrote:

Dear all,

thank you very much for your help.

After some more searching, I found that this command (from
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/)

[root@ipa2 ~] certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
cert-pki-ca'

shows that there is a valid certificate:

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: ...
 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Issuer: "CN=Certificate Authority,O=PLEIADES.UNI-WUPPERTAL.DE"
 Validity:
 Not Before: Fri Jan 25 08:55:41 2019
 Not After : Thu Jan 14 08:55:41 2021
 Subject: "CN=CA Subsystem,O=PLEIADES.UNI-WUPPERTAL.DE"
 Subject Public Key Info:
 Public Key Algorithm: PKCS #1 RSA Encryption
 RSA Public Key:



But then I get:

[root@ipa2 ~]# grep internal /var/lib/pki/pki-tomcat/conf/password.conf
| cut -d= -f2 > /tmp/pwdfile.txt

[root@ipa2 ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
Object Identifier.

[root@ipa2 ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
Object Identifier.
[root@ipa2 ~]#



What can I do?


Hi Marisa,
this may be a red herring. Did you try the next steps (comparison of the 
uid=pkidbuser,ou=people,o=ipaca usercertificate with the cert stored in 
/etc/pki/pki-tomcat/alias)?


flo

Thanks a lot!!!

Best regards,
Marisa




___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
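One way to do the comparison suggested above (the LDAP copy of the subsystem certificate under uid=pkidbuser,ou=people,o=ipaca against the one in /etc/pki/pki-tomcat/alias), written as an added example rather than taken from the thread or from FreeIPA. It reuses the nickname, NSS database and password file from the commands above; the Directory Manager bind and running certutil/ldapsearch from subprocess are assumptions about how the check is carried out, and the values used to exercise the helpers are constructed blobs, not real certificates.

```python
"""Compare the CA subsystem certificate in the pki-tomcat NSS database with
the copy Dogtag keeps in LDAP under uid=pkidbuser,ou=people,o=ipaca.

Added example for the check suggested above; not from the thread or from
FreeIPA. Nickname, NSS database and password file are those used in the
thread; the bind DN and the subprocess calls are assumptions. Run as root
on the affected CA master.
"""
import base64
import hashlib
import subprocess

NSSDB = "/etc/pki/pki-tomcat/alias"
PWDFILE = "/tmp/pwdfile.txt"            # produced by the grep/cut shown above
NICK = "subsystemCert cert-pki-ca"
LDAP_DN = "uid=pkidbuser,ou=people,o=ipaca"


def pem_to_der(blob):
    """Accept PEM (with armor) or bare base64 and return the DER bytes."""
    lines = [l.strip() for l in blob.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def ldif_values(ldif, attr="usercertificate"):
    """Base64 ('::') values of `attr` in LDIF output, unfolding continued lines.
    Matches the attribute with or without the ';binary' option, any case."""
    unfolded = ldif.replace("\n ", "")          # LDIF folds long values as "\n "
    vals = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":: ")
        if sep and name.lower().split(";")[0] == attr:
            vals.append(base64.b64decode(value.strip()))
    return vals


def sha256_fp(der):
    return hashlib.sha256(der).hexdigest()


def same_cert(nss_pem, ldif):
    """True when the NSS cert equals one of the LDAP usercertificate values."""
    nss = sha256_fp(pem_to_der(nss_pem))
    return nss in {sha256_fp(d) for d in ldif_values(ldif)}


def nss_cert_pem():
    # certutil -L ... -a prints the named certificate as PEM.
    return subprocess.check_output(
        ["certutil", "-L", "-d", NSSDB, "-n", NICK, "-a"], text=True)


def ldap_cert_ldif():
    # -W prompts for the Directory Manager password on the terminal;
    # ldif-wrap=no avoids folded lines, but ldif_values() copes either way.
    return subprocess.check_output(
        ["ldapsearch", "-LLL", "-x", "-D", "cn=Directory Manager", "-W",
         "-o", "ldif-wrap=no", "-b", LDAP_DN, "usercertificate"], text=True)


if __name__ == "__main__":
    print("MATCH" if same_cert(nss_cert_pem(), ldap_cert_ldif()) else "MISMATCH")
```

Comparing the DER bytes (via a digest) rather than the printed text sidesteps formatting differences between certutil and ldapsearch; a MISMATCH means the two copies of the subsystem certificate have diverged, which is the situation the linked blog post's later steps address, while the SEC_ERROR_UNRECOGNIZED_OID from certutil -K says nothing about that.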


[Freeipa-users] Re: freeIPA Host certs

2019-03-19 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/19/19 4:18 PM, Azim Siddiqui wrote:

Hi Florence,

Thanks for the info. I will check for the ipa cert-find command and will 
send you the output. Actually, when I am trying to do  $ kinit admin it 
is asking for a password. And I am not sure about the password, as I 
said it was set by the previous system admin.



Hi
(re-adding freeipa-users in cc)

if you do kinit -kt /etc/krb5.keytab you should also have enough 
permissions to perform ipa cert-find.


And also I can see there is nssdb directory on the server. Do you by any 
chance know, what is that for?
There are many nssdb directories on a FreeIPA system. For instance 
/etc/ipa/nssdb is the NSS database used by the ipa * commands. It 
contains the certificates of the trusted certificate authorities. You 
can find more information re. NSS databases in the man page for certutil(1).




If I have the private key on the server, how can I renew the certificate 
signed by IPA. can you please provide me the steps.
If you have the private key in $NSSDB database you just need to follow 
the steps provided in my first email 
(https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).


flo


thanks & Regards,
Azeem

On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud wrote:


On 3/18/19 7:50 PM, Azim Siddiqui wrote:
 > Hi Florence,
 >
 > Thanks for your reply.
 > I am referring to the applications. For example, we have
 > Apache,haproxy,jenkins,git which uses certs signed by IPA. And
now when
 > I am browsing these applications urls. It is showing, this site
is not
 > secured.
 > And originally, This cert were created by a system admin, who is not
 > working with us now. So its getting hard for me to figure out,
how can I
 > create or renew the certs.
 >
 > And I don't see any files ssl.conf or nss.conf in the server.
 > The output for getcert list  command shows this :-
 > getcert list
 > Number of certificates and requests being tracked: 0.
 >
 >
 > I just want to create a crt and key file signed by IPA. So that I
can
 > use it for the browsers.
Hi,

please keep the users mailing list in cc, so that everyone can get
involved/see the resolution.

It is difficult to provide advice with so little information. Can you
start
by checking which certificates were already issued by FreeIPA, and
we'll
see if they are expired?

$ kinit admin
$ ipa cert-find

With the full output and based on the subject you'll be able to
identify
the host or service certs that you are using for your applications. For
each of these certs, run
$ kinit admin
$ ipa cert-show 
and the output will show if the cert is expired (check the Not After
field).

For an expired cert, you will be able to renew the cert if you still
have the private key. The private key location can be found by checking
the configuration of your applications.
For instance apache on rhel or fedora stores its config in
/etc/httpd/conf/httpd.conf, which by default loads the modules in
conf.modules.d/*.conf and the config files in conf.d/*.conf.

flo
 >
 > Thanks,
 > Azeem
 >
 >
 >  > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud wrote:
 >
 >     On 3/15/19 8:16 PM, Azim Siddiqui wrote:
 >      > Hi Florence,
 >      >
 >      > Hope you are doing good. I tried the way you said. But
still, it is
 >      > showing certificate is expired.
 >      >
 >      > Let me be more clear about it.
 >      >
 >      > We have apache running with an expired certificate which is
 >     signed by
 >      > FreeIPA. Now I want to renew or create a new certificate.
So can you
 >      > please tell me how can I renew or create a new certificate
signed by
 >      > Freeipa.
 >      > As whenever I am going to the Apache URL from the browser,
it is
 >     showing
 >      > site is not secured.
 >      >
 >      > Thanks & Regards,
 >      > Azeem
 >      >
 >     Hi,
 >
 >     (re-adding freeipa-users in CC).
 >     Can you first confirm that you are referring to a cert for
the apache
 >     server *not running on one of the FreeIPA masters*?
 >
 >     Then please explain how you originally obtained the
certificate. Also
 >     include the following information:
 >     - relevant apache configuration (if using mod_ssl, then
 >     /etc/httpd/conf.d/ssl.conf or if using mod_nss,
 >     /etc/httpd/conf.d/nss.conf).
 >     - output of getcert list on the host running apache
 >
 >     flo
 >
 >      > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud
 >     

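The procedure above (kinit, ipa cert-find, ipa cert-show, check the Not After field) as a script: parse the cert-find output once and list which certificates are expired or about to expire. This is an added example, not FreeIPA's own tooling; the sample output is constructed and abridged, and the field labels and the "Not After" date format are assumed to match what the ipa client prints in this release.

```python
"""Find certificates issued by the IPA CA that are expired or about to
expire, from `ipa cert-find` output.

Added example for the procedure above; not FreeIPA's own code. The sample
output is constructed and abridged; field labels and the date format are
assumptions about the client's output.
"""
import re
import subprocess
from datetime import datetime, timezone

IPA_DATE = "%a %b %d %H:%M:%S %Y %Z"   # e.g. "Thu Jan 14 08:55:41 2021 UTC"

# Constructed, abridged `ipa cert-find` output for two certificates.
SAMPLE_OUTPUT = """\
-----------------------
2 certificates matched
-----------------------
  Serial number: 12
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Fri Jan 25 08:55:41 2019 UTC
  Not After: Thu Jan 14 08:55:41 2021 UTC

  Serial number: 13
  Subject: CN=haproxy.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Mar 18 10:00:00 2019 UTC
  Not After: Sat Mar 14 10:00:00 2020 UTC
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_cert_find(text):
    """Split cert-find output into dicts keyed by the printed field labels.
    Records are separated by blank or rule lines."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z ()]+): (.*)", line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
        elif cur:
            certs.append(cur)
            cur = {}
    if cur:
        certs.append(cur)
    return certs


def not_after(cert):
    return datetime.strptime(cert["Not After"], IPA_DATE).replace(tzinfo=timezone.utc)


def expiry_report(certs, now, warn_days=30):
    """Return [(serial, subject, days_left, state)] sorted by days_left;
    state is 'expired', 'expiring' (within warn_days) or 'ok'."""
    rows = []
    for c in certs:
        days = (not_after(c) - now).days
        state = "expired" if days < 0 else "expiring" if days <= warn_days else "ok"
        rows.append((int(c["Serial number"]), c["Subject"], days, state))
    return sorted(rows, key=lambda r: r[2])


def report_at(text, iso_date, warn_days=30):
    """Parse cert-find output and report relative to an ISO date (UTC)."""
    now = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return expiry_report(parse_cert_find(text), now, warn_days)


def ipa_cert_find():
    # Needs a ticket first: `kinit admin`, or `kinit -kt /etc/krb5.keytab`
    # on an enrolled host, as suggested above.
    return subprocess.check_output(["ipa", "cert-find"], text=True)


if __name__ == "__main__":
    for row in expiry_report(parse_cert_find(ipa_cert_find()),
                             datetime.now(timezone.utc)):
        print(*row)
```

For each serial flagged as expired or expiring, `ipa cert-show <serial>` gives the full details; whether it can be renewed then depends on still having the private key, as the reply above says.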
[Freeipa-users] Re: timeout for IPA command

2019-03-19 Thread François Cami via FreeIPA-users
On Tue, Mar 19, 2019 at 3:56 PM Charles Hedrick via FreeIPA-users wrote:
>
> It appears that the IPA command uses a host hardwired in 
> /etc/ipa/default.conf.
>
> If that fails, it then gets a list from DNS. This works fine if there’s a 
> connection refused, but if there is no response, it takes so long to time out 
> that most users will give up.
>
> Is there a way to change the timeout?

Try lowering tcp_syn_retries:
sysctl -w net.ipv4.tcp_syn_retries=4

There might be side-effects, so don't use too low a setting.

François
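For the reply above, an added example (not FreeIPA code) that shows what tcp_syn_retries buys: the kernel doubles the SYN retransmission timer from 1 s, so the default of 6 retries means a silently dropped SYN is abandoned after 127 s, and 4 retries after 31 s. The host names are assumptions, and the probe function is a bounded, application-level alternative for checking which server answers before running ipa, without touching a system-wide sysctl.

```python
"""What tcp_syn_retries means for a client whose IPA server does not answer.

Added example for the reply above; not FreeIPA code. The numbers follow
ip-sysctl(7): initial SYN RTO of 1 s, doubled on each retransmission,
tcp_syn_retries extra SYNs (default 6). Host names are assumptions.
"""
import socket


def syn_timeout_seconds(tcp_syn_retries, initial_rto=1.0):
    """Seconds until connect() gives up on a silently dropped SYN:
    the RTO of the first SYN plus that of each retransmission."""
    return sum(initial_rto * 2 ** i for i in range(tcp_syn_retries + 1))


def reachable(host, port=443, timeout=3.0):
    """Bounded connectivity probe: an application-level timeout that does
    not depend on the sysctl, so a dead server is skipped quickly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, unreachable, or timed out
        return False


def first_responding(servers, port=443, timeout=3.0):
    """Return the first server that accepts a TCP connection, or None."""
    for s in servers:
        if reachable(s, port, timeout):
            return s
    return None


if __name__ == "__main__":
    print("default (6 retries):", syn_timeout_seconds(6), "s")
    print("retries=4:", syn_timeout_seconds(4), "s")
    print(first_responding(["ipa1.example.test", "ipa2.example.test"]))
```

A refused connection fails immediately, which is why the fall-back to DNS is quick in that case; only an unanswered SYN runs into the full back-off, and lowering tcp_syn_retries shortens it for every TCP connection the host makes, not only the ipa client's.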



[Freeipa-users] timeout for IPA command

2019-03-19 Thread Charles Hedrick via FreeIPA-users
It appears that the IPA command uses a host hardwired in /etc/ipa/default.conf. 

If that fails, it then gets a list from DNS. This works fine if there’s a 
connection refused, but if there is no response, it takes so long to time out 
that most users will give up.

Is there a way to change the timeout?



[Freeipa-users] Re: urgent help needed, ipa unusable after short power cut

2019-03-19 Thread Marisa Sandhoff via FreeIPA-users
Dear all,

thank you very much for your help.

After some more searching, I found that this command (from
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/)

[root@ipa2 ~] certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
cert-pki-ca'

shows that there is a valid certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: ...
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=PLEIADES.UNI-WUPPERTAL.DE"
Validity:
Not Before: Fri Jan 25 08:55:41 2019
Not After : Thu Jan 14 08:55:41 2021
Subject: "CN=CA Subsystem,O=PLEIADES.UNI-WUPPERTAL.DE"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:



But then I get:

[root@ipa2 ~]# grep internal /var/lib/pki/pki-tomcat/conf/password.conf
| cut -d= -f2 > /tmp/pwdfile.txt

[root@ipa2 ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
Object Identifier.

[root@ipa2 ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
Object Identifier.
[root@ipa2 ~]#



What can I do?

Thanks a lot!!!

Best regards,
Marisa



-- 
Dr. Marisa Sandhoff
Experimentelle Elementarteilchenphysik
Fakultät für Mathematik und Naturwissenschaften
Bergische Universitaet Wuppertal
Gaussstr. 20
D-42097 Wuppertal, Germany
---
marisa.sandh...@cern.ch
sandh...@physik.uni-wuppertal.de
Raum D.09.03
Phone +49 202 439 3521


[Freeipa-users] Re: freeIPA Host certs

2019-03-19 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/18/19 7:50 PM, Azim Siddiqui wrote:

Hi Florence,

Thanks for your reply.
I am referring to the applications. For example, we have 
Apache,haproxy,jenkins,git which uses certs signed by IPA. And now when 
I am browsing these applications urls. It is showing, this site is not 
secured.
And originally, This cert were created by a system admin, who is not 
working with us now. So its getting hard for me to figure out, how can I 
create or renew the certs.


And I don't see any files ssl.conf or nss.conf in the server.
The output for getcert list  command shows this :-
getcert list
Number of certificates and requests being tracked: 0.


I just want to create a crt and key file signed by IPA. So that I can 
use it for the browsers.

Hi,

please keep the users mailing list in cc, so that everyone can get 
involved/see the resolution.


It is difficult to provide advice with so little information. Can you start 
by checking which certificates were already issued by FreeIPA, and we'll 
see if they are expired?


$ kinit admin
$ ipa cert-find

With the full output and based on the subject you'll be able to identify 
the host or service certs that you are using for your applications. For 
each of these certs, run

$ kinit admin
$ ipa cert-show 
and the output will show if the cert is expired (check the Not After field).

For an expired cert, you will be able to renew the cert if you still 
have the private key. The private key location can be found by checking 
the configuration of your applications.
For instance apache on rhel or fedora stores its config in 
/etc/httpd/conf/httpd.conf, which by default loads the modules in 
conf.modules.d/*.conf and the config files in conf.d/*.conf.


flo


Thanks,
Azeem


On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud wrote:


On 3/15/19 8:16 PM, Azim Siddiqui wrote:
 > Hi Florence,
 >
 > Hope you are doing good. I tried the way you said. But still, it is
 > showing certificate is expired.
 >
 > Let me be more clear about it.
 >
 > We have apache running with an expired certificate which is
signed by
 > FreeIPA. Now I want to renew or create a new certificate. So can you
 > please tell me how can I renew or create a new certificate signed by
 > Freeipa.
 > As whenever I am going to the Apache URL from the browser, it is
showing
 > site is not secured.
 >
 > Thanks & Regards,
 > Azeem
 >
Hi,

(re-adding freeipa-users in CC).
Can you first confirm that you are referring to a cert for the apache
server *not running on one of the FreeIPA masters*?

Then please explain how you originally obtained the certificate. Also
include the following information:
- relevant apache configuration (if using mod_ssl, then
/etc/httpd/conf.d/ssl.conf or if using mod_nss,
/etc/httpd/conf.d/nss.conf).
- output of getcert list on the host running apache

flo

 > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud wrote:
 >
 >     On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
 >      > Hello,
 >      >
 >      > Hope you are doing good. I have a question regarding
freeIPA host
 >      > certificates.
 >      > We are using FreeIPA as our LDAP. We have some
certificates for
 >     hosts ex
 >      > :- http/uat.com.
 >      > And we deploying the certs in Haproxy in PEM format.
 >      > But the certificates for this host has been expired.
 >      > Can you please let me know in detail how to renew my expired
 >      > certificates for the hosts. Please provide me the commands
and steps.
 >      >
 >     Hi,
 >
 >     from your description I understand that you are referring to
 >     certificates delivered by IPA CA for one of the IPA-enrolled
hosts, but
 >     not the master's Server-Cert used for IPA Web GUI.
 >
 >     In this case, how did you obtain the certificate? If you used
a method
 >     similar to what is described in this wiki [1], the certificate
 >     should be
 >     monitored by certmonger and automatically renewed.
 >
 >     If you followed instead this wiki [2], the certificate is not
 >     tracked by
 >     certmonger and needs to be manually renewed. You need to do the
 >     following, assuming that the cert is in a NSS database $NSSDB
on the
 >     IPA
 >     client:
 >     - find the key nickname
 >     # certutil -K -d $NSSDB
 >     certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
 >     Key and Certificate Services"
 >     Enter Password or Pin for "NSS Certificate DB":
 >     < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS
 >     Certificate
 >