[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 06:09:22AM +1000, Fraser Tweedale wrote: > On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > > > Providing the dogtag debug log

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > Providing the dogtag debug log might be helpful. The replica install log > > > shows that the GoDaddy CA

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: > > Hi, > > I'm playing around with keycloak and wanted to use an SSL certificate > from IPA. I've looked around but didn't see any howto about using java > keytool with ipa-getcert. Does anyone have experience with it? >

[Freeipa-users] Re: Can't create new CA replica

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote: > john.bowman--- via FreeIPA-users wrote: > > Since taking over our FreeIPA environment I've been unable to create a new > > CA replica. A bunch of failed attempts and upgrades over the last year and > > I keep running in to

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by > an external root CA. Problem: > > Even though I have imported the root CA and clicked on all the trust > checkboxes, chromium

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote: > On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote: > > Hi Fraser, > > > > On Fri, 11 Aug 2017 18:48:29 +1000 > > Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: Renewal of External Third Party SSL Cert

2017-08-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote: > Hi Fraser, > > Thanks for the reply. > > However I have both my IPA CA and third party CA, where IPA CA is self > signed and third party CA Signed by DigiCert. So if my SSL certificate is > going to expire next

[Freeipa-users] Re: Replication and SSL certs

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote: > On 07/12/2017 08:34 PM, Fraser Tweedale wrote: > > > > Which version(s) of FreeIPA? > ipa-server-4.4.0-14.el7.centos.7.x86_64 > > > > Which service(s) (HTTP, LDAP?). > HTTPS. I haven't checked LDAPS yet. It appears

[Freeipa-users] Re: Update signing certificate

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 08:20:02AM -0400, Jeff Fouchard via FreeIPA-users wrote: > The certificates are being issued via ipa-getcert. The certificates we get > back are signed with what looks to be the old "self-signed" IPA CA > certificate. The CN is the same as the new one, but the serial /

[Freeipa-users] Re: can't upgrade IPA because of certificate alias problem

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 03:02:02PM +, Charles Hedrick via FreeIPA-users wrote: > I’ve installed ipa. Originally I did the default install, without DNS. > > I then updated to a commercial cert. Notes at the end. > > I just did a yum update. isa-upgrade failed with the following error: > >

[Freeipa-users] Re: Modify default dirsrv/LDAP certificate (add SAN)

2017-07-09 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote: > Hi, > > I am using FreeIPAv4, some client products do not support LDAP failover > so I am configuring an LDAP loadbalancer based on KeepAlived to do LDAP stream > fail-over. > I have two FreeIPA server

[Freeipa-users] Re: still unable to renew certificates - deep trouble

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote: > Hello, > > I'm getting desperate, I'm still unable to fix my expired certificates on > my freeIPA master. > > Summary: > >- I discovered that my web ui SSL certificate had expired. >- the certificate

[Freeipa-users] Re: Replication and SSL certs

2017-07-16 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 14, 2017 at 07:47:39AM -0400, Mark Haney via FreeIPA-users wrote: > On 07/13/2017 09:57 PM, Fraser Tweedale wrote: > > OK, I think I understand. > > > > ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been > > set up with a certificate issued by the IPA CA, which your

[Freeipa-users] Re: IPA replica with CA role problems

2017-07-24 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users wrote: > Prior to my employment, one of our engineers setup an IPA server to replace > the horrific OpenLDAP server. One of my first tasks was to build a second > IPA server and setup replication. Initially, the replication

[Freeipa-users] Re: Removal of obsolete certificates from o=ipaca

2017-07-30 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote: > Hello all, > > we are currently facing an issue with a huge number of outdated certificate entries > in the o=ipaca LDAP subtree (many servers no longer exist, certificates already > expired etc) > and we would like to remove

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote: > Michael Gusek via FreeIPA-users wrote: > > Hi Fraser, > > > > at the moment, i can't provide this logfile, i've moved that back to > > have only new log lines. But a new logfile is not created ??? In my > > old logfile i have

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote: > On 08/02/2017 04:17 PM, Fraser Tweedale wrote: > > > > > - /var/log/ipareplica-install.log from replica > > > - /etc/pki/pki-tomcat/ca/debug from both master and replica > > > > > > Those logs should do for a start. > > > > > > I'd

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 18, 2017 at 05:28:12PM +1000, Fraser Tweedale wrote: > Hi Stefan et al, > > It's hard to work out exactly what's going on. > > First make sure that all certificates including the IPA CA > certificate are within their validity period. Make sure that CA > certificate(s) have the

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote: > I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed > with --external-ca, and the resulting CSR signed with a validity period of > 30 days to test behavior around expirations. > > Upon booting

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via FreeIPA-users wrote: > Hello, > > after the mistake with Startcom CA (Class 3), now I look for a new > Certificate.. > > Is it possible and functional to install a Letsencrypt CA on an IPA-Server? > > I have found a script

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote: > On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > > > I am not saying “instead of”. We are using stan

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 20, 2017 at 08:50:03AM +1000, Lachlan Musicman via FreeIPA-users wrote: > 2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443] > timeout 300 > 2017-09-19T22:35:51Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:29:09PM +0200, Gabriel Stein via FreeIPA-users wrote: > Hi all, > > I was discussing an issue with @ftweedal and I will continue doing some > questions here. > > I have installed Freeipa with an additional Replica Server, but to me some > concepts are not so clear. > >

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:39:57PM +0200, Gabriel Stein via FreeIPA-users wrote: > Oh, sorry for the typos... (thanks @callum) > > '/s/Datadog/Dogtag/g' > Datadog is a pretty good name though! :) > Best Regards, > > Gabriel > > Gabriel Stein > -- > Gabriel Ferraz

[Freeipa-users] Re: Which one?

2017-09-05 Thread Fraser Tweedale via FreeIPA-users
On Tue, Sep 05, 2017 at 11:16:03AM -0500, Kat via FreeIPA-users wrote: > Hi all, > > Looking to proxy some applications with a reverse proxy. Want to integrate > with IPA to do auth on the front end of the proxy so it passes kerberos > tickets to the back-end applications. Any suggestions on which

[Freeipa-users] Re: Changing case of user attributes fails

2017-09-06 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 06, 2017 at 02:05:56PM -0400, Anthony Clark via FreeIPA-users wrote: > It may possibly be related to this, but this is marked as fixed for 4.3: > https://pagure.io/freeipa/issue/5456 > > I'm on 4.4.0-14.el7.centos.7 > > A user had their lastname entry added with the wrong case. I

[Freeipa-users] Re: AWS FreeIPA install killed ?

2017-08-27 Thread Fraser Tweedale via FreeIPA-users
On Sun, Aug 27, 2017 at 07:13:50AM -0400, Outback Dingo via FreeIPA-users wrote: > Done configuring directory server (dirsrv). > Configuring Kerberos KDC (krb5kdc) > [1/10]: adding kerberos container to the directory > [2/10]: configuring KDC > [3/10]: initialize kerberos container > [4/10]:

[Freeipa-users] Re: Upgrading with GoDaddy SSL cert for https only

2017-10-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 11, 2017 at 12:50:39PM -0400, Mark Haney via FreeIPA-users wrote: > I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7 > (along with updating C7 to 7.4) and it bombed spectacularly. It seems the > upgrade process doesn't like the GoDaddy SSL cert we supplied

[Freeipa-users] Re: IPA CA allow CSR SAN names in external domains

2017-10-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote: > Hello > > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be > able to add SANs for a different dns domain than exists in the IPA realm. > The dns for 'otherdomain.com' is handled by active

[Freeipa-users] Re: Seeking advice on testing ipa internal certificate renewal

2018-05-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 08, 2018 at 05:35:19PM +0100, Roderick Johnstone via FreeIPA-users wrote: > Hi > > In our current ipa implementation some of the ipa internal certificates are > not able to be renewed correctly. > > After a lot of support both from Redhat and also through this list, neither > of

[Freeipa-users] Re: CA install on replica fails - Clone URI does not match...

2018-05-09 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 03, 2018 at 02:25:34PM +, Ross Infinger wrote: > I assume the issue here is with the command... > https://pci-mgmt-ipa01.pci.xx.com:443/ca/admin/ca/getDomainXML > > Which returns... > domain info: standalone="no"?>IPA00 > > I notice that all the SubsystemCount values are

[Freeipa-users] Re: After using 3rd party certs (Let's Encrypt) : pki-tomcatd fails to restart

2018-05-08 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 09, 2018 at 03:12:37AM -, Henery Hawk via FreeIPA-users wrote: > I've followed what I thought were the instructions to install > Let's Encrypt certs on my recent FreeIPA installation but when I > restart the services, pki-tomcatd fails to restart. > > During the installs I've

[Freeipa-users] Re: PKI with IPA

2018-05-17 Thread Fraser Tweedale via FreeIPA-users
Hi Maciej, I concur with the answers in Rob's reply. But I have one question. On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via FreeIPA-users wrote: > 3. How can I export the IPA revocation list so it's compliant with servers > (CRL format) > What do you mean by "compliant with

[Freeipa-users] FreeIPA wiki troubleshooting page re-org

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
Hi all, The troubleshooting page was getting huge and unwieldy. I have broken the various sections out into separate pages. Now the main troubleshooting page is just some high-level info/advice and a list of links to other topics. https://www.freeipa.org/page/Troubleshooting I haven't made

[Freeipa-users] [BLOG] Replacing a lost or broken CA in FreeIPA

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
My latest blog post looks at how to clean up and install a *new* CA within an existing FreeIPA deployment. This handles scenarios where a CA installation has failed, or the original CA has been lost (e.g. all CA replicas decommissioned). Enjoy! As usual, I am keen for whatever feedback or

[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-06-24 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote: > Hello all, > I had an issue a short while ago with a replica which turned out to be an > expired certificate which I renewed and all seemed good. > > Seemed... > > It now appears that although the certificate

[Freeipa-users] Re: Potentially Corrupted Tomcat PKI database, recovery steps?

2018-05-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 30, 2018 at 11:49:09AM -0400, Brian Weaver via FreeIPA-users wrote: > After a recent power outage the IPA master server I built a few years ago > is having some issues. I've done as much troubleshooting as I can and I > think I've tracked down the issue to the certificate database in >

[Freeipa-users] Re: CA install on replica fails - Clone URI does not match...

2018-04-26 Thread Fraser Tweedale via FreeIPA-users
Hi Ross, Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica? Thanks, Fraser On Thu, Apr 26, 2018 at 05:33:32PM +, Ross Infinger via FreeIPA-users wrote: > I'm installing the CA service on an existing replica with command >

[Freeipa-users] Re: Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token

2018-05-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 30, 2018 at 03:30:34PM +0200, H. Frenzel via FreeIPA-users wrote: > Hi, > > I tried to install a CA on the 2nd master from a replica file which was created on > the 1st master (with self-signed CA), which fails with: > > ipa : DEBUG stderr=TokenException: Failed to import >

[Freeipa-users] Re: Unable to sign CSR with multiple CN in subject

2017-10-19 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 19, 2017 at 10:40:12AM +, Joel Kåberg via FreeIPA-users wrote: > Hello > > I'm trying to sign a CSR which has multiple CN in the certificate > subject. When the certificate is signed it only contains one CN in > the subject (should be 2, site1.domain.tld and site2.domain.tld), >

[Freeipa-users] Re: Expired certificate problem

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote: > After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at > server. Request failed with status 500: Non-2xx response from CA REST API: > 500." when certmonger tries to renew httpd/dirsrv

[Freeipa-users] Re: IPA Password Vault

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
get servers, and who can perform particular privileged operations on target servers. FreeIPA enables this approach. Cheers, Fraser > > Sean Hogan > > > > > > > > From: Fraser Tweedale via FreeIPA-users > <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote: > Il 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users ha scritto: > > Great! I'm glad you got to the bottom of it. Just curious - were > > there / are there multiple authority entries in LDAP underneath > > o

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote: > Il 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users ha scritto: > > "CA replica" just means any IPA master that has the Dogtag CA > > installed. > > > > You have a Dogt

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote: > Hi Fraser, > > Il 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users ha scritto: > > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users > > wrote: > > >

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote: > Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto: > > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), > > not the FreeIPA DIT. You should check on a CA replica. > >

[Freeipa-users] Re: Problems with KeyRetrieverClass when setting up replica with CA

2018-01-15 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 15, 2018 at 01:48:34PM +0100, Aljaž Srebrnič via FreeIPA-users wrote: > > On 15 Jan 2018, at 03:42, Fraser Tweedale > > wrote: > > > > On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users > > wrote: > >>

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 01:34:37PM +, Mike Kelly via FreeIPA-users wrote: > Hi, > > I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right > way to generate per-user certificates? (Looking to generate certs for > Android and Chrome OS, so I don't have an easy way to build a

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-30 Thread Fraser Tweedale via FreeIPA-users
> > > > > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > > > cert-pki-ca',token='NSS Certificate DB' > > > > > CA: dogtag-ipa-ca-renew-agent > > > > > issuer

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-02-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users wrote: > Hi, > > Problem solved. > > Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added > permissions and selinux labels, and went back to Christmas. > > Problem still there, renewal did not

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote: > Hi, > > some certificates on our freeipa-cluster (3 servers) have not been > renewed until now, 2 hours before expiring. Can this be a problem? > > Some of the certificates, the ones expiring show

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-12 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users wrote: > Hi, > > Is it possible to apply wildcard SSL on v3.1 to be able to migrate to > recent free-ipa? > Reason being that, I need to backdate date to year before self-signed expired. > I have not been able to renew

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users wrote: > I'll give that a try. > If you "Clear Recent History" for the domain, ensuring that "Remove Offline Data" is selected, I think that might do the trick. It's something like that, anyhow. Or choose a different CA

[Freeipa-users] Re: Creating CA replica fails

2018-08-01 Thread Fraser Tweedale via FreeIPA-users
Hi Aaron, Can you please provide the contents of /var/log/pki/pki-ca-spawn.20180802044015.log, and /var/log/pki/pki-tomcat/ca/debug from both the replica (if it exists) and the master. Thanks, Fraser On Thu, Aug 02, 2018 at 05:03:54PM +1200, Aaron Hicks via FreeIPA-users wrote: > Hello the

[Freeipa-users] Re: ipa require mvn?

2018-08-08 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 08, 2018 at 02:38:39PM +0800, None via FreeIPA-users wrote: > Dear, > I tried to install ipa using "yum install -y ipa-server" in CentOS 7.2. > Since the environment cannot connect to the network, I prepared a local yum > repository using an iso file. > Then I encountered dependency

[Freeipa-users] [BLOG] Issuing subordinate CA certificates from FreeIPA

2018-08-20 Thread Fraser Tweedale via FreeIPA-users
Hi all, There was recently discussion about how to issue sub-CA certificates to external entities in FreeIPA (i.e. not lightweight CAs which are internal to an IPA deployment). So I blogged a comprehensive HOWTO, with a discussion of the caveats/limitations.

[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-07-08 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 06, 2018 at 09:21:44PM -0700, Thomas Letherby wrote: > Hello Fraser, > > The serial numbers appear to match, but if I run ipa-certupdate I get the > following: > > ipa-certupdate > trying https://server1.i.domain.net/ipa/json > Connection to https://server1.i.domain.net/ipa/json

[Freeipa-users] Re: Add SAN attributes to certificate at sign time

2018-07-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 12, 2018 at 09:26:09AM -, vitenbergd--- via FreeIPA-users wrote: > Hello, everyone > > I've got problem similar to: > https://serverfault.com/questions/253960/adding-subject-alternate-names-san-to-an-existing-cert-signing-request-csr > > So, there is a HP crypto device for which

[Freeipa-users] Re: Changing CA certificate subject name post-install

2018-03-20 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 20, 2018 at 08:22:53AM -0500, Kirk VanOpdorp via FreeIPA-users wrote: > I have an external CA that I need to renew due to the root CA expiring soon > and they grumbled at the CA subject last time and I suggested I would look > into changing it. I don't see any route via the

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-05 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 06, 2018 at 10:57:16AM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users > wrote: > > Manually installing the cert at /etc/ipa/ca.cert and restarting > > Apache fixes the error, but it seems li

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-05 Thread Fraser Tweedale via FreeIPA-users
On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users wrote: > Manually installing the cert at /etc/ipa/ca.cert and restarting > Apache fixes the error, but it seems like whenever a cert renewal > happens, I'll have to manually update it again. Which seems > brittle. The

[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-06-29 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote: > Hello all, > > Here's the info: > > certutil -d /etc/dirsrv/slapd-I-domain-NET -L > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Server-Cert

[Freeipa-users] Re: SSL Private Key Recovery

2018-10-07 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote: > Hi all, > > Creating the SSL certs/keys for, for example, Apache can easily be done > by using the FreeIPA Dogtag CA-server. With some effort, I put it in an > Ansible playbook which will install Apache and

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via FreeIPA-users wrote: > Hello, > I have a FreeIPA server that is currently running as a CA only, no clients > connect, no LDAP entries have ever been made, no DNS etc... The original > ipa CA is how it was setup during the initial

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-18 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 18, 2018 at 10:00:20AM -0400, Ralph Crongeyer via FreeIPA-users wrote: > Hi Fraser, > Actually my goal would be to have two identical stand alone servers. For > instance maybe add a server as a replica and then separate them from each > other, or maybe export the CA's and issued certs

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-21 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 19, 2018 at 09:55:39AM -0400, Ralph Crongeyer via FreeIPA-users wrote: > We are trying to combine services and servers into FreeIPA. We have > openldap for ldap, and a stand alone FreeIPA for CA / certs, this stand > alone has the DNS component installed, which we don't want to use in

[Freeipa-users] IPA sub-CAs; cleaning up spurious Dogtag LWCA entries

2018-10-22 Thread Fraser Tweedale via FreeIPA-users
Hi Rob, (Cc freeipa-users@ for visibility) On Mon, Oct 22, 2018 at 04:12:05PM -0400, Rob Crittenden wrote: > I've gotten some upstream feedback on my cert checking tool and one user > came back with a bunch of errors: > > Error looking up CA entry in IPA aeca4a88-630d-4f47-9585-73bad089260b: >

[Freeipa-users] Re: IPA sub-CAs; cleaning up spurious Dogtag LWCA entries

2018-10-28 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 26, 2018 at 02:33:30PM +0200, Louis Lagendijk via FreeIPA-users wrote: > On Tue, 2018-10-23 at 11:23 +1000, Fraser Tweedale via FreeIPA-users > wrote: > > Hi Rob, > > > > (Cc freeipa-users@ for visibility) > > > > On Mon, Oct 22, 2018 at 04

[Freeipa-users] Re: Deployment without CA

2018-10-31 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 31, 2018 at 11:58:57AM -0400, Rob Crittenden via FreeIPA-users wrote: > Henrik Johansson via FreeIPA-users wrote: > > > > > >> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users > >> >> > wrote: > >> > >> It would create CSR

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users wrote: > William Muriithi via FreeIPA-users wrote: > > Morning Rob > >>> What's the process for either removing or making it known? > >> > >> I'll add something to the program about this too but for now you can run: > >> >

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 01:05:24PM -0500, Rob Crittenden via FreeIPA-users wrote: > Peter Oliver via FreeIPA-users wrote: > > [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: > > CertUserDBAuthentication: cannot map certificate to any userUser not found > >

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 06:27:51PM -, Zarko D via FreeIPA-users wrote: > Okay, we know cert has expired, but I am configuring basic auth for PKI, so > why is this relevant now? > The basic/cert auth is related to how Dogtag authenticates to the database. The self-test checks the

[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote: > Hello all, > Hi David, > I have to clean up a lot of useless certificates in the dirsrv database. > Because of a resubmit loop on the Certmonger client, I have 99,9% of certificates in the > dirsrv database that are useless and not

[Freeipa-users] Re: Issues installing replica

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
Hi Alex, (Cc some other engineers for Dogtag cloning troubleshooting exposure). Thanks for the additional logs. Can we please see [temporally relevant snippets of] any other log files under /var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca , as well as the journal (`journalctl -u

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 06:03:27AM -, Zarko D via FreeIPA-users wrote: > Thank you Fraser for the support. > 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no > problem here. > But I am afraid I can't find common date for remaining four certs. As per > below data: >

[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users wrote: > Natxo Asenjo via FreeIPA-users wrote: > > hi, > > > > I am testing smartcard authentication with a yubikey neo like described > > in > >

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote: > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale > > > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. > > Do the 'userCertificate', 'description' and 'seeAlso' attributes > > match the IPA RA certificate

[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote: > On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote: > > > This is not timestamped, but I guess it is the thing. Weird, I don't > > remember my provisioning does anything JRE-related, but I will do some > > digging

[Freeipa-users] Re: CA master reinstall via replication

2018-11-12 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote: > On Tue, 13 Nov 2018, Fraser Tweedale wrote: > > > Can you please clarify, what is the procedure to rebuild the master > > via replication? > > Honestly, no, as there isn't any clearly documented way to do this ;) > >

[Freeipa-users] Re: CA master reinstall via replication

2018-11-12 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 12, 2018 at 03:55:13PM -0500, Rob Foehl via FreeIPA-users wrote: > If I have a pair of IPA servers and need to reinstall the one currently > holding the CA master, is it actually necessary to promote the other one, or > can I just follow the procedure to rebuild the current master via

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 09, 2018 at 01:43:37PM +, Peter Oliver via FreeIPA-users wrote: > On Thu, 8 Nov 2018, 22:29 Fraser Tweedale > > > > > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale > > > > > > > > > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. > > > > Do the 'userCertificate',

[Freeipa-users] Re: Issues installing replica

2018-11-05 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote: > Might this be related to: > > https://pagure.io/freeipa/issue/7654 > > Maybe? > Possibly. Need the HTTP access log, the Dogtag access log (/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag debug

[Freeipa-users] Re: FreeIPA - is it the right solution for me?

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 02, 2018 at 02:02:03PM -, 74cmonty via FreeIPA-users wrote: > Hi, > I am considering deploying FreeIPA in my home network. > In this network I run several servers and workstations with both Linux and > Windows. > In addition I have set up some web services running in containers (LXC). > I

[Freeipa-users] Re: Contribute to a HowTO

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 02, 2018 at 12:50:46PM -, Peter Tselios via FreeIPA-users wrote: > OK, it might be stupid, but how do I add a new page in the Wiki. I > cannot find any "Create/Add/Edit" (or anything similar) link on > the pages! > You have to log in before those links appear. Cheers, Fraser

[Freeipa-users] Re: Replica install on RPI3

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
Dogtag CA is a massive enterprise Java program. Can't do much about it. Run a CA-less deployment, or run a CA-ful deployment with Raspberry Pi replicas having no CA, and CA replicas running on machines with more memory and more grunt. Cheers, Fraser On Sun, Nov 04, 2018 at 04:04:27PM +0100,

[Freeipa-users] Re: SSL Private Key Recovery

2018-10-10 Thread Fraser Tweedale via FreeIPA-users
le) to issue short-lived certificates, thus avoid the need to revoke (or if you revoke, limiting the time the certificate appears in a CRL). Cheers, Fraser > > Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24: > > On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via &

[Freeipa-users] Re: external ocsp ?

2018-10-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 01, 2018 at 06:05:42PM -0400, veer Schlansky via FreeIPA-users wrote: > My company's PIV/AD credential is u...@example.com. We set up our IPA > credential as u...@linux.example.com > > example.com and linux.example.com are completely separated domains/realms, > no trust or

[Freeipa-users] Re: issues while switching to other root CA

2018-09-02 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote: > Hi All, > > We are using our own (self-signed) root CA for our installations. We just > started to use ipa and after exploring the possibilities we want to switch > to the root CA we normally use. According to [1]

[Freeipa-users] Re: Cannot import certificate signed by MS-CA - subject mismatch

2018-09-24 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 06, 2018 at 10:00:00AM -, Peter Tselios via FreeIPA-users wrote: > Hello, > I want to use the company's MS-CA as the single CA and thus I had to change > the FreeIPA certificate. > The process was smooth until the point of importing the certificate in the > FreeIPA. > I got

[Freeipa-users] Re: CSR misses Country information

2018-09-24 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 12, 2018 at 02:36:23PM -, Peter Tselios via FreeIPA-users wrote: > I talked with some friends. It looks like the only way to alter > this information is during the installation only (when you specify > an external CA) and there is no way to change it afterwards. That's correct.

[Freeipa-users] Re: issues while switching to other root CA

2018-09-24 Thread Fraser Tweedale via FreeIPA-users
Hi Wim, Sorry for delayed reply. I was on leave for a few weeks. Glad you reached a happy outcome. It seems irrelevant now but FWIW I was not able to access the files on Google Drive. Cheers, Fraser On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote: > Hi, > > We

[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2019-01-01 Thread Fraser Tweedale via FreeIPA-users
Jason, could you please attach the latest PKI debug log from /var/log/pki/pki-tomcat/ca/ - everything from the beginning of startup to where it hangs? Thanks, Fraser On Sat, Dec 29, 2018 at 11:07:07PM -, Jason Wood via FreeIPA-users wrote: > This is on all 4 systems having the issue > ipa

[Freeipa-users] Re: Trouble with pki-tomcat

2018-12-16 Thread Fraser Tweedale via FreeIPA-users
On Fri, Dec 14, 2018 at 03:52:58PM +0100, Arjen Heidinga via FreeIPA-users wrote: > Dear all, > > I fear somehow my freeipa server is broken. Perhaps it is time to create > a new one, however that would be very time-consuming. > > Yesterday everything broke, after FreeIPA was upgraded. It is

[Freeipa-users] Re: OCSP responses for an external CA

2018-11-28 Thread Fraser Tweedale via FreeIPA-users
Hi Andrew, Responses inline. On Wed, Nov 28, 2018 at 05:35:11PM -0800, Andrew C Dingman via FreeIPA-users wrote: > Hi, all > > I'm not sure the following is feasible, but IHAC who may want to use > IPA in an air-gapped network while relying on smart card authentication > using certificates

[Freeipa-users] Re: Host vs. service certificates

2018-12-03 Thread Fraser Tweedale via FreeIPA-users
On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote: > On Tue, 4 Dec 2018, Fraser Tweedale wrote: > > > No significant differences for most use cases. If using only host > > principals works for you, go ahead. > > Probably should've tried it first... A request like

[Freeipa-users] Re: Host vs. service certificates

2018-12-03 Thread Fraser Tweedale via FreeIPA-users
On Mon, Dec 03, 2018 at 06:23:04PM -0500, Rob Foehl via FreeIPA-users wrote: > Are there any practical differences between IPA-issued certificates for > hosts and services (ipa-getcert -K service/hostname for the latter), if > they're only being used to identify the host in a non-Kerberos-aware

[Freeipa-users] Re: NoClassDefFoundError: javax/annotation/Priority

2018-12-07 Thread Fraser Tweedale via FreeIPA-users
This can sometimes occur when there are mismatched versions of Java libraries. Is every Java-related package (especially resteasy and tomcat packages) at the latest version? Cheers, Fraser On Fri, Dec 07, 2018 at 04:54:06PM +0100, Milos Cuculovic via FreeIPA-users wrote: > Trying to run pki

[Freeipa-users] Re: yubikey csr not working

2018-12-02 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 09, 2018 at 07:42:36AM +0100, Natxo Asenjo via FreeIPA-users wrote: > On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale wrote: > > > > > Natxo, could you please provide Dogtag debug log from > > /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in > > the journal at the

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Fraser Tweedale via FreeIPA-users
On Wed, Dec 05, 2018 at 11:37:36AM -0500, Christopher Young wrote: > Ok. (Again, I apologize for all the previous messages). > > I found the record after JUST starting up the directory on my 'ipa02' > system (the one with the pki-tomcat starting issues). I exported out > a LDIF and imported

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-04 Thread Fraser Tweedale via FreeIPA-users
Hi Christopher, I agree with Rob that a replication issue is the most likely cause. If there were replication issues, depending on your topology there may be serial/request ID range conflicts too. But the most critical issue is the about-to-expire certificate. A couple of quick points/questions: