[Freeipa-users] Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start. I see this (repeated many times) in the journal: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at

[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
On 06/20/2017 10:38 PM, Rob Crittenden wrote: Are these three the only expired certs? For now ... What version of IPA? ipa-server-4.4.0-14.el7.centos.7.x86_64 Did you restart IPA after going back in time? If not, try that, then restart certmonger and it should renew the certs.

[Freeipa-users] certmonger CA settings

2017-06-20 Thread Ian Pilcher via FreeIPA-users
As part of my debugging efforts (see "Expired certificates" thread), I modified the settings for the dogtag-ipa-renew-agent and dogtag-ipa-ca-renew-agent CAs. Unfortunately, I forgot to make a note of the original settings. Are these correct for IPA 4.4 (on CentOS 7)? CA 'SelfSign':

[Freeipa-users] [SOLVED?] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
On 06/20/2017 11:38 PM, Ian Pilcher wrote: If I don't specify the SSL_DIR, the curl command works, so it definitely seems to be an issue with the NSS database in /etc/httpd/alias. I don't see anything obviously wrong with the trust flags, though: # certutil -d /etc/httpd/alias -L

[Freeipa-users] Re: [SOLVED?] Re: Expired certificates

2017-06-21 Thread Ian Pilcher via FreeIPA-users
On 06/21/2017 08:54 AM, Rob Crittenden wrote: Ian Pilcher via FreeIPA-users wrote: On 06/20/2017 11:38 PM, Ian Pilcher wrote: # certutil -d /etc/httpd/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Ian Pilcher via FreeIPA-users
On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: I am not saying “instead of”. We are using standard authentication provided by FreeIPA, but I want to protect Web UI interface from unwanted attention as it is,

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-31 Thread Ian Pilcher via FreeIPA-users
On 05/30/2017 06:29 PM, Fraser Tweedale wrote: What you are missing: the client tools do not support certificate authentication (yet). Well yes, but it's not clear that the OP needs/wants to support the client tools via the Internet. My impression was that they only needed to support the web

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users
On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote: Ideally you should generate the keys and create a CSR on the device. Then use IPA to issue certificates for the user. Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users
On 01/30/2018 09:53 AM, Rob Crittenden wrote: Ian Pilcher via FreeIPA-users wrote: Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out how to get FreeIPA to generate a certificate from a CSR. If there's documentation somewhere

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users
On 01/30/2018 02:27 PM, Rob Crittenden wrote: Not sure what you mean by arbitrary. You can definitely generate a CSR using your favorite tool and pass that to ipa cert-request. By arbitrary I meant a CSR/certificate that doesn't correspond to a host (or user) that is managed by the FreeIPA

[Freeipa-users] Re: Correct ownership for /etc/httpd/alias/ipasession.key

2018-01-02 Thread Ian Pilcher via FreeIPA-users
Better to be lucky than good. ;-) Thanks! On Jan 2, 2018 22:20, "Hans Spaans via FreeIPA-users" < freeipa-users@lists.fedorahosted.org> wrote: > Ian Pilcher via FreeIPA-users schreef op 2018-01-03 04:03: > >> Can someone check the correct ownership and permis

[Freeipa-users] Remove ntpd from IPA managed services

2018-11-01 Thread Ian Pilcher via FreeIPA-users
I am having trouble with ntpd on my IPA server. For whatever reason, chrony seems to work when I manually stop ntpd. I would like to remove ntpd as an IPA-managed service. I found an old thread on this list that says I need to remove:

[Freeipa-users] Re: Remove ntpd from IPA managed services

2018-11-02 Thread Ian Pilcher via FreeIPA-users
On 11/1/18 3:48 PM, Rob Crittenden wrote: It is correct. $ kinit admin $ ldapdelete -Y GSSAPI cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com For posterity's sake: $ kinit admin $ # There's almost certainly a better way to do this, but ... $ ldapsearch -Y GSSAPI | grep

[Freeipa-users] FreeIPA server has no UID range

2019-01-28 Thread Ian Pilcher via FreeIPA-users
Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS 7 via replication. I've just tried to create a new user for the first time since, and I hit: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment

[Freeipa-users] [SOLVED] FreeIPA server has no UID range

2019-01-28 Thread Ian Pilcher via FreeIPA-users
On 1/28/19 11:02 AM, Ian Pilcher wrote: Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS 7 via replication.  I've just tried to create a new user for the first time since, and I hit:   Operations error: Allocation of a new value for range cn=posix   ids,cn=distributed

[Freeipa-users] Re: LDAP account for service

2019-01-29 Thread Ian Pilcher via FreeIPA-users
On 1/29/19 12:23 PM, Rob Crittenden wrote: So what I think you'll have to do is create a separate LDAP system account, details are in the LDAP howto on freeipa.org. I stumbled across that sometime in the bleary hours of this morning. Good to know that I was barking up the right tree. And

[Freeipa-users] certmonger with certs/keys not owned by root

2019-01-29 Thread Ian Pilcher via FreeIPA-users
I am setting up FreeRADIUS on my "network server" at home, which also runs FreeIPA. Naturally, I would like to use certmonger to issue, track, and renew the certificate(s) used by FreeRADIUS. Unfortunately, ipa-getcert only works when run as root, and it writes the certificate and key files as

[Freeipa-users] LDAP account for service

2019-01-28 Thread Ian Pilcher via FreeIPA-users
Continuing my adventures with FreeRADIUS ... It seems that there's no escaping the need to create a dedicated LDAP user for FreeRADIUS, so that it can see group membership information. I've already created a FreeIPA service - radius/ipa.example@example.com - so that I could issue a

[Freeipa-users] Re: [systemd-devel] systemctl condreload - Is it a thing?

2019-01-30 Thread Ian Pilcher via FreeIPA-users
On 1/30/19 10:11 AM, Andy Pieters wrote: man page on Centos try-restart PATTERN... Restart one or more units specified on the command line if the units are running. This does nothing if units are not running. Note that, for compatibility with Red Hat init scripts,

[Freeipa-users] Re: [systemd-devel] systemctl condreload - Is it a thing?

2019-01-30 Thread Ian Pilcher via FreeIPA-users
On 1/30/19 10:16 AM, Ian Pilcher wrote: Yes, but I'm asking about condreload (not condrestart). Wrong mailing list. Sorry! -- Ian Pilcher arequip...@gmail.com "I grew up

[Freeipa-users] Directory manager password best practices

2019-04-16 Thread Ian Pilcher via FreeIPA-users
I am setting up a new IPA instance to provide DNS and CA services in a team lab. I have to decide what to use for the Directory Manager password — our standard, not very secure root password or something else, which no one will ever remember. Any thoughts? Is it still a major project to change

[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users
On 4/17/19 9:45 AM, Rob Crittenden wrote: https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password That page says: The following procedure is only applicable to FreeIPA 3.2.1 or older. Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a part of preparing a

[Freeipa-users] SOLVED: Add SAN to cert (without adding it to the CSR)

2019-05-22 Thread Ian Pilcher via FreeIPA-users
On 5/22/19 11:44 AM, Ian Pilcher wrote: I am trying to create a certificate for an older network printer. Unfortunately, I cannot just load a certificate and private key of my own creation.  The printer only supports certificates created from a CSR of its own creation, which does not include

[Freeipa-users] Add SAN to cert (without adding it to the CSR)

2019-05-22 Thread Ian Pilcher via FreeIPA-users
I am trying to create a certificate for an older network printer. Unfortunately, I cannot just load a certificate and private key of my own creation. The printer only supports certificates created from a CSR of its own creation, which does not include the SAN. Is it possible to make IPA copy

[Freeipa-users] Re: Scripting host certificate creation

2019-04-18 Thread Ian Pilcher via FreeIPA-users
On 4/18/19 3:42 PM, Rob Crittenden wrote: The cert should be added to the entry automatically by ipa cert-request. Aha! Looks like it actually was added. It just doesn't show up in the web UI immediately. (I'm not sure if it takes a certain amount of time or a log out/log in, but it's there

[Freeipa-users] Scripting host certificate creation

2019-04-18 Thread Ian Pilcher via FreeIPA-users
I am trying to script the creation of a bunch of host certificates. Unlike the web UI, the CLI seems to require two separate steps to do this. (Please correct me if I'm wrong about this.) After I generate a key and CSR, I create a certificate with 'ipa cert-request'. I am using

[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users
On 4/16/19 10:14 PM, Rob Crittenden wrote: It isn't a huge deal to change the DM password but in practice you'd want to do it on all masters (not replicated) so while not the end of the world it can be at best annoying. We'll only have a single master, so that doesn't sound too bad. Though

[Freeipa-users] Current state of Windows client support

2019-11-21 Thread Ian Pilcher via FreeIPA-users
I've long believed that it wasn't possible to use FreeIPA for identity management with Windows clients (unless one was willing to pay for an Active Directory server and establish a cross-domain trust). I recently stumbled on this post, which indicates that it is possible:

[Freeipa-users] Reissue IPA LDAP cert with SAN

2020-02-19 Thread Ian Pilcher via FreeIPA-users
I am trying to get OpenShift to use my FreeIPA installation (ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider. OpenShift is refusing to talk to the LDAP server, because its certificate doesn't contain a subjectAltName. So I need to re-request/re-issue the certificate with the

[Freeipa-users] Re: How to get certificate containing full chain

2020-05-14 Thread Ian Pilcher via FreeIPA-users
On 5/8/20 4:00 PM, Leusmann, Philipp via FreeIPA-users wrote: Thanks for testing, here the same thing doesn’t work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7 post-save command is shown in the list of monitored certificates. Invoking manually works properly. Any further idea on

[Freeipa-users] Re: FreeIPA + Freeradius

2020-08-25 Thread Ian Pilcher via FreeIPA-users
On 8/24/20 11:40 AM, Alessandro Minonzio via FreeIPA-users wrote: I'm new to FreeIPA (v. 4.6.5) and I'm asking for help with a first configuration with FreeRadius on Centos 7. I need documentation or suggestions about this implementation. Could someone help me? I set this up a while ago, so I may

[Freeipa-users] Re: SSL/TLS Server Support for TLDv1.0 on port(s) other than 443

2020-10-01 Thread Ian Pilcher via FreeIPA-users
On 10/1/20 12:42 PM, Auerbach, Steven via FreeIPA-users wrote: What is the proper way to change the overall openssl configuration to set the ssl_min to TLSv1.2? https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html You can see your current settings with: ldapsearch -x -D

[Freeipa-users] Changing directory manager password

2021-05-18 Thread Ian Pilcher via FreeIPA-users
Maybe it's just me, but I still find the documentation on this subject confusing. (This is probably because the docs seem to be telling me that I don't need to do anything beyond the actual password change, and I don't trust answers that seem too easy.) I'm running a single-node IPA 4.6.8 on RHEL

[Freeipa-users] Re: Error issuing cert with IP address in SAN

2021-05-12 Thread Ian Pilcher via FreeIPA-users
On 5/12/21 4:06 PM, Ian Pilcher wrote: I am getting an odd error when trying to issue a certificate with an IP address in its SAN.  I am using IPA 4.6.8 on RHEL 7.9, so it's a bit old, but it should work, AFAIK. This was a user error. I had the wrong object type for the IP address in the SAN

[Freeipa-users] Error issuing cert with IP address in SAN

2021-05-12 Thread Ian Pilcher via FreeIPA-users
I am getting an odd error when trying to issue a certificate with an IP address in its SAN. I am using IPA 4.6.8 on RHEL 7.9, so it's a bit old, but it should work, AFAIK. Here is the host for which I want to issue the certificate: $ ipa host-show node01-idrac.pemlab.rdu2.redhat.com Host

[Freeipa-users] Re: Changing directory manager password

2021-05-22 Thread Ian Pilcher via FreeIPA-users
On 5/20/21 7:52 AM, Rob Crittenden via FreeIPA-users wrote: Florence Renaud via FreeIPA-users wrote: Hi Ian, with IPA 4.6.8 you just need to follow the 389ds doc. The procedure was more complex in version < 3.2.2 because there were two 389ds instances (one for the regular suffix and one for the

[Freeipa-users] Re: Certificate profile to ignore (drop) email in SAN - possible?

2021-07-07 Thread Ian Pilcher via FreeIPA-users
On 7/6/21 12:29 PM, Rob Crittenden wrote: IPA doesn't allow a CSR that has a RFC822Name SAN for a non-user. This validation happens before the CSR is submitted to the CA. You'd have to modify code to drop this requirement. Bummer, but understandable. Thanks for clarifying! --

[Freeipa-users] Certificate profile to ignore (drop) email in SAN - possible?

2021-07-06 Thread Ian Pilcher via FreeIPA-users
I've hit a roadblock while trying to generate a certificate for a VMware vSphere appliance. The VMware "Certificate Management" tool doesn't allow one to upload a certificate and key. Instead, one has to generate a CSR in the VMware GUI which then gets submitted to the CA (IPA in this case).

[Freeipa-users] dogtag-ipa-renew-agent-submit thundering herd

2021-03-26 Thread Ian Pilcher via FreeIPA-users
SHORT VERSION: I run IPA (4.8) on a low powered CentOS 7 system, and the thundering herd of dogtag-ipa-renew-agent-submit processes that certmonger spawns at startup appears to be causing issues. I'm looking for some way to limit the number of concurrent requests that certmonger spawns at

[Freeipa-users] Trust external IPA?

2021-02-04 Thread Ian Pilcher via FreeIPA-users
At work, I manage a small lab that is used by my team (< 10 people). All lab users are currently managed in the lab FreeIPA, but we all use it extensively, so creating separate credentials for the lab isn't overly burdensome. We're now expanding the lab, and the number of users who may need

[Freeipa-users] IPA not starting at boot - how to enable?

2022-04-09 Thread Ian Pilcher via FreeIPA-users
I was overly casual with yum this morning, and almost removed all of the IPA-related RPMs from my server (CentOS 7). Fortunately, I was able to abort the transaction before too much damage was done. After (re)installing a couple RPMs, everything seems to be pretty much working. The exception

[Freeipa-users] Re: IPA not starting at boot - how to enable?

2022-04-09 Thread Ian Pilcher via FreeIPA-users
On 4/9/22 12:48, Ian Pilcher wrote: Looking into this, I realize that I'm not even sure of the exact mechanism that IPA (4.6.8 on CentOS 7) normally uses to start.  Looking at the various systemd units on my system (targets and services), I don't see anything that looks like an overall IPA unit,

[Freeipa-users] Re: Web UI thinks PEM-encoded CSR is Base64

2023-10-27 Thread Ian Pilcher via FreeIPA-users
On 10/27/23 10:05, Ian Pilcher wrote: I am attempting to generate a host certificate, but the FreeIPA web interface will not accept the PEM-encoded CSR.  I am receiving the following error:   IPA Error 4015: Base64DecodeError   Base64 decoding failed: Incorrect padding The CSR is in PEM

[Freeipa-users] Web UI thinks PEM-encoded CSR is Base64

2023-10-27 Thread Ian Pilcher via FreeIPA-users
I am attempting to generate a host certificate, but the FreeIPA web interface will not accept the PEM-encoded CSR. I am receiving the following error: IPA Error 4015: Base64DecodeError Base64 decoding failed: Incorrect padding The CSR is in PEM format, rather than Base64: -BEGIN

[Freeipa-users] Force early renewal of server certificate

2022-06-18 Thread Ian Pilcher via FreeIPA-users
It seems that Firefox has now started warning about certificates that don't include a subject alternative name. (Honestly, I had no idea that it wasn't already doing so; Chrome has been doing this for years.) My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS interface, so

[Freeipa-users] Re: Where is root CA private key stored?

2023-07-02 Thread Ian Pilcher via FreeIPA-users
On 6/30/23 12:38, Rob Crittenden wrote: The CA is stored in the NSS database /etc/pki/pki-tomcat/alias. You can use pk12util to extract it into a PKCS#12, then extract that and you'll have the CA. This would keep the CA trust the same but with a fresh install you'd need new keytabs for any

[Freeipa-users] Do you want to search for missing reverse zones?

2023-07-21 Thread Ian Pilcher via FreeIPA-users
I am attempting to automate a FreeIPA installation (for troubleshooting purposes), and I cannot figure out how to get rid of this question. I have tried adding '--no-reverse' to the ipa-server-install command, but I am still getting the prompt. What option do I need to use? Thanks! --

[Freeipa-users] Re: Do you want to search for missing reverse zones?

2023-07-21 Thread Ian Pilcher via FreeIPA-users
On 7/21/23 11:33, Ian Pilcher wrote: I am attempting to automate a FreeIPA installation (for troubleshooting purposes), and I cannot figure out how to get rid of this question.  I have tried adding '--no-reverse' to the ipa-server-install command, but I am still getting the prompt. What option

[Freeipa-users] FreeIPA on Fedora and dnf system-upgrade

2023-06-29 Thread Ian Pilcher via FreeIPA-users
I am currently running FreeIPA on CentOS 7, and I am considering moving it to Fedora. On RHEL and derivatives, in-place upgrades are not supported. It is necessary to provision a new server, running the new OS version, add it as a FreeIPA replica, and then decommission the old system. How does

[Freeipa-users] Where is root CA private key stored?

2023-06-30 Thread Ian Pilcher via FreeIPA-users
(Hopefully Thunderbird will only send one copy of this. Sorry about the previous duplicate.) I run a single FreeIPA server (on CentOS 7) in my home network, and I'm thinking of migrating it to Fedora. AFAICT, doing this as an actual upgrade will require multiple cycles of creating a newer