[Freeipa-users] Re: Centos 7 after unroll and join to new server authorization doesn’t work

2020-01-31 Thread Petar Kozić via FreeIPA-users
Yes, you are right, I brought it up on the same domain and realm.
Thanks for informing me.

On Fri, Jan 31, 2020, 17:22 Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Jan 31, 2020 at 06:03:50AM -0800, Petar Kozić via FreeIPA-users
> wrote:
> > But this helped me:
> >
> > systemctl stop sssd
> >
> > rm -rf /var/lib/sss/db/*
>
> Hi,
>
> when you say 'join client to dirsrv002' I guess you run a new and separate
> IPA domain/instance on 'dirsrv002'. If you used the same domain and realm
> name for both instances, most probably your old but still valid Kerberos
> ccache /var/lib/sss/db/ccache_IPA.REALM was still in this directory and
> SSSD tried to authenticate to the new domain with the credentials from the
> old.
>
> bye,
> Sumit
>
> >
> > systemctl restart sssd
> >
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
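
Sumit's diagnosis above (the same realm name on two IPA instances, so a still-valid SSSD ccache and a keytab issued by the first KDC get presented to the second) can be confirmed before wiping /var/lib/sss/db. The script below is an added example, not code from this thread, from SSSD or from FreeIPA: it compares the key version (kvno) of the host principal in /etc/krb5.keytab with the kvno the KDC currently reports, by parsing the output of `klist -kt` and `kvno`, and lists the ccache_* files SSSD keeps. The klist and kvno outputs embedded in it are constructed; the host name client.example.com, the realm EXAMPLE.COM and the kvno values are assumptions.

```python
"""Check /etc/krb5.keytab against the KDC before wiping the SSSD cache.

Added example, not code from the thread, SSSD or FreeIPA.  SSSD's krb5_child
logs "Key version is not available" when the kvno of the host key in the
keytab is not the one the KDC currently uses, which is what a client keeps
running into when it still carries state from a first IPA instance after
being enrolled into a second one that reuses the same realm name.
"""
import glob
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `klist -kt /etc/krb5.keytab`: kvno is the first
# column, the principal the last.  Host name and realm are assumptions.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 01/10/2020 09:12:41 host/client.example.com@EXAMPLE.COM
   7 01/10/2020 09:12:41 host/client.example.com@EXAMPLE.COM
   8 01/31/2020 14:02:03 host/client.example.com@EXAMPLE.COM
   8 01/31/2020 14:02:03 host/client.example.com@EXAMPLE.COM
"""
# Constructed sample of `kvno host/client.example.com`, run with a user TGT:
# the KDC answers with the key version it issues service tickets for.
SAMPLE_KVNO = "host/client.example.com@EXAMPLE.COM: kvno = 9\n"
PRINCIPAL = "host/client.example.com@EXAMPLE.COM"


def keytab_kvnos(klist_text: str) -> Dict[str, List[int]]:
    """Map every principal in `klist -kt` output to the kvnos stored for it."""
    found: Dict[str, List[int]] = {}
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # "Keytab name:", header and separator lines
        found.setdefault(parts[-1], []).append(int(parts[0]))
    return found


def kdc_kvno(kvno_text: str, principal: str) -> Optional[int]:
    """kvno the KDC reported for `principal`, or None if kvno gave no answer."""
    m = re.search(re.escape(principal) + r": kvno = (\d+)", kvno_text)
    return int(m.group(1)) if m else None


def keytab_matches_kdc(klist_text: str, kvno_text: str, principal: str) -> bool:
    """True when the keytab holds the key version the KDC is using."""
    at_kdc = kdc_kvno(kvno_text, principal)
    return at_kdc is not None and at_kdc in keytab_kvnos(klist_text).get(principal, [])


def diagnose(klist_text: str, kvno_text: str, principal: str) -> str:
    """One-line verdict for the operator."""
    in_keytab = sorted(set(keytab_kvnos(klist_text).get(principal, [])))
    at_kdc = kdc_kvno(kvno_text, principal)
    if at_kdc is None:
        return f"{principal}: no answer from the KDC; run kinit as a user first"
    if at_kdc in in_keytab:
        return f"{principal}: keytab kvnos {in_keytab} include KDC kvno {at_kdc}: OK"
    return (f"{principal}: keytab kvnos {in_keytab} but KDC uses kvno {at_kdc}: "
            "stale keytab, re-enroll the client or fetch a new key with ipa-getkeytab")


def sssd_ccaches(db_dir: str = "/var/lib/sss/db") -> List[str]:
    """Per-realm credential caches SSSD keeps; a leftover ccache_<REALM> from
    the first instance is the file Sumit's reply points at."""
    return sorted(glob.glob(db_dir + "/ccache_*"))


def _out(*cmd: str) -> str:
    return subprocess.run(cmd, stdout=subprocess.PIPE, universal_newlines=True).stdout


def live_check() -> str:
    """Run the real tools on this host (kvno needs a valid user TGT)."""
    fqdn = _out("hostname", "-f").strip()
    klist_text = _out("klist", "-kt", "/etc/krb5.keytab")
    principal = next((p for p in keytab_kvnos(klist_text) if p.startswith(f"host/{fqdn}@")), None)
    if principal is None:
        return f"no host/{fqdn} principal in /etc/krb5.keytab"
    verdict = diagnose(klist_text, _out("kvno", principal), principal)
    return verdict + "\nSSSD ccaches: " + (", ".join(sssd_ccaches()) or "none")


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, SAMPLE_KVNO, PRINCIPAL))  # demo on the constructed sample
```

`kvno` needs a user TGT, which is why the `kinit my_username` that worked for Petar is the first step; `live_check()` runs the real commands on the client. If the kvnos disagree, the keytab itself is wrong and no amount of cache clearing will fix sudo; if they agree and sudo still fails, the stale `ccache_<REALM>` file is the likely culprit. Keep in mind that `rm -rf /var/lib/sss/db/*` also drops SSSD's cached users and groups, cached sudo rules and the cached credentials used for offline logins, so stop sssd first, expect the first lookups after the restart to be slow, and make sure the client can reach the new server at that moment.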


[Freeipa-users] files to omit from backup

2020-01-31 Thread Charles Hedrick via FreeIPA-users
We currently do rsync backups of our server. On an MIT server, you’d want to 
omit the stash file. But IPA doesn’t use that. Is there anything like that that 
should be omitted? I’m not sure just how freeipa bootstraps trust when it 
starts up.



[Freeipa-users] Re: Replica not renewing IPA certificates

2020-01-31 Thread Roderick Johnstone via FreeIPA-users

On 31/01/2020 13:25, Florence Blanc-Renaud wrote:


Hi
the 'Invalid cookie' error message is an issue already tracked in ticket 
8164 Renewed certs are not picked up by IPA CAs [1].


When a replica tries to renew a cert before the renewal master, the 
output of getcert list should be 'CA-WORKING' and certmonger should 
retry 8 hours later (see the code in [2]).


Since you are hitting the issue 8164, you can manually force the renewal 
on the replica (once the CA renewal master has actually renewed the 
cert) with getcert resubmit.


HTH,
flo


Hi Flo

Thank you very much! The getcert resubmit has successfully renewed all 
the certificates in need of renewal.


The comments from Rob on the commit to fix this issue are very helpful 
in understanding what is happening too.


Roderick



[1] https://pagure.io/freeipa/issue/8164
[2] 
https://pagure.io/freeipa/blob/b5b9efeb57c010443c33c6f14f831abdbd804e78/f/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in#_370 




[Freeipa-users] Re: Centos 7 after unroll and join to new server authorization doesn’t work

2020-01-31 Thread Petar Kozić via FreeIPA-users
But this helped me:

systemctl stop sssd

rm -rf /var/lib/sss/db/*

systemctl restart sssd


—
Petar Kozić



[Freeipa-users] Re: Centos 7 after unroll and join to new server authorization doesn’t work

2020-01-31 Thread Petar Kozić via FreeIPA-users
Hi,

On Fri, Jan 31, 2020 at 2:48 PM Petar Kozić via FreeIPA-users
 wrote:
>
> Hi,
> I have one IPA server, dirsrv001, and a new one, dirsrv002.
>
> dirsrv001 is the old server from which I want to unenroll my VPSs and join
> them to the new server. I did some testing with Ubuntu VPSs and that works
> perfectly.
>
> I have a problem with one CentOS 7 server.
> I join the client to dirsrv002 without problems, but when I want to log in,
> I can log in over ssh but I can't do sudo. It asks me for the password three
> times and that is it.
> Sudo permissions on the IPA server are configured correctly, because they
> work on other clients.
>
> If I run this command on that CentOS client:
> kinit my_username
>
> and enter the password, everything is OK.
>
> If I check syslog, I get this error:
>
> [sssd[krb5_child[8541]]]: Key version is not available
>
> I found that the problem is with the /etc/krb5.keytab file. But I tried to
> unenroll the client, move that file and join again; the problem was the
> same.
>
> Please, does someone have some idea?

I would make sure all client caches were cleaned up, like:
~/.cache/ipa/

François


There is no .cache folder under ~/home/.
I have several users who connect, but none of them have that .cache.


[Freeipa-users] Re: Centos 7 after unroll and join to new server authorization doesn’t work

2020-01-31 Thread François Cami via FreeIPA-users
Hi,

On Fri, Jan 31, 2020 at 2:48 PM Petar Kozić via FreeIPA-users
 wrote:
>
> Hi,
> I have one IPA server, dirsrv001, and a new one, dirsrv002.
>
> dirsrv001 is the old server from which I want to unenroll my VPSs and join
> them to the new server. I did some testing with Ubuntu VPSs and that works
> perfectly.
>
> I have a problem with one CentOS 7 server.
> I join the client to dirsrv002 without problems, but when I want to log in,
> I can log in over ssh but I can't do sudo. It asks me for the password three
> times and that is it.
> Sudo permissions on the IPA server are configured correctly, because they
> work on other clients.
>
> If I run this command on that CentOS client:
> kinit my_username
>
> and enter the password, everything is OK.
>
> If I check syslog, I get this error:
>
> [sssd[krb5_child[8541]]]: Key version is not available
>
> I found that the problem is with the /etc/krb5.keytab file. But I tried to
> unenroll the client, move that file and join again; the problem was the
> same.
>
> Please, does someone have some idea?

I would make sure all client caches were cleaned up, like:
~/.cache/ipa/

François



[Freeipa-users] Centos 7 after unroll and join to new server authorization doesn’t work

2020-01-31 Thread Petar Kozić via FreeIPA-users
Hi,
I have one IPA server, dirsrv001, and a new one, dirsrv002.

dirsrv001 is the old server from which I want to unenroll my VPSs and join
them to the new server. I did some testing with Ubuntu VPSs and that works
perfectly.

I have a problem with one CentOS 7 server.
I join the client to dirsrv002 without problems, but when I want to log in,
I can log in over ssh but I can't do sudo. It asks me for the password three
times and that is it.
Sudo permissions on the IPA server are configured correctly, because they
work on other clients.

If I run this command on that CentOS client:
kinit my_username

and enter the password, everything is OK.

If I check syslog, I get this error:

[sssd[krb5_child[8541]]]: Key version is not available

I found that the problem is with the /etc/krb5.keytab file. But I tried to
unenroll the client, move that file and join again; the problem was the
same.

Please, does someone have some idea?


—
Petar Kozić


[Freeipa-users] Re: Replica not renewing IPA certificates

2020-01-31 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/31/20 2:03 PM, Roderick Johnstone via FreeIPA-users wrote:

Hi

This is freeipa (ipa-server-4.6.5-11.el7_7.3.x86_64) on RHEL7 with 
freeipa's own internal CA.


One of my ipa server replicas (host3) has not renewed its IPA system 
certificates and is now showing

ca-error: Invalid cookie: u''
in the 'getcert list' output for certificates:
"auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca", 
"subsystemCert cert-pki-ca", and the

certificate in the file /var/lib/ipa/ra-agent.pem

As far as I can see, the sequence of events has been as follows:

host3 noticed the certificates needed renewing at 30 Jan 2020 05:37 and 
certmonger initiated a renewal.


The state of those certificates went from MONITORING to CA_WORKING but 
the certificates were not renewed.


The CA renewal master (host1) noticed its same set of certificates (plus 
"Server-Cert cert-pki-ca") needed renewing at 30 Jan 2020 07:28 and 
renewed them successfully.


Another replica (host2) noticed that its certificates needed renewing at 
30 Jan 2020 07:32 and renewed them successfully.


At 30 Jan 13:37 on host3 the certificates needing to be renewed went 
from CA_WORKING back to MONITORING, but 'getcert list' now shows them with:

ca-error: Invalid cookie: u''
and they still haven't renewed.


Hi
the 'Invalid cookie' error message is an issue already tracked in ticket 
8164 Renewed certs are not picked up by IPA CAs [1].


When a replica tries to renew a cert before the renewal master, the 
output of getcert list should be 'CA-WORKING' and certmonger should 
retry 8 hours later (see the code in [2]).


Since you are hitting the issue 8164, you can manually force the renewal 
on the replica (once the CA renewal master has actually renewed the 
cert) with getcert resubmit.


HTH,
flo

[1] https://pagure.io/freeipa/issue/8164
[2] 
https://pagure.io/freeipa/blob/b5b9efeb57c010443c33c6f14f831abdbd804e78/f/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in#_370


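
Flo's reply explains the sequence (host3 submitted the renewal before the CA renewal master, sat in CA_WORKING, and because of issue 8164 did not pick up the renewed certificate), and Roderick's healthcheck output shows where that leaves the replica: LDAP records the RA agent with serial 16 in the description of uid=ipara,ou=people,o=ipaca, while host3's /var/lib/ipa/ra-agent.pem still carries serial 7, so every call the RA makes to Dogtag fails with 'Invalid Credential'. The script below is an added example, not FreeIPA or ipa-healthcheck code and not from the thread: it parses that description attribute out of ldapsearch output, takes the local serial from `openssl x509 -noout -serial`, reports a mismatch the way healthcheck phrases it, and parses `getcert list` to print one `getcert resubmit -i <request id>` per request that carries a ca-error or is still in CA_WORKING. The ldapsearch, openssl and getcert outputs embedded in it are constructed; the DNs, serials and request IDs reuse the EXAMPLE.COM values from Roderick's report.

```python
"""Spot a replica whose RA agent cert lags the one recorded in LDAP and list
the certmonger requests to resubmit (added example, not FreeIPA code).

Dogtag accepts the RA agent cert in /var/lib/ipa/ra-agent.pem only if its
serial matches the description of uid=ipara,ou=people,o=ipaca, which the CA
renewal master updates when it renews; a replica that missed the renewal
keeps the old serial locally and gets 'Invalid Credential' on every call.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class RADescription(NamedTuple):
    version: int
    serial: int
    issuer: str
    subject: str


def parse_ra_description(desc: str) -> RADescription:
    """Parse '<version>;<serial>;<issuer DN>;<subject DN>'."""
    version, serial, issuer, subject = desc.split(";", 3)
    return RADescription(int(version), int(serial), issuer, subject)


def description_from_ldif(ldif: str) -> Optional[str]:
    """description attribute from ldapsearch output, unfolding wrapped LDIF lines."""
    unfolded = re.sub(r"\n ", "", ldif)  # a continuation line starts with one space
    m = re.search(r"^description: (.+)$", unfolded, re.M)
    return m.group(1) if m else None


def serial_from_openssl(text: str) -> int:
    """Serial from `openssl x509 -noout -serial` output ('serial=07', hex)."""
    m = re.search(r"serial=([0-9A-Fa-f]+)", text)
    if not m:
        raise ValueError("no serial= line in openssl output")
    return int(m.group(1), 16)


def ra_agent_mismatch(ldap_desc: str, local_serial: int) -> Optional[str]:
    """None when LDAP and the local PEM agree, otherwise the description the
    local cert corresponds to (what ipa-healthcheck prints as 'expected')."""
    in_ldap = parse_ra_description(ldap_desc)
    if in_ldap.serial == local_serial:
        return None
    d = in_ldap._replace(serial=local_serial)
    return f"{d.version};{d.serial};{d.issuer};{d.subject}"


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """One dict of 'field: value' pairs per request in `getcert list` output."""
    requests: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests


def resubmit_commands(text: str) -> List[str]:
    """One `getcert resubmit` per request that carries a ca-error or is still
    parked in CA_WORKING, to run once the renewal master has renewed its copy."""
    return [f"getcert resubmit -i {r['id']}" for r in parse_getcert_list(text)
            if r.get("ca-error") or r.get("status") == "CA_WORKING"]


def report(ldif: str, openssl_text: str, getcert_text: str) -> List[str]:
    """Combine the three inputs into the lines an operator wants to see."""
    lines: List[str] = []
    desc = description_from_ldif(ldif)
    expected = ra_agent_mismatch(desc, serial_from_openssl(openssl_text)) if desc else None
    if expected:
        lines.append(f"RA agent description does not match {desc} in LDAP and {expected} expected")
    lines.extend(resubmit_commands(getcert_text))
    return lines


# Constructed samples, not real output from the thread; DNs, serials and
# request IDs reuse the EXAMPLE.COM values from Roderick's healthcheck report.
SAMPLE_LDIF = """dn: uid=ipara,ou=people,o=ipaca
description: 2;16;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMP
 LE.COM
"""
SAMPLE_OPENSSL = "serial=07\n"
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 3.
Request ID '20180926040924':
\tstatus: MONITORING
\tca-error: Invalid cookie: u''
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
Request ID '20180926040925':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
Request ID '20180831064406':
\tstatus: CA_WORKING
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF, SAMPLE_OPENSSL, SAMPLE_GETCERT)))
```

Run it on the replica after `getcert list` on the renewal master shows its own copies renewed, feeding it the output of `ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca description`, `openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -serial` and `getcert list`. Resubmitting the ra-agent request is what replaced ra-agent.pem for Roderick and made the 'Invalid Credential' errors go away; resubmitting the cert-pki-ca requests pulls in the copies the master already renewed. The serial comparison doubles as the cross-replica check: the ldapsearch answer is replicated and identical on host1, host2 and host3, so any replica whose local serial differs from it is the one that has fallen behind.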

[Freeipa-users] Replica not renewing IPA certificates

2020-01-31 Thread Roderick Johnstone via FreeIPA-users

Hi

This is freeipa (ipa-server-4.6.5-11.el7_7.3.x86_64) on RHEL7 with 
freeipa's own internal CA.


One of my ipa server replicas (host3) has not renewed its IPA system 
certificates and is now showing

ca-error: Invalid cookie: u''
in the 'getcert list' output for certificates:
"auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca", 
"subsystemCert cert-pki-ca", and the

certificate in the file /var/lib/ipa/ra-agent.pem

As far as I can see, the sequence of events has been as follows:

host3 noticed the certificates needed renewing at 30 Jan 2020 05:37 and 
certmonger initiated a renewal.


The state of those certificates went from MONITORING to CA_WORKING but 
the certificates were not renewed.


The CA renewal master (host1) noticed its same set of certificates (plus 
"Server-Cert cert-pki-ca") needed renewing at 30 Jan 2020 07:28 and 
renewed them successfully.


Another replica (host2) noticed that its certificates needed renewing at 
30 Jan 2020 07:32 and renewed them successfully.


At 30 Jan 13:37 on host3 the certificates needing to be renewed went 
from CA_WORKING back to MONITORING, but 'getcert list' now shows them with:

ca-error: Invalid cookie: u''
and they still haven't renewed.

I haven't seen certmonger attempt to try the renewal again on host3 
(nothing from certmonger in /var/log/messages since 30 Jan 13:37).


While I could try a getcert resubmit on host3 to force it to try again, 
I'd like to know if what I am seeing is the expected behaviour when a 
replica tried to renew certificates before the renewal master.


How long should I have to wait till certmonger on host3 tries again? - I 
couldn't find any reference to how often certmonger tries the renewal.


Rob Crittenden's freeipa-healthcheck script is now showing the following 
for host3:


ERROR: ipahealthcheck.ipa.certs.IPARAAgent: RA agent description does 
not match 2;16;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA 
RA,O=EXAMPLE.COM in LDAP and 2;7;CN=Certificate 
Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM expected
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040924: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040920: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040921: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040922: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040923: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040925: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040927: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040926: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180831064406: 
Request for certificate failed, Certificate operation cannot be 
completed: EXCEPTION (Invalid Credential.)
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck: Request 
for certificate failed, Certificate operation cannot be completed: 
EXCEPTION (Invalid Credential.)



Each of host1, host2 and host3 are showing serial number 16 in ldap using:
ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca 
description


At this stage I'm not sure whether this will resolve itself when 
certmonger tries to renew certificates again or whether I need to be 
more proactive.


I'm happy to supply more logs as necessary.

Thanks

Roderick


[Freeipa-users] Re: shouldn't freeipa work by default?

2020-01-31 Thread François Cami via FreeIPA-users
Hi,

On Fri, Jan 31, 2020 at 8:04 AM Harald Dunkel via FreeIPA-users
 wrote:
>
> Hi folks,
>
> *ipa help topics* gives me
>
> # ipa help topics
> ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. 
> Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
> # env | egrep LANG\|LC
> # echo $?
> 1
>
> Shouldn't the command line interface work by default? Why not silently
> assume UTF-8 and continue?

We'd rather fail early and print that warning which lets the admin fix
the issue.
You can see the rationale in the upstream ticket:
https://pagure.io/freeipa/issue/5887

François

> Printing a warning might be OK.
>
>
> Regards
> Harri


[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-31 Thread Serge Barkov via FreeIPA-users
It seems that the reason for the problem is the
"404...The requested resource is not available" when ipa tries to renew the 
certificate with the request
https://ipa0.domain.com:8443/ca/agent/ca/profileReview
When I try it, the certificate is good but the result is 404...

Are there any ideas where to look?