[Freeipa-users] Re: web interface: show all instead of just 20 entries?

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi Petr, On Wed, 2 Aug 2017 12:48:32 +0200 Petr Vobornik via FreeIPA-users wrote: > > Hello, > > 20 was a hard-coded paging limit. Since FreeIPA 4.5 (not sure if also > in 4.4) the paging limit can be configured in Web UI under: "Top-right > corner

[Freeipa-users] howto replace an externally signed CA

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, Problem: I have setup freeipa using a bad external CA. Long story: I have setup my freeipa servers using ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca --subject="O=example AG,C=DE" --setup-dns --forwarder=... on ipa1.example.com. It created a csr, it was

[Freeipa-users] PKI debug files are not rotated

2017-08-03 Thread Harald Dunkel via FreeIPA-users
Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/pki/pki-tomcat/ca/CS.cfg, setting debug.append=true

[Freeipa-users] Chromium complains about ipa's web server certificate

2017-08-11 Thread Harald Dunkel via FreeIPA-users
Hi folks, My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by an external root CA. Problem: Even though I have imported the root CA and clicked on all the trust checkboxes, chromium complains about the certificate of the web admin interface running on https://ipa1.example.com/ :

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-11 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On Thu, 10 Aug 2017 17:21:19 +0200 Florence Blanc-Renaud wrote: > On 08/10/2017 04:47 PM, Harald Dunkel wrote: > > Hi folks, > > > > On Wed, 2 Aug 2017 16:24:00 +0200 > > Florence Blanc-Renaud wrote: > > > >> Hi, > >> > >> You can follow the steps

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Harald Dunkel via FreeIPA-users
Hi Fraser, On Fri, 11 Aug 2017 18:48:29 +1000 Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users > wrote: > > > > https://support.google.com/chrome/a/answer/7391219

[Freeipa-users] Re: sssd providing dns cache?

2017-07-07 Thread Harald Dunkel via FreeIPA-users
On Fri, 7 Jul 2017 08:27:53 + "wouter.hummelink--- via FreeIPA-users" wrote: > No, > I would suggest to add it. > But you can use nscd with [services passwd group netgroup] caches disabled. > I saw the documentation about this on RedHat's wiki,

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-08 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: > Hi, > > You can follow the steps described here: >

[Freeipa-users] Re: AIX 7.1 as IPA Client

2017-09-15 Thread Harald Dunkel via FreeIPA-users
On Thu, 14 Sep 2017 11:09:22 +0200 Ronald Wimmer via FreeIPA-users wrote: > Does anyone have AIX 7 IPA Clients? Is there also an IPA client > installer around or do I have to go through this: > > https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients

[Freeipa-users] Re: ipa-getkeytab: PrincipalName not found

2017-11-12 Thread Harald Dunkel via FreeIPA-users
Hi Alex, On Fri, 10 Nov 2017 16:59:07 +0200 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote: > > > >ipa-getkeytab failed with > > > > Failed to parse result:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-14 Thread Harald Dunkel via FreeIPA-users
Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates). If it is not the case, please check first if there were AVC issues (if running in SElinux enforcing mode), and feel free

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-13 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote: My concern is, it looks much more restricted than the old root CA certificate: # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes

[Freeipa-users] Re: ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-17 Thread Harald Dunkel via FreeIPA-users
to the new root CA. Would anybody mind to fix? Thanx very much Harri On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > a few months ago I had replaced the externally signed root > certificate on my servers (CentOS 7.3) using ipa-cacert-manage. > Problem:

[Freeipa-users] Re: ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-16 Thread Harald Dunkel via FreeIPA-users
Hi Charles, On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote: > I’ve seen the same thing. Or at least I think it seems like it’s related. > > We have three servers, all on Centos. The initial one was installed under > 7.3, using defaults. That caused it to generate a self-signed CA.

[Freeipa-users] ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-16 Thread Harald Dunkel via FreeIPA-users
Hi folks, a few months ago I had replaced the externally signed root certificate on my servers (CentOS 7.3) using ipa-cacert-manage. Problem: ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy, freeipa 3.0.2) fails. Apparently it stumbles over the old root certificate: #

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Flo and Andrew, thanx for your replies, but I think you missed the point: The new (external) root CA certificate and the new ipa CA certificate are *in* freeipa already, but on the host I had used for running ipa-cacert-manage to deploy this new PKI the database in

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-08 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote: Hi Harald, the external CAs and FreeIPA CA must be stored in the LDAP server (cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external CAs to the LDAP server is to run ipa-cacert-manage install. ACK You need

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: Here is what I see on the broken ipa server: [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
On 12/7/17 2:53 PM, Florence Blanc-Renaud wrote: Hi, if you run: ipa-cacert-manage install -t C,, ipa-certupdate then the new root certificate will be installed in all the required NSS databases. Do not forget to run ipa-certupdate on all the FreeIPA machines. This did not work:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
PS: I have derived another CA replica "ipa0" from ipa2. certutil shows different trustargs again. Shouldn't ipa2 and the new ipa0 have identical trustargs? [root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote: > Harald Dunkel via FreeIPA-users wrote: >> See attachment. >> >> Please note the "invalid certificate". Do you remember the thread >> on freeipa-devel about "ipa-client-install (3.0.2

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
See attachment. Please note the "invalid certificate". Do you remember the thread on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage" and the output of "ipa-certupdate -v" I had posted? Regards Harri debug.txt.gz

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-10 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > I would try to remove the new root CA from LDAP and re-import it using > ipa-cacert-manage install -t C,, > This should create the entry with the appropriate attributes. > > Flo Result: The new root CA

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-12 Thread Harald Dunkel via FreeIPA-users
Hi folks, any ideas about how to proceed? Is this bbr? Do I have to reactivate the old pki to get out of this mess? Every helpful comment is highly appreciated. Harri

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-12 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, I would try to remove the new root CA from LDAP and re-import it using

[Freeipa-users] worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi folks, Platform: Centos 7.4, ipa 4.5.0-21 The ipa service cannot be started anymore. Error message: # systemctl status ipa * ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code)

[Freeipa-users] Re: ipa-cacert-manage vs NIS support

2017-10-22 Thread Harald Dunkel via FreeIPA-users
On Fri, 20 Oct 2017 20:42:25 +0300 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On pe, 20 loka 2017, Harald Dunkel via FreeIPA-users wrote: > >Hi folks, > > > >I had to replace the CA chain about 3 months ago, using >

[Freeipa-users] Re: certmonger upgrade failure

2018-06-25 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 6/25/18 4:53 PM, Rob Crittenden via FreeIPA-users wrote: > > We'd need to see what certs are being tracked, getcert list. > This gets stuck, too: [root@ipa1 ~]# getcert list Error org.freedesktop.DBus.Error.TimedOut I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but

[Freeipa-users] Re: certmonger upgrade failure

2018-06-26 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 6/25/18 7:10 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but the conclusion ("please reboot") is not helpful. I did. The dbus developers don't think it should ever be res

[Freeipa-users] certmonger upgrade failure

2018-06-23 Thread Harald Dunkel via FreeIPA-users
Hi folks, I managed to get rid of the corrupted entry and to create a new user account. But there are still problems. The upgrade from Centos 7.4 to 7.5 got stuck for 5 to 10 minutes. : Installing : libxkbcommon-0.7.1-1.el7.x86_64 297/787 Updating :

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/20/18 6:02 PM, thierry bordaz via FreeIPA-users wrote: > Hi Harald, > > I wonder if error on ipa1 can not be part of the problem > > [20/Jun/2018:12:16:31.885644563 +0200] - ERR - ldbm_back_modrdn - > SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set >

[Freeipa-users] Re: certmonger upgrade failure

2018-07-02 Thread Harald Dunkel via FreeIPA-users
On 6/28/18 2:19 PM, Harald Dunkel via FreeIPA-users wrote: The dbus problem has been resolved by reinstalling the dbus RPMs. journalctl still shows a lot of "Connection refused" messages for dbus, see attachment. certmonger appears to be running when started on the command

[Freeipa-users] ipa-cacert-manage vs NIS support

2017-10-20 Thread Harald Dunkel via FreeIPA-users
Hi folks, I had to replace the CA chain about 3 months ago, using ipa-cacert-manage. Question: Does this affect freeipa's NIS support? Is there a hidden certificate somewhere I missed to renew? The freeipa servers are running Centos 7.3 and 7.4. Every helpful comment is highly appreciated

[Freeipa-users] Re: mailing list archive out of date

2017-10-20 Thread Harald Dunkel via FreeIPA-users
On Fri, 20 Oct 2017 12:30:50 +0200 Rob Crittenden via FreeIPA-users wrote: > > the list moved earlier this year to > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/ > Thanx very much for your pointer. Apparently the old

[Freeipa-users] Re: certmonger upgrade failure

2018-07-04 Thread Harald Dunkel via FreeIPA-users
Hi folks, On 6/28/18 9:08 AM, Harald Dunkel via FreeIPA-users wrote: On 6/27/18 5:59 PM, Rob Crittenden via FreeIPA-users wrote: I don't see anything obviously wrong. I'd try launching certmonger from a shell to see what you get: # certmonger -d 9 certmonger works fine on the command line

[Freeipa-users] Re: how to avoid ntpd?

2018-01-17 Thread Harald Dunkel via FreeIPA-users
On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote: That's fine but it doesn't address the original problem: he doesn't want anything managing the clock on his system at all: "some ipa servers in my environment are not permitted to change the clock." These are LXC containers

[Freeipa-users] how to avoid ntpd?

2018-01-15 Thread Harald Dunkel via FreeIPA-users
Hi folks, some ipa servers in my environment are not permitted to change the clock. If I use "systemctl mask ntpd" to avoid the "degraded" returned by "systemctl status", then ipactl fails without the ntpd service: # ipactl restart Stopping pki-tomcatd Service Restarting Directory Service

[Freeipa-users] ERR - attrlist_replace - attr_replace

2018-01-14 Thread Harald Dunkel via FreeIPA-users
Hi folks, /var/log/messages includes tons of error messages like Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:58 ipa1 ns-slapd:

[Freeipa-users] ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi folks, something got corrupted in my ldap database (again). After running % ipa user-mod --rename=bobk bobs I get % getent passwd bobs % getent passwd bobk % The UID became unusable. (Highly painful, because this user is cut off from EMails.) This is what I

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
PS: Running ipa-replica-manage force-sync --from ipa0.example.de to sync a "good" replica to a bad one did not help.

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/20/18 3:31 PM, thierry bordaz via FreeIPA-users wrote: Hi Harald, anything noticeable in the error logs when the problem occurred ? (DB_DEADLOCK) I found something in the slapd error log files on the bad replicas (attached). Other replicas show tons of lines like :

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-22 Thread Harald Dunkel via FreeIPA-users
On 6/22/18 2:09 PM, Harald Dunkel wrote: I found something new: "ipa-replica-manage list-ruv" shows an error # ipa-replica-manage list-ruv unable to decode: {replica 7} 58809c7c00030007 58809c7c00030007 PS: Never mind, that was an old problem. I just forgot. Regards Harri

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-22 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/21/18 7:19 PM, thierry bordaz via FreeIPA-users wrote: Hi Harald, Sorry to be back late. There is not enough detail to confirm but my feeling is that the MODRDN (write) failed to update the changelog because of many replication agreements (read) competing with it. It

[Freeipa-users] Re: confused about ipa-dns-install not creating reverse zone

2018-08-03 Thread Harald Dunkel via FreeIPA-users
PS: The logfile says 2018-08-03T08:25:31Z INFO Checking DNS domain 10.0.10.in-addr.arpa., please wait ... 2018-08-03T08:26:01Z INFO Reverse zone 10.0.10.in-addr.arpa. for IP address 10.0.10.7 already exists But I doubt that this is correct. dig returns [root@idms00 centos]# dig -x 10.0.10.7

[Freeipa-users] sssd is going down and up and down and up and down and ... until it breaks

2018-07-26 Thread Harald Dunkel via FreeIPA-users
Hi folks, Apparently sssd goes down and up again and again. I found this in /var/log/daemon.log on our git server: Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down Jul 23 18:02:08 git01 sssd[pam]: Shutting down Jul 23 18:02:08 git01 sssd[nss]: Shutting down Jul 23 18:02:09 git01

[Freeipa-users] confused about ipa-dns-install not creating reverse zone

2018-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, I am confused: Setting up a new freeipa service (CentOS 7.5) using ipa-server-install or ipa-dns-install it asks me Do you want to search for missing reverse zones? [yes]: yes But then it did not create a reverse zone :-(. This doesn't look like documented. There is no

[Freeipa-users] Do you want to search for missing reverse zones?

2018-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, I am confused: Setting up a new freeipa service (CentOS 7.5) using ipa-server-install or ipa-dns-install it asks me Do you want to search for missing reverse zones? [yes]: yes But then it did not create a reverse zone :-( This doesn't look like

[Freeipa-users] openldap and freeipa

2018-07-30 Thread Harald Dunkel via FreeIPA-users
Hi folks, apparently openldap-server is considered as deprecated by RedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality I wonder what this means for Freeipa? Will all of

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 03/12/18 17:52, thierry bordaz via FreeIPA-users wrote: Hi Harald, What version of DS are you running ? We have a reproducer (not systematic) for versions before https://bugzilla.redhat.com/show_bug.cgi?id=1516309 but we have not reproduced it since then, you may need to

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
PS: I see tons of error messages like : Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.819967301 +0100] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68] Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.824391203 +0100] - ERR - DSRetroclPlugin - write_replog_db - An

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-14 Thread Harald Dunkel via FreeIPA-users
Hi Ludwig, On 03/13/18 14:47, Ludwig Krispenz via FreeIPA-users wrote: On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote: Hi Ludwig, On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote: Hi, to get rid of this ruv entry with replicaid 7 you could try to run

[Freeipa-users] Re: is running sssd and nscd in parallel a better option?

2018-10-08 Thread Harald Dunkel via FreeIPA-users
Hi Jakub, On 9/21/18 3:24 PM, Jakub Hrozek via FreeIPA-users wrote: On Wed, Sep 19, 2018 at 02:04:28PM +0200, Harald Dunkel via FreeIPA-users wrote: I still have the problem that sometimes some sssd components disappear somehow, e.g. sssd_pam. The logfile on our mail gateway said : (Tue Sep

[Freeipa-users] is running sssd and nscd in parallel a better option?

2018-09-19 Thread Harald Dunkel via FreeIPA-users
Hi folks, I read somewhere that it is not recommended to run nscd to cache passwd on ipa clients, but I wonder: What if? I still have the problem that sometimes some sssd components disappear somehow, e.g. sssd_pam. The logfile on our mail gateway said : (Tue Sep 18 22:34:28 2018) [sssd[pam]]

[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-12-11 Thread Harald Dunkel via FreeIPA-users
Hi Johan, I am using freeipa 4.4.4-3 and sssd 1.16.3-1 on Stretch. Just the client part of freeipa, of course. Requires systemd for running ipa-client-install, but it works fine for me. My ipa servers are running on CentOS 7. Regards Harri

[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-01-13 Thread Harald Dunkel via FreeIPA-users
Hi Eric, On 1/10/19 2:33 PM, Eric Engstrom via FreeIPA-users wrote: > >> I am using freeipa 4.4.4-3 and sssd 1.16.3-1 on Stretch. Just the >> client part of freeipa, of course. Requires systemd for running >> ipa-client-install, but it works fine for me. > > Harald, > > Could you be a bit more

[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-10 Thread Harald Dunkel via FreeIPA-users
Hi folks, Setup: ipa-server 4.6.4-7 on CentOS 7 Problem: ipa host-del gives me [root@ipa1 ~]# ipa host-del ppcl027.example.com ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404) Google pointed me to https://access.redhat.com/solutions/3624671, but

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-11 Thread Harald Dunkel via FreeIPA-users
Hi Florence, On 7/10/19 4:50 PM, Florence Blanc-Renaud wrote: Hi, the issue seems rather to be between IPA framework and dogtag. Is the CA subsystem enabled? $ pki-server subsystem-show ca should display "Enabled: True" Nope: [root@ipa1 ~]# pki-server subsystem-show ca Subsystem ID: ca

[Freeipa-users] unregister old EMail address on this mailing list?

2019-07-11 Thread Harald Dunkel via FreeIPA-users
Hi folks, I have a new EMail address. Problem is, there is no option on [Manage subscription] to replace the EMail address. The old address is not available to send an unsubscribe to mailman, either. I could subscribe my new address via mail to mailman, but

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-15 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 7/11/19 7:58 PM, Florence Blanc-Renaud via FreeIPA-users wrote: On 7/11/19 10:19 AM, Harald Dunkel via FreeIPA-users wrote: The ldapsearch line returns 2 identical certificates on ipa{0,1,2,bak}, but ipa1 has a 3rd certificate. Please don't tell me that my ldap instances are out

[Freeipa-users] Re: unregister old EMail address on this mailing list?

2019-07-15 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 7/11/19 7:54 PM, Florence Blanc-Renaud wrote: Hi Harri, you probably didn't notice this footer in the emails sent to freeipa-users: To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org It may be worth a try... That would unsubscribe the *valid* IP

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-16 Thread Harald Dunkel via FreeIPA-users
On 7/16/19 11:39 AM, François Cami wrote: Please have a look at the latest logs from pki: /var/log/pki/pki-tomcat/ca/ The debug log file on ipa2 gives me an authentication failed for connecting to ldap on ipa2: [16/Jul/2019:09:52:22][localhost-startStop-1]:

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-15 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 7/15/19 11:53 AM, Harald Dunkel wrote: Hi Flo, On 7/11/19 7:58 PM, Florence Blanc-Renaud via FreeIPA-users wrote: I hate to bring bad news, but it really looks like replication failed between your instances. Feel free to start a new thread on the users mailing list if you need

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-15 Thread Harald Dunkel via FreeIPA-users
Hi folks, On 7/15/19 2:41 PM, Harald Dunkel via FreeIPA-users wrote: Good news (sort of): ipa does *not* appear to be out of sync. Some new user accounts added recently can be found in ldap on all ipa servers. It just failed to distribute the new certificate. Every suggestion about how

[Freeipa-users] how to enable NFS Kerberos authentication?

2019-08-28 Thread Harald Dunkel via FreeIPA-users
Hi folks, Maybe I am confused, but apparently I do not have to activate/modify host-based access control in Freeipa to support Kerberos for NFS. hbac is not mentioned on

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-23 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/22/19 5:34 PM, Rob Crittenden via FreeIPA-users wrote: It is expected. dogtag uses cert auth to bind to LDAP. That fails with the expired certs. This is why the IPA tree is used to distribute the updated certificates. rob Good news: Apparently the new certificate did make it

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-23 Thread Harald Dunkel via FreeIPA-users
PS: Attached is slapd's errors file as well. Please note the Kerberos errors: : [23/Jul/2019:11:42:23.714599643 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa0.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-18 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/17/19 9:27 PM, Rob Crittenden via FreeIPA-users wrote: The renewal certificates are passed via the main IPA backend. Check to see if that replication is working. It is not: [root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de Directory Manager password: ipa1.example.de

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-18 Thread Harald Dunkel via FreeIPA-users
PS: Below you can find an excerpt from the slapd errors file on ipa1 (the renewal master). Regards Harri [15/Jul/2019:11:31:53.160959903 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) [15/Jul/2019:11:36:53.653395671 +0200] - ERR -

[Freeipa-users] Re: freeipa-server failied to install - Debian9

2019-07-19 Thread Harald Dunkel via FreeIPA-users
Hi Timo, On 7/19/19 8:51 AM, Timo Aaltonen via FreeIPA-users wrote: Hi, Sorry, only Debian unstable is somewhat supported right now, though the freeipa part is still lacking because of ipa-server-upgrade crashes I'm seeing which is blocking the upload of current version being staged. I'll

[Freeipa-users] Re: freeipa-server failied to install - Debian9

2019-07-19 Thread Harald Dunkel via FreeIPA-users
Please ignore, I got confused with another thread. Harri On 7/19/19 10:22 AM, Harald Dunkel wrote: Hi Timo, On 7/19/19 8:51 AM, Timo Aaltonen via FreeIPA-users wrote: Hi, Sorry, only Debian unstable is somewhat supported right now, though the freeipa part is still lacking because of

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-19 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/18/19 3:06 PM, Rob Crittenden wrote: Look in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com to see if the updated certificates are there. If they are then try to manually resubmit the certmonger tracking for it. For example, for the subsystem cert you'd do something like: #

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-19 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/19/19 3:45 PM, Rob Crittenden wrote: Harald Dunkel via FreeIPA-users wrote: AFAICS the new certificates are in ldap on the non-renewal masters (e.g. ipa0). Here is the output of the suggested getcert session on ipa0: [root@ipa0 ~]# date Fri Jul 19 11:21:00 CEST 2019 [root@ipa0

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-17 Thread Harald Dunkel via FreeIPA-users
Hi Flo, FYI: ipa2 is essential in our environment, so I reinstalled the replica (without ca). There are still 2 other hosts ipa0 and ipabak with the same problem. On 7/17/19 2:50 PM, Florence Blanc-Renaud wrote: Hi, the renewal behaves differently on the renewal master and on other nodes. On

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-23 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 7/23/19 12:27 PM, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, The subsystemCert cert-pki-ca is also stored in LDAP, in 2 places: - in the entry uid=pkidbuser,ou=people,o=ipaca (in the userCertificate attribute, which can be multivalued and contain the old certs along with

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-23 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 7/23/19 2:49 PM, Florence Blanc-Renaud wrote: On 7/23/19 12:27 PM, Harald Dunkel via FreeIPA-users wrote: PS: Attached is slapd's errors file as well. Please note the Kerberos errors: : [23/Jul/2019:11:42:23.714599643 +0200] - ERR - set_krb5_creds - Could not get initial

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-24 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/23/19 4:01 PM, Rob Crittenden wrote: It's a red herring. There is a chicken and egg problem here. The KDC uses LDAP as its backend and 389-ds needs a ticket. 389-ds starts first, can't get a ticket and then eventually recovers once the KDC is running. rob You mean pki-tomcatd

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-24 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/23/19 5:16 PM, Rob Crittenden wrote: I keep saying to ignore this. It doesn't work because the CA isn't running because the certs aren't updated. When certmonger pulls the cert out of the IPA tree it will update the NSS database and whatever other configuration needs to be

[Freeipa-users] Re: setting up a new CA replica in LXC failed

2019-07-24 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/17/19 1:55 PM, Rob Crittenden via FreeIPA-users wrote: Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+ according to git tag. I applied the patch I found in the dogtag ticket to /usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-17 Thread Harald Dunkel via FreeIPA-users
On 7/16/19 2:39 PM, Harald Dunkel via FreeIPA-users wrote: ldapsearch -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate does not show the new certificate yet. I thought that the post-save command for this certificate is supposed to add it to ldap as well. Should I have used

[Freeipa-users] setting up a new CA replica in LXC failed

2019-07-17 Thread Harald Dunkel via FreeIPA-users
Hi folks, installing a new ca replica in an LXC container failed with [root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca /var/lib/ipa/replica-info-ipa5.example.de.gpg Directory Manager (existing master) password: Run connection check to master ad...@example.de password: Connection check

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-16 Thread Harald Dunkel via FreeIPA-users
On 7/15/19 9:51 PM, Rob Crittenden wrote: Please check the status again. POST_SAVED_CERT is the status where the post command is being executed. It should be in MONITORING now. Yes, it does. I had to resubmit a few other certificates, and now the ca-error is gone on all ipa servers, too.

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-26 Thread Harald Dunkel via FreeIPA-users
Just for the record: The reason was an updated external root certificate, that I had imported with bad trust attributes about 2 years ago. My bad. After fixing the trust attributes freeipa is running again, probably better than before. There is just a minor issue with a duplicate csreplica

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-22 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/19/19 7:25 PM, Rob Crittenden wrote: The log doesn't seem to say which cert isn't found. You could try again and see what is being logged to find out what cert can't be found, and potentially why. This might be interesting. An ipactl restart gave me this in /var/log/messages:

[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-10 Thread Harald Dunkel via FreeIPA-users
Hi folks, Setup: ipa-server 4.6.4-7 on CentOS 7 Problem: ipa host-del gives me [root@ipa1 ~]# ipa host-del ppcl027.example.com ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404) Google pointed me to https://access.redhat.com/solutions/3624671, but

[Freeipa-users] shouldn't freeipa work by default?

2020-01-30 Thread Harald Dunkel via FreeIPA-users
Hi folks, *ipa help topics* gives me # ipa help topics ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8". # env | egrep LANG\|LC # echo $? 1 Shouldn't the command line interface work by default? Why not

[Freeipa-users] Re: shouldn't freeipa work by default?

2020-02-04 Thread Harald Dunkel via FreeIPA-users
On 2020-01-31 10:02, François Cami wrote: We'd rather fail early and print that warning which lets the admin fix the issue. You can see the rationale in the upstream ticket: https://pagure.io/freeipa/issue/5887 As an admin I won't touch user settings, esp. not the locale variables. All I can

[Freeipa-users] CentOS 7 --> 8 migration for FreeIPA with external CA?

2020-09-04 Thread Harald Dunkel via FreeIPA-users
Hi folks, I have found several migration guidelines from Centos 7 to 8. AFAIU the procedure is to setup a new CentOS 8 FreeIPA server, and then to migrate the "master" from the old to the new host. See [1], for example. Having burned myself with the CA stuff in FreeIPA before, I wonder if there

[Freeipa-users] when will my ca certificate expire?

2020-11-17 Thread Harald Dunkel via FreeIPA-users
Hi folks, how can I list the expiration dates of the ca certificate chain, before it is too late? External ca. Regards Harri ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to

[Freeipa-users] Re: freeIPA Status Debian/Ubuntu

2021-09-06 Thread Harald Dunkel via FreeIPA-users
On 9/5/21 22:24, Nico Maas via FreeIPA-users wrote: Looks like you're right: https://packages.debian.org/search?keywords=freeipa Is there any client planned for Bullseye? AFAICT: No. Freeipa is in sid (aka "Unstable"). The current version 4.8.10-2 is easy to backport to Debian 11 and to

[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Harald Dunkel via FreeIPA-users
On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote: Major version upgrades via adding a new machine is the recommended and documented route. It includes retiring existing, older servers, so have a plan for that. How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex)

[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-17 Thread Harald Dunkel via FreeIPA-users
Hi Alex, On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote: The same as with not doing backports to older OSes, FreeIPA depends on a *particular set* of integrated services and libraries, not just any. We choose to avoid some of the tough-to-solve upgrade issues by doing upgrade by

[Freeipa-users] road-warrior laptop vs password change in FreeIPA

2022-07-16 Thread Harald Dunkel via FreeIPA-users
Hi folks, I've got a few colleagues running Debian 10 or 11 on a laptop. Their account is managed by FreeIPA in the office. On first-time login their laptop is wired to the office LAN. When they are in home office they have a VPN connection (IPsec, wireguard or openvpn) to the office, but since

[Freeipa-users] Re: road-warrior laptop vs password change in FreeIPA

2022-07-17 Thread Harald Dunkel via FreeIPA-users
As written before, wifi and VPN connections are established *after* the user has logged in using information stored in the cache. I can't help it. Esp. I cannot support a VPN connection at boot time in a wifi network I have no information about. I understand that caching the user information is

[Freeipa-users] Re: road-warrior laptop vs password change in FreeIPA

2022-08-04 Thread Harald Dunkel via FreeIPA-users
On 2022-07-16 16:03:15, Sam Morris via FreeIPA-users wrote: The user experience for this is not ideal (it's something my organization suffers from as well). My two ideas for how to improve it are: * A VPN that connects on boot, using the host's identity instead of the user (ideally

[Freeipa-users] Re: struggling with RID base on migration from CentOS 7 to 8

2023-07-03 Thread Harald Dunkel via FreeIPA-users
Hi Sumit, On 2023-07-03 09:57:53, Sumit Bose via FreeIPA-users wrote: A proper backup is always recommended when doing such kind of operations. Adding the RID bases with ldapmodify should for a start have no additional effects. Only when you start to add new users the sidgen plugin might now

[Freeipa-users] Active Directory domain range with bad ID range

2023-07-03 Thread Harald Dunkel via FreeIPA-users
Hi folks, I have found an Active Directory domain range in my FreeIPA setup using -1 as the first Posix ID: Range name: EXAMPLE.COM_subid_range First Posix ID of the range: 2147483648 Number of IDs in the range: 2147352576 First RID of the corresponding RID range: 2147283648 Domain

[Freeipa-users] ipa-csreplica-manage -v list: duplicate replica ID detected

2023-07-08 Thread Harald Dunkel via FreeIPA-users
Hi folks, I have almost completed the FreeIPA migration from CentOS7 to Rocky8 (FreeIPA 4.9.11). Domain replication seems to be fine, but I get a replication error for ca: [root@ipa2 ~]# ipa-csreplica-manage -v list ipaca8.example.com Directory Manager password: ipa2.example.com last init

[Freeipa-users] ipa-replica-manage dnanextrange-del ?

2023-07-12 Thread Harald Dunkel via FreeIPA-users
Hi folks, being tired I have set a dnanextrange on 2 servers, instead of a dnarange. Very painful. Now our favorite ID range is blocked. Is there some kind of ipa-replica-manage dnanextrange-del to drop a dnanextrange and to return it to the available pool of IDs? Every helpful

[Freeipa-users] bad list of CAs on FreeIPA client?

2023-07-17 Thread Harald Dunkel via FreeIPA-users
Hi folks, getcert list-cas returns on some FreeIPA clients root@nasl006a:~# getcert list-cas CA 'SelfSign': is-default: no ca-type: INTERNAL:SELF next-serial-number: 01 CA 'IPA': is-default: no

[Freeipa-users] Re: ipa-csreplica-manage -v list: duplicate replica ID detected

2023-07-11 Thread Harald Dunkel via FreeIPA-users
Hi Rob, I highly appreciate your reply. Apparently the problem for cs went away on its own. "ipa-csreplica-manage -v list" doesn't show "duplicate replica ID detected" anymore. But I do have a replication problem for domain. list-ruv shows on ipa0 and ipa1 (sorted) Replica Update Vectors:
