[Freeipa-users] Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users

After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.

I see this (repeated many times) in the journal:

WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
    at java.lang.Thread.run(Thread.java:748)

getcert list shows a number of expired certificates (which is EXTREMELY
frustrating, as I thought that certmonger, which is running, was
supposed to take care of these renewals):


Request ID '20170306100908':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=CA Audit,O=PENURIO.US
    expires: 2017-06-19 16:27:30 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170306100911':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=OCSP Subsystem,O=PENURIO.US
    expires: 2017-06-19 16:26:30 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170306100914':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=CA Subsystem,O=PENURIO.US
    expires: 2017-06-19 16:26:30 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes

Is there a published procedure to fix this?  (I did find a procedure for
RHEL/CentOS 6 and IPA 3, on the Red Hat site, but I am using CentOS 7
with IPA 4.4.)

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
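A check a practitioner would want after reading this message, as an added example (not code from the thread or from FreeIPA): parse `getcert list` output and flag tracking requests that are already expired, close to expiry, carry a ca-error, or sit in any state other than MONITORING. The sample output embedded below is constructed from the first request above plus a made-up healthy Server-Cert request for contrast; the `getcert list` call under `__main__` assumes certmonger is installed on the host.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the audit-signing request from the thread, plus an invented
# healthy httpd Server-Cert request so the checker has one of each kind to look at.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170306100908':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=CA Audit,O=PENURIO.US
    expires: 2017-06-19 16:27:30 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170306100920':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=asterisk.penurio.us,O=PENURIO.US
    expires: 2019-02-17 23:37:03 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # header line, or text before the first request
        key, _, value = raw.strip().partition(":")  # split on the FIRST colon only
        current[key.strip()] = value.strip()
    return requests


def nickname(req):
    """NSS nickname of the tracked certificate, e.g. 'auditSigningCert cert-pki-ca'."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else None


def parse_expiry(value):
    """getcert prints expiry as '2017-06-19 16:27:30 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def utc_date(ymd):
    """Helper for tests and cron jobs: 'YYYY-MM-DD' -> aware UTC datetime at midnight."""
    return datetime.strptime(ymd, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def find_problems(requests, now, warn_days=30):
    """Map request_id -> list of reasons for every request that needs attention."""
    problems = {}
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append(f"status {req.get('status')}")
        if "ca-error" in req:
            reasons.append("ca-error: " + req["ca-error"])
        if "expires" in req:
            exp = parse_expiry(req["expires"])
            if exp <= now:
                reasons.append("expired " + req["expires"])
            elif exp - now <= timedelta(days=warn_days):
                reasons.append(f"expires within {warn_days} days")
        if req.get("auto-renew") != "yes":
            reasons.append("auto-renew disabled")
        if reasons:
            problems[req["request_id"]] = reasons
    return problems


if __name__ == "__main__":
    # Assumes certmonger is installed; run as root so every tracked request is visible.
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    found = find_problems(parse_getcert_list(out), datetime.now(timezone.utc))
    for rid, reasons in found.items():
        print(rid, "; ".join(reasons))
    sys.exit(1 if found else 0)
```

Run it from cron or a monitoring agent; a non-zero exit means something needs attention well before pki-tomcatd refuses to start. Status alone is not a sufficient signal: the requests above still report `stuck: no` and `auto-renew: yes` after their certificates have expired, so the expiry date has to be checked independently of certmonger's own state.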


[Freeipa-users] Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users

I have tried setting the clock back 48 hours, but certmonger is still
unable to renew the certificates -- still with the same error.

I have checked the certificates returned when connecting to
asterisk.penurio.us:8443, and they look correct.  The CA certificate
doesn't expire until 2033, and the server certificate (whose CN is
asterisk.penurio.us) expires in 2019.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users

On 06/20/2017 10:38 PM, Rob Crittenden wrote:

Are these three the only expired certs?


For now ...


What version of IPA?


ipa-server-4.4.0-14.el7.centos.7.x86_64


Did you restart IPA after going back in time? If not, try that, then
restart certmonger and it should renew the certs.


Definitely tried that, several times.


Given certmonger didn't fire in the very recent past can you check the
syslog for any certmonger-related messages? I assume it renewed some,
but not all of the certs?


I did finally manage to get a more useful error message by following
the debugging hints here:

https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/

I get this in /var/log/ipa/renew.log:

 *   Trying 172.31.255.1...
 * Connected to asterisk.penurio.us (172.31.255.1) port 8443 (#0)
 * Initializing NSS with certpath: sql:/etc/httpd/alias
 *   CAfile: /etc/ipa/ca.crt
   CApath: none
 * Server certificate:
 *   subject: CN=asterisk.penurio.us,O=PENURIO.US
 *   start date: Feb 27 23:37:03 2017 GMT
 *   expire date: Feb 17 23:37:03 2019 GMT
 *   common name: asterisk.penurio.us
 *   issuer: CN=Certificate Authority,O=PENURIO.US
 * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
 * Peer's certificate issuer has been marked as not trusted by the user.
 * Closing connection 0

And, sure enough, I am able to reproduce the behavior with curl:

 # SSL_DIR=/etc/httpd/alias curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://asterisk.penurio.us:8443/ca/agent/ca/profileReview
 * About to connect() to asterisk.penurio.us port 8443 (#0)
 *   Trying 172.31.255.1...
 * Connected to asterisk.penurio.us (172.31.255.1) port 8443 (#0)
 * Initializing NSS with certpath: sql:/etc/httpd/alias
 *   CAfile: /etc/ipa/ca.crt
   CApath: none
 * Server certificate:
 *   subject: CN=asterisk.penurio.us,O=PENURIO.US
 *   start date: Feb 27 23:37:03 2017 GMT
 *   expire date: Feb 17 23:37:03 2019 GMT
 *   common name: asterisk.penurio.us
 *   issuer: CN=Certificate Authority,O=PENURIO.US
 * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
 * Peer's certificate issuer has been marked as not trusted by the user.
 * Closing connection 0
 curl: (60) Peer's certificate issuer has been marked as not trusted by the user.


If I don't specify the SSL_DIR, the curl command works, so it
definitely seems to be an issue with the NSS database in
/etc/httpd/alias.  I don't see anything obviously wrong with the trust
flags, though:

 # certutil -d /etc/httpd/alias -L

 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

 Server-Cert                                                  u,u,u
 ipaCert                                                      u,u,u
 PENURIO.US IPA CA                                            CT,C,C
 Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
 www.penurio.us                                               u,u,u


--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] certmonger CA settings

2017-06-20 Thread Ian Pilcher via FreeIPA-users

As part of my debugging efforts (see "Expired certificates" thread), I
modified the settings for the dogtag-ipa-renew-agent and
dogtag-ipa-ca-renew-agent CAs.  Unfortunately, I forgot to make a note
of the original settings.

Are these correct for IPA 4.4 (on CentOS 7)?

 CA 'SelfSign':
     is-default: no
     ca-type: INTERNAL:SELF
     next-serial-number: 01
 CA 'IPA':
     is-default: no
     ca-type: EXTERNAL
     helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
 CA 'certmaster':
     is-default: no
     ca-type: EXTERNAL
     helper-location: /usr/libexec/certmonger/certmaster-submit
 CA 'dogtag-ipa-renew-agent':
     is-default: no
     ca-type: EXTERNAL
     helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
 CA 'local':
     is-default: no
     ca-type: EXTERNAL
     helper-location: /usr/libexec/certmonger/local-submit
 CA 'dogtag-ipa-ca-renew-agent':
     is-default: no
     ca-type: EXTERNAL
     helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit



--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] [SOLVED?] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users

On 06/20/2017 11:38 PM, Ian Pilcher wrote:

If I don't specify the SSL_DIR, the curl command works, so it
definitely seems to be an issue with the NSS database in
/etc/httpd/alias.  I don't see anything obviously wrong with the trust
flags, though:

  # certutil -d /etc/httpd/alias -L

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  Server-Cert                                                  u,u,u
  ipaCert                                                      u,u,u
  PENURIO.US IPA CA                                            CT,C,C
  Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
  www.penurio.us                                               u,u,u



Trial and error for the win!

It seems as if the NSS database in /etc/httpd/alias had become subtly
corrupted, so that the trust flags shown by certutil for the CA
certificate were not accurate.

After clearing (-t ',,') and resetting (-t 'C,C,C') the trust flags,
curl works, and certmonger has renewed my expired certificates.

That was not fun.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: [SOLVED?] Re: Expired certificates

2017-06-21 Thread Ian Pilcher via FreeIPA-users

On 06/21/2017 08:54 AM, Rob Crittenden wrote:

Ian Pilcher via FreeIPA-users wrote:

On 06/20/2017 11:38 PM, Ian Pilcher wrote:


   # certutil -d /etc/httpd/alias -L

   Certificate Nickname                                         Trust Attributes
                                                                SSL,S/MIME,JAR/XPI

   Server-Cert                                                  u,u,u
   ipaCert                                                      u,u,u
   PENURIO.US IPA CA                                            CT,C,C
   Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
   www.penurio.us                                               u,u,u


Well, I'm glad it's working, but I'm confused by your setup. Are you
still using the Apache Server-Cert or are you using the Let's Encrypt
cert? If the latter then you should disable tracking on Server-Cert. Off
the top of my head I can't think of any issues it might cause but it is
very possible some IPA renewal script dropped the trust on the Let's
Encrypt CA since it isn't in the chain of the Server-Cert (or ipaCert).


The Let's Encrypt intermediate CA certificate and the www.penurio.us
certificate (issued by Let's Encrypt) are used only for an Internet-
facing reverse proxy virtual host.  They are not used for anything IPA-
related.

The issue seems to have been the trust flags on the PENURIO.US IPA CA
certificate.  For whatever reason, it wasn't being trusted even though
certutil was showing it as CT,C,C.

I "reset" the trust flags by running:

  certutil -d /etc/httpd/alias -M -n 'PENURIO.US IPA CA' -t ',,'
  certutil -d /etc/httpd/alias -M -n 'PENURIO.US IPA CA' -t 'C,C,C'

And things started working.

I did find it interesting that the trust flags still showed as T,,
after I ran the first command, and it's showing as CT,C,C now.  It
appears that certutil is either not affecting the T flag, or it is not
displaying the trusts accurately.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

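Two checks that follow from this exchange, as an added example (not the thread's commands or FreeIPA's own code): parse `certutil -L` output so that nicknames containing spaces, such as the Let's Encrypt intermediate above, are handled correctly and confirm the IPA CA carries the C flag in the SSL column; and, because the flags in this thread looked right while trust still failed, ask NSS itself with `certutil -V`. The sample listing is the one from the thread; the database path and nicknames under `__main__` are assumptions; the reset commands are only built and printed, never executed by this script.

```python
import re
import subprocess

# NSS trust letters per column (SSL,S/MIME,JAR/XPI): p/P valid/trusted peer,
# c/C valid/trusted CA, T trusted CA for client auth, u has private key, w warn.
TRUST_RE = re.compile(r"^(?P<nick>.*\S)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")

# Constructed sample: the `certutil -d /etc/httpd/alias -L` listing from the thread.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PENURIO.US IPA CA                                            CT,C,C
Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
www.penurio.us                                               u,u,u
"""


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust strings. Nicknames may contain spaces,
    so the trust column is recognised by its shape rather than by splitting on whitespace."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def ca_trust_ok(certs, ca_nick):
    """True when CA_NICK is flagged as a trusted CA for SSL ('C' in the first column),
    which is what lets curl and the renewal helpers accept server certs it issued."""
    flags = certs.get(ca_nick)
    return flags is not None and "C" in flags[0]


def reset_trust_commands(dbdir, ca_nick, flags="CT,C,C"):
    """The two-step reset from the thread: clear the flags, then set them again so NSS
    rewrites the trust record. Returns argv lists; nothing is executed here."""
    base = ["certutil", "-d", dbdir, "-M", "-n", ca_nick, "-t"]
    return [base + [",,"], base + [flags]]


def verify_with_nss(dbdir, nick):
    """Ask NSS itself whether NICK validates for SSL-server use (certutil -V -u V).
    This is the check that exposes the thread's case: listed flags fine, chain rejected."""
    r = subprocess.run(["certutil", "-V", "-d", dbdir, "-n", nick, "-u", "V"],
                       capture_output=True, text=True)
    return r.returncode == 0, (r.stdout or r.stderr).strip()


if __name__ == "__main__":
    # Assumed names: the httpd NSS database and the nicknames used in the thread.
    dbdir, ca_nick, server_nick = "/etc/httpd/alias", "PENURIO.US IPA CA", "Server-Cert"
    listing = subprocess.run(["certutil", "-d", dbdir, "-L"],
                             capture_output=True, text=True, check=True).stdout
    certs = parse_certutil_list(listing)
    ok, msg = verify_with_nss(dbdir, server_nick)
    print(f"CA flags: {certs.get(ca_nick)}  server cert validates: {ok}  ({msg})")
    if not ca_trust_ok(certs, ca_nick) or not ok:
        for argv in reset_trust_commands(dbdir, ca_nick):
            print("would run:", " ".join(argv))
```

The clear-then-set sequence mirrors what was run in the thread; CT,C,C matches the flags the listing above shows for the IPA CA. After any reset, rerun `verify_with_nss` (or the curl command with `SSL_DIR` set) rather than trusting the listing, since the listing is exactly what was misleading here.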


[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Ian Pilcher via FreeIPA-users

On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote:

On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:

I am not saying “instead of”. We are using standard authentication provided by 
FreeIPA, but I want to protect Web UI interface from unwanted attention as it 
is, unfortunately, exposed to entire internet. I’d be much happier if Apache 
could reject (or redirect) any client which is not presenting required 
certificate even before any authentication attempt is started.
That is not to say that the whole server is exposed, but 443 port is.


Thanks for explaining.


Maybe I'm missing something in this thread, but couldn't the OP simply
put a reverse proxy in front of the Internet-exposed port?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-31 Thread Ian Pilcher via FreeIPA-users

On 05/30/2017 06:29 PM, Fraser Tweedale wrote:

What you are missing: the client tools do not support certificate
authentication (yet).


Well yes, but it's not clear that the OP needs/wants to support the
client tools via the Internet.  My impression was that they only needed
to support the web UI externally.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users

On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote:

Ideally you should generate the keys and create a CSR on the device.
Then use IPA to issue certificates for the user.


Jumping in to this thread ... I know how to generate a keypair and CSR,
but I've never been able to figure out how to get FreeIPA to generate a
certificate from a CSR.

If there's documentation somewhere that I've missed in my many searches,
I'd appreciate a pointer.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users

On 01/30/2018 09:53 AM, Rob Crittenden wrote:

Ian Pilcher via FreeIPA-users wrote:


Jumping in to this thread ... I know how to generate a keypair and CSR,
but I've never been able to figure out how to get FreeIPA to generate a
certificate from a CSR.

If there's documentation somewhere that I've missed in my many searches,
I'd appreciate a pointer.



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates



Thanks!

(Unfortunately, I had misinterpreted the earlier comments in this thread
to indicate that it was now possible to simply issue a certificate,
based on an arbitrary CSR.  It seems that still isn't the case.)

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-30 Thread Ian Pilcher via FreeIPA-users

On 01/30/2018 02:27 PM, Rob Crittenden wrote:

Not sure what you mean by arbitrary. You can definitely generate a CSR
using your favorite tool and pass that to ipa cert-request.


By arbitrary I meant a CSR/certificate that doesn't correspond to a host
(or user) that is managed by the FreeIPA server.  In my situation, I
would like to sign TLS certificates for several of my network switches,
wireless access points, etc., none of which can be enrolled as IPA
hosts.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Correct ownership for /etc/httpd/alias/ipasession.key

2018-01-02 Thread Ian Pilcher via FreeIPA-users
Better to be lucky than good. ;-)

Thanks!

On Jan 2, 2018 22:20, "Hans Spaans via FreeIPA-users" <
freeipa-users@lists.fedorahosted.org> wrote:

> Ian Pilcher via FreeIPA-users schreef op 2018-01-03 04:03:
>
>> Can someone check the correct ownership and permissions of
>> /etc/httpd/alias/ipasession.key?  I have a feeling I may have messed
>> mine up as I was copying the directory around.
>>
>> I currently have:
>>
>>   -rw-------. 1 root root 32 Sep 27 10:07 ipasession.key
>>
>> Thanks!
>>
>
> The overview of all the files in directory /etc/httpd/alias/
>
> -rw-r-----. 1 root apache 65536  3 jan 05:12 cert8.db
> -rw-r-----. 1 root apache 65536 26 nov 11:44 cert8.db.orig
> -rw-------. 1 root root    5522 26 nov 11:44 install.log
> -rw-------. 1 root root      32 26 nov 11:55 ipasession.key
> -rw-r-----. 1 root apache 16384  3 jan 05:12 key3.db
> -rw-r-----. 1 root apache 24576 26 nov 11:44 key3.db.orig
> lrwxrwxrwx. 1 root root      24 26 nov 11:44 libnssckbi.so -> /usr/lib64/libnssckbi.so
> -rw-------. 1 root apache    41 26 nov 11:55 pwdfile.txt
> -rw-r-----. 1 root apache 16384 26 nov 11:55 secmod.db
> -rw-r-----. 1 root apache 16384 26 nov 11:44 secmod.db.orig
>
> This is from a snapshot image from a fresh install/setup made last
> November.
>
> Hans


[Freeipa-users] Remove ntpd from IPA managed services

2018-11-01 Thread Ian Pilcher via FreeIPA-users

I am having trouble with ntpd on my IPA server.  For whatever reason,
chrony seems to work when I manually stop ntpd.

I would like to remove ntpd as an IPA-managed service.  I found an old
thread on this list that says I need to remove:

  cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

Assuming that this is correct, how do I do that?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Remove ntpd from IPA managed services

2018-11-02 Thread Ian Pilcher via FreeIPA-users

On 11/1/18 3:48 PM, Rob Crittenden wrote:

It is correct.

$ kinit admin
$ ldapdelete -Y GSSAPI cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com


For posterity's sake:

$ kinit admin

$ # There's almost certainly a better way to do this, but ...
$ ldapsearch -Y GSSAPI | grep NTP

$ # Use DN from previous command
$ ldapdelete -Y GSSAPI cn=NTP,cn=your.host.name,cn=masters,cn=ipa,cn=etc,dc=host,dc=name

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] FreeIPA server has no UID range

2019-01-28 Thread Ian Pilcher via FreeIPA-users

Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS
7 via replication.  I've just tried to create a new user for the first
time since, and I hit:

  Operations error: Allocation of a new value for range cn=posix
  ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
  failed! Unable to proceed.

I've found a few old mailing list messages that explain the reason that
this happened, so I know that I need to create a "dnarange", but I
haven't found anything that shows me exactly how to do that, or what the
range should be.  (Since I only have a single server, I would think that
the default would be fine.)

Any pointers would be appreciated.

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] [SOLVED] FreeIPA server has no UID range

2019-01-28 Thread Ian Pilcher via FreeIPA-users

On 1/28/19 11:02 AM, Ian Pilcher wrote:

Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS
7 via replication.  I've just tried to create a new user for the first
time since, and I hit:

   Operations error: Allocation of a new value for range cn=posix
   ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
   failed! Unable to proceed.

I've found a few old mailing list messages that explain the reason that
this happened, so I know that I need to create a "dnarange", but I
haven't found anything that shows me exactly how to do that, or what the
range should be.  (Since I only have a single server, I would think that
the default would be fine.)


This turned out to be straightforward, once I found this blog post:

  https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/

For posterity (for a single server setup):

[root@XXX conf.d]# ipa-replica-manage dnarange-show
XXX.YYY.ZZZ: No range set

[root@XXX conf.d]# ipa idrange-find
---
1 range matched
---
  Range name: YYY.ZZZ_id_range
  First Posix ID of the range: 178520
  Number of IDs in the range: 20
  Range type: local domain range

Number of entries returned 1


[root@XXX conf.d]# ipa-replica-manage dnarange-set XXX.YYY.ZZZ \
178520-$((178520+20-1))

[root@XXX conf.d]# ipa-replica-manage dnarange-show
XXX.YYY.ZZZ: 178520-178539

And I can now create a user.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: LDAP account for service

2019-01-29 Thread Ian Pilcher via FreeIPA-users

On 1/29/19 12:23 PM, Rob Crittenden wrote:

So what I think you'll have to do is create a separate LDAP system
account, details are in the LDAP howto on freeipa.org.


I stumbled across that sometime in the bleary hours of this morning.
Good to know that I was barking up the right tree.


And you'll need to do a bit of manual work to allow this system account
read access to the membership info. You can do this by using ldapmodify
to add memberof:  for the permission (or permissions) you
need to grant it.


For whatever reason, I didn't need to do anything special.  It "just
worked" once I created the account.

# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
-W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: t...@example.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: t...@example.com
krbPrincipalName: t...@example.com
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 178527
gidNumber: 178527

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

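What the RADIUS side does with a result like the one above, as an added example (not from the thread or from FreeIPA): a small LDIF reader that unfolds continuation lines and decodes `::` base64 values, followed by an authorization decision based on the memberOf attribute, so that only members of the wifi group are accepted and a missing or ambiguous uid is refused. The sample LDIF is the entry above with a base64 value and a folded line added to exercise those cases; the `radiusd` bind DN in the usage comment is the one from the thread.

```python
import base64
import sys

# Constructed sample: the entry returned above, plus a base64 ("::") value and a
# folded continuation line so the parser's handling of both is exercised.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
displayName:: VGVzdCBVc2Vy
description: issued for the home wireless
  network
uid: test
cn: Test User
uidNumber: 178527
gidNumber: 178527

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn.
    Handles comments, blank-line separators, folded lines and base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # folded line: one leading space is the fold marker
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if line == "":
            if "dn" in entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def rdn_value(dn):
    """First RDN value of a DN: 'cn=wifi,cn=groups,...' -> 'wifi'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def user_groups(entry):
    """Group names from memberOf (FreeIPA's memberOf plugin includes nested groups)."""
    return {rdn_value(dn) for dn in entry.get("memberof", [])}


def authorize(entries, uid, required_group):
    """Allow only when exactly one entry carries that uid and it is in required_group.
    Zero or several matches are refused, which is the safe default for an LDAP module."""
    matches = [e for e in entries
               if any(v.lower() == uid.lower() for v in e.get("uid", []))]
    if len(matches) != 1:
        return False
    return required_group.lower() in user_groups(matches[0])


if __name__ == "__main__":
    # usage: ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com -W \
    #            -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)' | python3 check.py test wifi
    uid, group = sys.argv[1], sys.argv[2]
    allowed = authorize(parse_ldif(sys.stdin.read()), uid, group)
    print("allow" if allowed else "deny")
    sys.exit(0 if allowed else 1)
```

The decision is deliberately keyed on the group DN's first RDN only after the search was already restricted to the users container with a uid filter; a production module should also compare the full group DN, since a group named wifi could exist under another container.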


[Freeipa-users] certmonger with certs/keys not owned by root

2019-01-29 Thread Ian Pilcher via FreeIPA-users

I am setting up FreeRADIUS on my "network server" at home, which also
runs FreeIPA.  Naturally, I would like to use certmonger to issue,
track, and renew the certificate(s) used by FreeRADIUS.

Unfortunately, ipa-getcert only works when run as root, and it writes
the certificate and key files as root/0600, leaving them unreadable by
radiusd.  I can obviously change the permissions of the files, but
certmonger will presumably reset them when it renews the certificate.

I feel like I must be missing something obvious.  certmonger must be
usable with services that run as a non-root user, right?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] LDAP account for service

2019-01-28 Thread Ian Pilcher via FreeIPA-users

Continuing my adventures with FreeRADIUS ...

It seems that there's no escaping the need to create a dedicated LDAP
user for FreeRADIUS, so that it can see group membership information.

I've already created a FreeIPA service -
radius/ipa.example@example.com - so that I could issue a certificate
for PEAP and monitor it with certmonger.  (Yes, FreeRADIUS is running on
the same server as FreeIPA.)

Is it possible to somehow create a "service user" associated with this
service that FreeRADIUS can use as an LDAP login?

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: [systemd-devel] systemctl condreload - Is it a thing?

2019-01-30 Thread Ian Pilcher via FreeIPA-users

On 1/30/19 10:11 AM, Andy Pieters wrote:

man page on Centos
try-restart PATTERN...
Restart one or more units specified on the command line if
the units are running. This does nothing if units are not running.
Note that, for compatibility with Red Hat init
scripts, condrestart is equivalent to this command.


Yes, but I'm asking about condreload (not condrestart).

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: [systemd-devel] systemctl condreload - Is it a thing?

2019-01-30 Thread Ian Pilcher via FreeIPA-users

On 1/30/19 10:16 AM, Ian Pilcher wrote:

Yes, but I'm asking about condreload (not condrestart).


Wrong mailing list.  Sorry!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Directory manager password best practices

2019-04-16 Thread Ian Pilcher via FreeIPA-users
I am setting up a new IPA instance to provide DNS and CA services in a team
lab. I have to decide what to use for the Directory Manager password — our
standard, not very secure root password or something else, which no one
will ever remember.

Any thoughts? Is it still a major project to change the DM password? How
hard is it to recover/reset it these days?

(This will be IPA 4.6 on RHEL 7.)

Thanks!


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/17/19 9:45 AM, Rob Crittenden wrote:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password


That page says:

 The following procedure is only applicable to FreeIPA 3.2.1 or older.
 Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a
 part of preparing a replica info file by using ipa-replica-prepare

So it's really not clear what one is supposed to do for 4.6.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] SOLVED: Add SAN to cert (without adding it to the CSR)

2019-05-22 Thread Ian Pilcher via FreeIPA-users

On 5/22/19 11:44 AM, Ian Pilcher wrote:

I am trying to create a certificate for an older network printer.

Unfortunately, I cannot just load a certificate and private key of my
own creation.  The printer only supports certificates created from a
CSR of its own creation, which does not include the SAN.

Is it possible to make IPA copy the CN into the SAN?


As usual, I managed to find the answer shortly after sending this.  The
key information is here:

https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Add SAN to cert (without adding it to the CSR)

2019-05-22 Thread Ian Pilcher via FreeIPA-users

I am trying to create a certificate for an older network printer.

Unfortunately, I cannot just load a certificate and private key of my
own creation.  The printer only supports certificates created from a
CSR of its own creation, which does not include the SAN.

Is it possible to make IPA copy the CN into the SAN?

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Scripting host certificate creation

2019-04-18 Thread Ian Pilcher via FreeIPA-users

On 4/18/19 3:42 PM, Rob Crittenden wrote:

The cert should be added to the entry automatically by ipa cert-request.


Aha!

Looks like it actually was added.  It just doesn't show up in the web
UI immediately.  (I'm not sure if it takes a certain amount of time or
a log out/log in, but it's there now.)

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Scripting host certificate creation

2019-04-18 Thread Ian Pilcher via FreeIPA-users

I am trying to script the creation of a bunch of host certificates.

Unlike the web UI, the CLI seems to require two separate steps to do
this.  (Please correct me if I'm wrong about this.)

After I generate a key and CSR, I create a certificate with
'ipa cert-request'.  I am using host/${HOSTNAME}@${REALM} as the
principal, and I am saving the certificate with the --certificate-out
option.

Now I apparently need to use 'ipa host-add-cert' to add the certificate
to the host, but this requires that the certificate be passed in base64
format on the command line.  I'm sure I can figure out how to do this
with some combination of sed, tr, etc., but this seems excessively
painful.  Is there really not a way to do this in a single step or feed
a PEM-encoded certificate to 'ipa host-add-cert'?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/16/19 10:14 PM, Rob Crittenden wrote:

It isn't a huge deal to change the DM password but in practice you'd
want to do it on all masters (not replicated) so while not the end of
the world it can be at best annoying.


We'll only have a single master, so that doesn't sound too bad.


Though with root DM can be reset so with having a crappy root password
in effect it doesn't matter what DM is (e.g. someone could already have
the keys to the Kingdom).


Right.  I'm hoping to tighten up the root/admin password situation, but
that will have to wait until I can get some consensus from the remainder
of my team.  Changing those passwords is a known, straightforward
process, though.

In contrast, a fair bit of Googling leaves me unsure what the DM
password change procedure even is for IPA 4.6.


I'd set both to something(s) you can remember. When you need it the last
thing you'll want to do is run around resetting it.


My experience is that the Directory Manager password is used very
infrequently, so the odds of remembering it (if it is different than the
admin password) are very low.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Current state of Windows client support

2019-11-21 Thread Ian Pilcher via FreeIPA-users

I've long believed that it wasn't possible to use FreeIPA for identity
management with Windows clients (unless one was willing to pay for an
Active Directory server and establish a cross-domain trust).

I recently stumbled on this post, which indicates that it is possible:

 https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/

Can anyone speak to whether this is expected to work?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Reissue IPA LDAP cert with SAN

2020-02-19 Thread Ian Pilcher via FreeIPA-users

I am trying to get OpenShift to use my FreeIPA installation
(ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider.
OpenShift is refusing to talk to the LDAP server, because its
certificate doesn't contain a subjectAltName.

So I need to re-request/re-issue the certificate with the SAN.  Will it
be sufficient to modify the caIPAserviceCert profile to copy the hostname
from the CN to the SAN (as discussed in [1]) and then use
ipa-getcert resubmit?

Will this break anything?  (I only have a single IPA server/CA.)

Thanks!

[1] 
https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html


--

 In Soviet Russia, Google searches you!



[Freeipa-users] Re: How to get certificate containing full chain

2020-05-14 Thread Ian Pilcher via FreeIPA-users

On 5/8/20 4:00 PM, Leusmann, Philipp via FreeIPA-users wrote:

Thanks for testing, here the same thing doesn’t work.
I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7

post-save command is shown in the list of monitored certificates. 
Invoking manually works properly.


Any further idea on how to debug this?


Have you checked for SELinux denials?

--

 In Soviet Russia, Google searches you!



[Freeipa-users] Re: FreeIPA + Freeradius

2020-08-25 Thread Ian Pilcher via FreeIPA-users

On 8/24/20 11:40 AM, Alessandro Minonzio via FreeIPA-users wrote:

I'm new to FreeIPA (v. 4.6.5) and I'm asking for help with a first configuration
with FreeRADIUS on CentOS 7.
I need documentation or suggestions about this implementation.
Could someone help me?

I set this up a while ago, so I may forget some of the details, but
here's what I remember:

* You'll need to force LDAP authentication (bind as user) in the
  relevant FreeRADIUS "sites" - probably "default" for testing
  with radtest and "inner-tunnel" for WiFi EAP.  I added the following
  at the end of the *authorize* section (after pap).

#
# Force LDAP authentication (bind as user)
#
if (noop && User-Password) {
    update control {
        Auth-Type := LDAP
    }
}

* In the *authenticate* section of the sites files, uncomment this
  section:

#  Uncomment it if you want to use ldap for authentication
#
#  Note that this means "check plain-text password against
#  the ldap database", which means that EAP won't work,
#  as it does not supply a plain-text password.
#
#  We do NOT recommend using this.  LDAP servers are databases.
#  They are NOT authentication servers.  FreeRADIUS is an
#  authentication server, and knows what to do with authentication.
#  LDAP servers do not.
#
Auth-Type LDAP {
    ldap
}

* Configure mods-available/ldap appropriately.  You'll need to put
  your LDAP (FreeIPA) server information in the *ldap* section:

server = 'localhost'
base_dn = 'cn=users,cn=accounts,dc=CHANGE,dc=ME'

  (I've only ever run FreeIPA and FreeRADIUS on the same server, so I
  haven't had to set up TLS between them.)

* If you want to check group membership, you'll need to create a FreeIPA
  service account for FreeRADIUS.  (Group membership is not visible to
  anonymous binds.)

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

  In mods-available/ldap (for example):

  identity = 'uid=radiusd,cn=sysaccounts,cn=etc,dc=CHANGE,dc=ME'
  password = somethingwaymoresecurethanthis

  I've only ever "hacked" group membership-based authorization by simply
  hiding users that aren't in a particular group.  In the "user"
  subsection of the "ldap" section of mods-available/ldap I changed the
  filter to:

filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=wifi,cn=groups,cn=accounts,dc=CHANGE,dc=ME))"


  There's almost certainly a better way to do this.

* Finally, you'll need to configure mods-available/eap to use an
  authentication type that works with LDAP authentication.  (Something
  where the supplicant sends the actual password, rather than a hash.)

  I'm attaching my mods-available/eap file to this note.  Note that not
  all of the changes (disabling a bunch of authentication methods) are
  required to make this work.

HTH
--

 In Soviet Russia, Google searches you!

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  $Id: 427016c66da92b5aa87ac784e74550c4e723c0cd $

###
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
eap {
    #  Invoke the default supported EAP type when
    #  EAP-Identity response is received.
    #
    #  The incoming EAP messages DO NOT specify which EAP
    #  type they will be using, so it MUST be set here.
    #
    #  For now, only one default EAP type may be used at a time.
    #
    #  If the EAP-Type attribute is set by another module,
    #  then that EAP type takes precedence over the
    #  default type configured here.
    #
    #default_eap_type = md5
    default_eap_type = gtc

    #  A list is maintained to correlate EAP-Response
    #  packets with EAP-Request packets.  After a
    #  configurable length of time, entries in the list
    #  expire, and are deleted.
    #
    timer_expire = 60

    #  There are many EAP types, but the server has support
    #  for only a limited subset.  If the server receives
    #  a request for an EAP type it does not support, then
    #  it normally rejects the request.  By setting this
    #  configuration to "yes", you can tell the server to
    #  instead keep processing the request.  Another module
    #  MUST then be configured to proxy the request to
    #  another RADIUS server which supports that EAP type.
    #
    #  If another module is NOT configured to handle the
    #  request, then the request will still end up being
    #  rejected.

[Freeipa-users] Re: SSL/TLS Server Support for TLDv1.0 on port(s) other than 443

2020-10-01 Thread Ian Pilcher via FreeIPA-users

On 10/1/20 12:42 PM, Auerbach, Steven via FreeIPA-users wrote:
What is the proper way to change the overall openssl configuration to 
set the ssl_min to TLSv1.2?


https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html

You can see your current settings with:

ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=encryption,cn=config'

--

 In Soviet Russia, Google searches you!
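As an added example (not part of the reply above, and not code from 389-ds or FreeIPA), the following Python reads the LDIF that the ldapsearch command above prints and reports whether the cn=encryption,cn=config settings meet a TLS 1.2 floor; it also emits the ldapmodify LDIF that raises sslVersionMin. The attribute names (sslVersionMin, sslVersionMax, nsSSL3, allowWeakCipher) are the ones the linked 389-ds howto documents; the SAMPLE_LDIF entry is constructed, and a real server prints more attributes.

```python
"""Audit the TLS floor of 389-ds from the cn=encryption,cn=config entry.

Added example, not from the original post or from 389-ds/FreeIPA. Feed it the
output of `ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=encryption,cn=config'`.
The attribute names are the documented 389-ds ones; SAMPLE_LDIF is constructed.
"""
import base64
import re
import sys

# Weakest to strongest, spelled the way 389-ds accepts for sslVersionMin/Max.
PROTOCOL_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

# Constructed ldapsearch output, including one folded (continued) value.
SAMPLE_LDIF = """\
# extended LDIF

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
allowWeakCipher: off
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_2
 56_GCM_SHA384

# search result
search: 2
result: 0 Success
"""

# 'attr: value' or 'attr:: base64value'; comment lines never match.
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Return {attr_lowercase: [values]} for the first entry in an LDIF dump."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line:
            if entry:                              # blank line ends the entry
                break
            continue
        match = ATTR_RE.match(line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def audit_encryption(entry, required_min="TLS1.2"):
    """Return a list of findings; an empty list means the floor is met."""
    def first(attr, default=None):
        values = entry.get(attr.lower())
        return values[0] if values else default

    floor = PROTOCOL_ORDER.index(required_min)
    findings = []
    ssl_min = first("sslVersionMin")
    if ssl_min is None:
        findings.append("sslVersionMin is unset; the server's built-in default applies")
    elif ssl_min not in PROTOCOL_ORDER:
        findings.append("unrecognised sslVersionMin value %r" % ssl_min)
    elif PROTOCOL_ORDER.index(ssl_min) < floor:
        findings.append("sslVersionMin is %s; raise it to %s" % (ssl_min, required_min))
    ssl_max = first("sslVersionMax")
    if ssl_max in PROTOCOL_ORDER and PROTOCOL_ORDER.index(ssl_max) < floor:
        findings.append("sslVersionMax is %s, below the %s floor" % (ssl_max, required_min))
    if first("nsSSL3", "off").lower() == "on":
        findings.append("nsSSL3 is on; SSLv3 must stay disabled")
    if first("allowWeakCipher", "off").lower() == "on":
        findings.append("allowWeakCipher is on")
    return findings


def raise_floor_ldif(required_min="TLS1.2"):
    """LDIF for `ldapmodify -x -D 'cn=Directory Manager' -W`; restart dirsrv afterwards."""
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: sslVersionMin\n"
            "sslVersionMin: %s\n" % required_min)


if __name__ == "__main__":   # pass '-' to audit real ldapsearch output from stdin
    ldif = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LDIF
    print("\n".join(audit_encryption(parse_ldif_entry(ldif)) or ["OK: TLS 1.2 floor met"]))
```

The change only takes effect after the directory server is restarted, and because IPA's LDAP listener is the one on 636 (and the StartTLS one on 389), this is the setting that governs the "other than 443" ports the question is about.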



[Freeipa-users] Changing directory manager password

2021-05-18 Thread Ian Pilcher via FreeIPA-users

Maybe it's just me, but I still find the documentation on this subject
confusing.  (This is probably because the docs seem to be telling me
that I don't need to do anything beyond the actual password change, and
I don't trust answers that seem too easy.)

I'm running a single-node IPA 4.6.8 on RHEL 7.  The actual password change
with ldapmodify[1] is simple enough.  Am I reading the FreeIPA
documentation[2] correctly, that I don't need to perform any other
steps?

Thanks!

[1] 
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

[2] https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

--

Ian Pilcher                          Sr. Principal Product Manager
+1 469 892-8704                      Red Hat Cloud Platforms
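An added example of the ldapmodify step referenced above (not code from the thread, from FreeIPA or from 389-ds): it produces a salted SHA-512 hash in the {SSHA512} scheme that `pwdhash -s SSHA512` emits, so the new password never appears in the LDIF, and builds the modify operation for nsslapd-rootpw. The hash layout assumed here is base64(SHA-512(password || salt) || salt) with an 8-byte salt; the sample password and salt in the test are constructed.

```python
"""Hash a new Directory Manager password and build the LDIF that installs it.

Added example; not part of the thread, FreeIPA or 389-ds. The hash layout
({SSHA512} + base64 of SHA-512(password || salt) || salt, 8-byte salt) is the
one `pwdhash -s SSHA512` produces; cross-check a value from here with
`pwdhash -c '{SSHA512}...' 'password'` before trusting it on a real server.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8       # salt length 389-ds uses for its salted SHA schemes
DIGEST_LEN = 64    # SHA-512 digest length in bytes


def ssha512_hash(password, salt=None):
    """Return '{SSHA512}' + base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(stored, password):
    """Check a stored {SSHA512} value; the salt is whatever follows the digest."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)     # constant-time compare


def rootpw_ldif(hashed):
    """LDIF for `ldapmodify -x -D 'cn=Directory Manager' -W` (old password at the prompt).

    Only the hash crosses the connection; still use ldapi:// or LDAPS so the
    bind itself is not in the clear. nsslapd-rootpw changes apply without a restart.
    """
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-rootpw\n"
            "nsslapd-rootpw: %s\n" % hashed)


if __name__ == "__main__":
    import getpass
    new_pw = getpass.getpass("New Directory Manager password: ")
    print(rootpw_ldif(ssha512_hash(new_pw)), end="")
```

Two caveats from the linked 389-ds howto and the rest of this thread: if the current DM password is lost, the fallback is to stop dirsrv and replace nsslapd-rootpw in dse.ldif directly, and the PKCS#12 export that ipa-server-install left in /root stays protected by the old password until it is regenerated.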



[Freeipa-users] Re: Error issuing cert with IP address in SAN

2021-05-12 Thread Ian Pilcher via FreeIPA-users

On 5/12/21 4:06 PM, Ian Pilcher wrote:

I am getting an odd error when trying to issue a certificate with an IP
address in its SAN.  I am using IPA 4.6.8 on RHEL 7.9, so it's a bit
old, but it should work, AFAIK.


This was a user error.  I had the wrong object type for the IP address
in the SAN in the CSR.


  Certificate Request:
  Data:
  Version: 0 (0x0)
  Subject: CN=node01-idrac.pemlab.rdu2.redhat.com
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (2048 bit)
  Modulus:
  ⋮
  Exponent: 65537 (0x10001)
  Attributes:
  Requested Extensions:
  X509v3 Subject Alternative Name:
  DNS:node01-idrac.pemlab.rdu2.redhat.com, 
DNS:node01-idrac, DNS:10.11.173.11

^^^

It needs to be IP:10.11.173.11.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Error issuing cert with IP address in SAN

2021-05-12 Thread Ian Pilcher via FreeIPA-users

I am getting an odd error when trying to issue a certificate with an IP
address in its SAN.  I am using IPA 4.6.8 on RHEL 7.9, so it's a bit
old, but it should work, AFAIK.

Here is the host for which I want to issue the certificate:

 $ ipa host-show node01-idrac.pemlab.rdu2.redhat.com
   Host name: node01-idrac.pemlab.rdu2.redhat.com
   Principal name: 
host/node01-idrac.pemlab.rdu2.redhat@pemlab.rdu2.redhat.com
   Principal alias: 
host/node01-idrac.pemlab.rdu2.redhat@pemlab.rdu2.redhat.com

   Password: False
   Keytab: False
   Managed by: node01-idrac.pemlab.rdu2.redhat.com

Here is the CSR:

 $ openssl req -noout -text -in node01-idrac.csr
 Certificate Request:
 Data:
 Version: 0 (0x0)
 Subject: CN=node01-idrac.pemlab.rdu2.redhat.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 ⋮
 Exponent: 65537 (0x10001)
 Attributes:
 Requested Extensions:
 X509v3 Subject Alternative Name:
 DNS:node01-idrac.pemlab.rdu2.redhat.com, 
DNS:node01-idrac, DNS:10.11.173.11

 Signature Algorithm: sha256WithRSAEncryption
  ⋮

The DNS records:

 $ ipa dnsrecord-show pemlab.rdu2.redhat.com node01-idrac
   Record name: node01-idrac
   A record: 10.11.173.11

 $ ipa dnsrecord-show 173.11.10.in-addr.arpa 11
   Record name: 11
   PTR record: node01-idrac.pemlab.rdu2.redhat.com.

 $ ipa cert-request node01-idrac.csr --certificate-out node01-idrac.crt \
--principal 
host/node01-idrac.pemlab.rdu2.redhat@pemlab.rdu2.redhat.com
 ipa: ERROR: The service principal for subject alt name 10.11.173.11 in 
certificate request does not exist


From my examination of ipaserver/plugins/cert.py, I don't think that
this has anything to do with validation of the IP address, as the
exception seem to be raised before _validate_san_ips ever gets called.

Beyond that, however, I really don't know what's going on.

I've filed this as https://bugzilla.redhat.com/show_bug.cgi?id=1960041,
but I was wondering if anyone on this list has seen this behavior or can
spot an error that I'm making.

Thanks!

--

 In Soviet Russia, Google searches you!



[Freeipa-users] Re: Changing directory manager password

2021-05-22 Thread Ian Pilcher via FreeIPA-users

On 5/20/21 7:52 AM, Rob Crittenden via FreeIPA-users wrote:

Florence Renaud via FreeIPA-users wrote:

Hi Ian,
with IPA 4.6.8 you just need to follow the 389ds doc.
The procedure was more complex in versions < 3.2.2 because there were two
389ds instances (one for the regular suffix and one for the Certificate
Server) and the password had to be manually synchronized between the two,
and the replica installation was done using a different procedure (you
had to prepare a replica file containing passwords, private keys and
certificates and then transfer this file to the future replica).


The PKCS#12 file of the CA root generated by IPA during installation is
protected by the DM password.

An updated file can be generated using PKCS12Export if desired.


This is where it gets confusing.

I can see the PKCS#12 file in /root.  I've changed my DM password, but I
haven't regenerated the file.  Is this going to cause problems later on?

--

 In Soviet Russia, Google searches you!



[Freeipa-users] Re: Certificate profile to ignore (drop) email in SAN - possible?

2021-07-07 Thread Ian Pilcher via FreeIPA-users

On 7/6/21 12:29 PM, Rob Crittenden wrote:

IPA doesn't allow a CSR that has a RFC822Name SAN for a non-user. This
validation happens before the CSR is submitted to the CA.

You'd have to modify code to drop this requirement.


Bummer, but understandable.  Thanks for clarifying!

--

 In Soviet Russia, Google searches you!



[Freeipa-users] Certificate profile to ignore (drop) email in SAN - possible?

2021-07-06 Thread Ian Pilcher via FreeIPA-users

I've hit a roadblock while trying to generate a certificate for a VMware
vSphere appliance.

The VMware "Certificate Management" tool doesn't allow one to upload a
certificate and key.  Instead, one has to generate a CSR in the VMware
GUI which then gets submitted to the CA (IPA in this case).

Unfortunately, the VMware tool refuses to generate a CSR that does not
include an email address in its subject alternative names extension, and
IPA refuses to issue a host or service certificate that includes an
email address.

Is it possible to create a certificate profile that will simply ignore
the email address (i.e. not include it in the SAN of the issued
certificate)?

--

Ian Pilcher                          Sr. Principal Product Manager
+1 469 892-8704                      Red Hat Cloud Platforms
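Both of the SAN problems in these threads (an IP address submitted as a DNS: name, and an email: name on a host or service principal, which Rob Crittenden notes IPA rejects before the CSR reaches the CA) can be caught before running ipa cert-request. The following Python is an added example, not code from the posts or from FreeIPA: it parses the text that `openssl req -noout -text -in FILE.csr` prints, needs no third-party modules, and reports what IPA would refuse. The SAMPLE_REQ_TEXT is a constructed excerpt reproducing the SAN from the IP-address thread, and the principal strings (including the vCenter one) are constructed. What it cannot check offline is the DNS validation that the cert plugin applies to IP SANs (the _validate_san_ips step mentioned above), which still needs matching A and PTR records.

```python
"""Pre-flight check of a CSR's subjectAltName before `ipa cert-request`.

Added example; not code from the original posts or from FreeIPA. It parses
`openssl req -noout -text` output and flags two things IPA rejects: an IP
address written as a DNS: name, and an email: name on a non-user principal.
"""
import ipaddress

# Constructed excerpt of `openssl req -noout -text` output (SAN from the thread).
SAMPLE_REQ_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=node01-idrac.pemlab.rdu2.redhat.com
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:node01-idrac.pemlab.rdu2.redhat.com, DNS:node01-idrac, DNS:10.11.173.11
    Signature Algorithm: sha256WithRSAEncryption
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_san(req_text):
    """Return [(kind, value), ...] from the SAN block, e.g. ('DNS', 'host.example.com').

    OpenSSL labels IP entries 'IP Address' and email entries 'email'.
    """
    lines = req_text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip().startswith("X509v3 Subject Alternative Name:"):
            continue
        body = []
        for nxt in lines[i + 1:]:          # values are indented deeper than the header
            if not nxt.strip() or _indent(nxt) <= _indent(line):
                break
            body.append(nxt.strip())
        entries = []
        for item in ", ".join(body).split(","):
            kind, _, value = item.strip().partition(":")
            if kind:
                entries.append((kind.strip(), value.strip()))
        return entries
    return []


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_user_principal(principal):
    """host/fqdn@REALM and svc/fqdn@REALM carry a slash; user principals do not."""
    return "/" not in principal.split("@", 1)[0]


def lint_san(entries, principal):
    """Return problems that `ipa cert-request --principal PRINCIPAL` would reject."""
    problems = []
    for kind, value in entries:
        if kind == "DNS" and _as_ip(value) is not None:
            problems.append("%s is an IP address encoded as DNS:; the CSR must carry IP:%s" % (value, value))
        elif kind == "email" and not is_user_principal(principal):
            problems.append("email SAN %s is not allowed for non-user principal %s" % (value, principal))
    return problems


def corrected_san_spec(entries):
    """Return an openssl.cnf `subjectAltName` value with IP-as-DNS entries repaired."""
    parts = []
    for kind, value in entries:
        if kind == "IP Address" or (kind == "DNS" and _as_ip(value) is not None):
            parts.append("IP:%s" % value)
        else:
            parts.append("%s:%s" % (kind, value))
    return ", ".join(parts)


if __name__ == "__main__":
    san = parse_san(SAMPLE_REQ_TEXT)
    for problem in lint_san(san, "host/node01-idrac.pemlab.rdu2.redhat.com@PEMLAB.RDU2.REDHAT.COM"):
        print(problem)
    print("subjectAltName = " + corrected_san_spec(san))
```

For a CSR you generate yourself, the corrected_san_spec() value drops straight into the `subjectAltName =` line of the openssl request config; for an appliance-generated CSR, as with the VMware tool, the script only tells you in advance that IPA will refuse it.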



[Freeipa-users] dogtag-ipa-renew-agent-submit thundering herd

2021-03-26 Thread Ian Pilcher via FreeIPA-users

SHORT VERSION:

I run IPA (4.8) on a low powered CentOS 7 system, and the thundering
herd of dogtag-ipa-renew-agent-submit processes that certmonger
spawns at startup appears to be causing issues.

I'm looking for some way to limit the number of concurrent requests
that certmonger spawns at startup.


LONG VERSION:

I just updated my CentOS 7 IPA server to 4.6.8-5.el7, and I noticed
that getcert was showing some (but not all) of my certificates as
CA_UNREACHABLE.  (I noticed this when checking the system after the
upgrade, but I don't actually know if the two are related.)

 # getcert list | grep status
status: MONITORING
status: MONITORING
status: CA_UNREACHABLE
status: CA_UNREACHABLE
status: CA_UNREACHABLE
status: MONITORING
status: CA_UNREACHABLE
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING

There's no obvious difference between the "unreachable" certificates and
the others.  For example:

 Request ID '20181001154020':
 status: CA_UNREACHABLE
 ca-error: Internal error
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=PENURIO.US
 subject: CN=CA Subsystem,O=PENURIO.US
 expires: 2021-04-04 15:55:04 UTC
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
 post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
 track: yes
 auto-renew: yes

 Request ID '20181001154023':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=PENURIO.US
 subject: CN=Certificate Authority,O=PENURIO.US
 expires: 2033-07-22 21:47:43 UTC
 key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
 pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
 post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes

I do see a bunch of dogtag-ipa-ca-renew-agent-submit errors in the log:

 Mar 26 10:07:56 asterisk.penurio.us dogtag-ipa-ca-renew-agent-submit[2575]: Traceback (most recent call last):
   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
     sys.exit(main())
   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 507, in main
     kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
     cred = gssapi.Credentials(name=name, store=store, usage='initiate')
   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
     store=store)
   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
     usage)
   File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
 GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'PENURIO.US'


The KDC (and everything else) appear to be running:

 # ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 httpd Service: RUNNING
 ipa-custodia Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful

I've been able to "fix" the certificate requests by running
ipa-getcert resubmit on all of them.  In doing so, I noticed (via top)
that it seems to take several minutes for each request to complete,
during which time CPU utilization is *very* high.  (I honestly can't
imagine what certmonger, dogtag, etc. are doing that requires so much
CPU time to renew a certificate.)

This leads me to believe that the root cause of my issue is the
"thundering herd" of dogtag-ipa-renew-agent-submit processes that
certmonger spawns at startup.  It starts at least 30 instances of
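
Added here as an example, not code from the post or from certmonger: a small Python parser for `getcert list` output that reports every tracking request that is not in MONITORING, is marked stuck, or expires within a warning window, so the mix of CA_UNREACHABLE and near-expiry certificates seen above can be caught by a cron job instead of by eye. The listing below is constructed in the shape of the output quoted in the post, and the fixed "now" is the date of the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the `getcert list` output quoted above (real
# output is tab-indented); the third request is invented: expired yet still MONITORING.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20181001154020':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Subsystem,O=PENURIO.US
\texpires: 2021-04-04 15:55:04 UTC
Request ID '20181001154023':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=Certificate Authority,O=PENURIO.US
\texpires: 2033-07-22 21:47:43 UTC
Request ID '20181001154026':
\tstatus: MONITORING
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=OCSP Subsystem,O=PENURIO.US
\texpires: 2021-03-20 09:00:00 UTC
"""

AS_OF = datetime(2021, 3, 26, 10, 0, tzinfo=timezone.utc)  # date of the post, used as a fixed "now"
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")   # split on the first colon only
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """getcert prints expiry as e.g. '2021-04-04 15:55:04 UTC'."""
    stamp = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def find_problems(records, now=AS_OF, warn_days=30):
    """Return (request_id, nickname, reason) for every request that needs attention."""
    problems = []
    for rec in records:
        m = NICKNAME_RE.search(rec.get("certificate", ""))
        nick = m.group(1) if m else "?"
        reasons = []
        if rec.get("status") != "MONITORING":      # e.g. CA_UNREACHABLE, NEED_CA_CERT
            reasons.append(f"status {rec.get('status')}: {rec.get('ca-error', 'no ca-error')}")
        if rec.get("stuck") == "yes":               # certmonger has stopped retrying
            reasons.append("stuck")
        if "expires" in rec:
            expiry = parse_expiry(rec["expires"])
            if expiry <= now:
                reasons.append(f"expired {expiry:%Y-%m-%d}")
            elif expiry <= now + timedelta(days=warn_days):
                reasons.append(f"expires {expiry:%Y-%m-%d}")
        problems.extend((rec["request_id"], nick, r) for r in reasons)
    return problems
```

On a live server, feed it the real output with `find_problems(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), now=datetime.now(timezone.utc))`.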

[Freeipa-users] Trust external IPA?

2021-02-04 Thread Ian Pilcher via FreeIPA-users

At work, I manage a small lab that is used by my team (< 10 people).
All lab users are currently managed in the lab FreeIPA, but we all use
it extensively, so creating separate credentials for the lab isn't
overly burdensome.

We're now expanding the lab, and the number of users who may need access
to it at some point is set to grow dramatically.  Additionally, many of
these people are likely to be "one shot" users; they will need access to
some lab resources for a week or so and then not use it again for
months.  For these users, I would *really* like to avoid the usual
user creation/password reset dance.

Fortunately(?) all of these users already have credentials in our
corporate IPA infrastructure.  Is it possible to define users in the
local IdM server that will use the corporate server for authentication?

--

 In Soviet Russia, Google searches you!



[Freeipa-users] IPA not starting at boot - how to enable?

2022-04-09 Thread Ian Pilcher via FreeIPA-users

I was overly casual with yum this morning, and almost removed all of the
IPA-related RPMs from my server (CentOS 7).  Fortunately, I was able to
abort the transaction before too much damage was done.  After
(re)installing a couple RPMs, everything seems to be pretty much
working.

The exception is that the IPA services are not being started when the
system boots (but everything comes up fine with 'ipactl start' later).

Looking into this, I realize that I'm not even sure of the exact
mechanism that IPA (4.6.8 on CentOS 7) normally uses to start.  Looking
at the various systemd units on my system (targets and services), I
don't see anything that looks like an overall IPA unit, just the units
for the individual services and a couple of targets (dirsrv.target and
pki-tomcatd.target) that aren't enabled.

It's very possible that I'm missing the package that provides the
"master" target or service, but I don't know what it is.

Anyone know?

Thanks!

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Re: IPA not starting at boot - how to enable?

2022-04-09 Thread Ian Pilcher via FreeIPA-users

On 4/9/22 12:48, Ian Pilcher wrote:

> Looking into this, I realize that I'm not even sure of the exact
> mechanism that IPA (4.6.8 on CentOS 7) normally uses to start.  Looking
> at the various systemd units on my system (targets and services), I
> don't see anything that looks like an overall IPA unit, just the units
> for the individual services and a couple of targets (dirsrv.target and
> pki-tomcatd.target) that aren't enabled.


Amazing how sending a question like this makes the answer appear.  Looks
like it's simply *ipa.service*, which I missed because
'systemctl list-units' doesn't show disabled services.

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Re: Web UI thinks PEM-encoded CSR is Base64

2023-10-27 Thread Ian Pilcher via FreeIPA-users

On 10/27/23 10:05, Ian Pilcher wrote:

> I am attempting to generate a host certificate, but the FreeIPA web
> interface will not accept the PEM-encoded CSR.  I am receiving the
> following error:
>
>    IPA Error 4015: Base64DecodeError
>
>    Base64 decoding failed: Incorrect padding
>
> The CSR is in PEM format, rather than Base64:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
> zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
> yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
> A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
> 8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
> -----END CERTIFICATE REQUEST-----
>
> Any ideas?



Never mind.  I'm an idiot.  It's expecting a certificate, not a CSR, so
of course it doesn't work.

Sorry for the noise!

--

If your user interface is intuitive in retrospect ... it isn't intuitive



[Freeipa-users] Web UI thinks PEM-encoded CSR is Base64

2023-10-27 Thread Ian Pilcher via FreeIPA-users

I am attempting to generate a host certificate, but the FreeIPA web
interface will not accept the PEM-encoded CSR.  I am receiving the
following error:

  IPA Error 4015: Base64DecodeError

  Base64 decoding failed: Incorrect padding

The CSR is in PEM format, rather than Base64:

-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----

Any ideas?

--

If your user interface is intuitive in retrospect ... it isn't intuitive

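Added example, not part of the post or of FreeIPA: a checker that tells bare base64 from PEM armour and, from the outer DER structure alone, a certificate from a CSR, which is the distinction the web form silently expects. It uses the CSR quoted above as its input; the classification rule (a `[0]` version tag, or the shape of the element after the leading INTEGER) is my own heuristic, not FreeIPA's.

```python
import base64
import binascii
import re

# The PEM blob quoted in the post above (a CSR for et-2800.penurio.us).
CSR_PEM = """\
-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----
"""

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)

def is_raw_base64(text):
    """True only if the whole text is bare base64, which is what a 'Base64' field wants."""
    try:
        base64.b64decode("".join(text.split()), validate=True)
        return True
    except binascii.Error:       # armour lines such as '-----BEGIN ...' are rejected here
        return False

def pem_to_der(text):
    """Strip the PEM armour and return (label, DER bytes)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM armour found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

def read_tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_der(der):
    """'csr', 'certificate' or 'unknown' from the outer DER shape (heuristic).
    v2/v3 certificate bodies open with a [0] EXPLICIT version; otherwise the
    leading INTEGER is followed by the subject Name (SEQUENCE of SET) in a
    CSR but by an AlgorithmIdentifier (SEQUENCE, then OID) in a v1 cert."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "unknown"
        tag, first, _ = read_tlv(der, body)
        if tag != 0x30:
            return "unknown"
        tag, _, after_first = read_tlv(der, first)
        if tag == 0xA0:
            return "certificate"
        if tag != 0x02:
            return "unknown"
        tag, second, _ = read_tlv(der, after_first)
        if tag != 0x30:
            return "unknown"
        return {0x31: "csr", 0x06: "certificate"}.get(der[second], "unknown")
    except IndexError:                                  # truncated input
        return "unknown"

def describe(text):
    """What a paste-box validator could say instead of a bare 'Base64 decoding failed'."""
    if is_raw_base64(text):
        return "bare base64"
    label, der = pem_to_der(text)
    return f"PEM '{label}' wrapping {len(der)} DER bytes: {classify_der(der)}"
```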


[Freeipa-users] Force early renewal of server certificate

2022-06-18 Thread Ian Pilcher via FreeIPA-users

It seems that Firefox has now started warning about certificates that
don't include a subject alternative name.  (Honestly, I had no idea that
it wasn't already doing so; Chrome has been doing this for years.)

My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS
interface, so I would like to regenerate it.

1.  Is it possible to use ipa-getcert to request an early renewal, or do
I have to delete/recreate it?

2.  This is a fully updated CentOS 7 system, running the included
version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64).  Will
it automatically include a SAN extension when it renews the server
certificate (or issues a new one), or do I need to modify a
certificate profile?

3.  Related to the above, which profile should I use if I need to
issue a completely new certificate - caIPAserviceCert?

4.  Are any other steps necessary?  I.e., if I have to delete and
re-issue the certificate, do I need to update any other configuration
files or directory records to reference the new certificate?

Thanks!

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Re: Where is root CA private key stored?

2023-07-02 Thread Ian Pilcher via FreeIPA-users

On 6/30/23 12:38, Rob Crittenden wrote:

> The CA is stored in the NSS database /etc/pki/pki-tomcat/alias. You can
> use pk12util to extract it into a PKCS#12, then extract that and you'll
> have the CA. This would keep the CA trust the same but with a fresh
> install you'd need new keytabs for any enrolled clients.


FYI, I ran into an issue trying to re-use the root CA from the existing
install.  ipa-server-install won't accept the --external-cert-file
option unless it's previously been run with --external-ca.  And, of
course, the pre-existing CA certificate and key don't match the CSR
(and presumably the private key) that are used to create the CSR.

I'm starting to suspect that it will be easier to just accept that I'm
going to have to use a new root CA, rather than trying to re-use the old
one.

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Do you want to search for missing reverse zones?

2023-07-21 Thread Ian Pilcher via FreeIPA-users

I am attempting to automate a FreeIPA installation (for troubleshooting
purposes), and I cannot figure out how to get rid of this question.  I
have tried adding '--no-reverse' to the ipa-server-install command, but
I am still getting the prompt.

What option do I need to use?

Thanks!

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Re: Do you want to search for missing reverse zones?

2023-07-21 Thread Ian Pilcher via FreeIPA-users

On 7/21/23 11:33, Ian Pilcher wrote:

> I am attempting to automate a FreeIPA installation (for troubleshooting
> purposes), and I cannot figure out how to get rid of this question.  I
> have tried adding '--no-reverse' to the ipa-server-install command, but
> I am still getting the prompt.
>
> What option do I need to use?


Never mind.  Cut-n-paste line break error.

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] FreeIPA on Fedora and dnf system-upgrade

2023-06-29 Thread Ian Pilcher via FreeIPA-users

I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.

On RHEL and derivatives, in-place upgrades are not supported.  It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.

How does this work on Fedora?  Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Where is root CA private key stored?

2023-06-30 Thread Ian Pilcher via FreeIPA-users

(Hopefully Thunderbird will only send one copy of this.  Sorry about the
previous duplicate.)

I run a single FreeIPA server (on CentOS 7) in my home network, and I'm
thinking of migrating it to Fedora.  AFAICT, doing this as an actual
upgrade will require multiple cycles of creating a newer FreeIPA server,
adding it as a replica, removing the older server, lather, rinse,
repeat.

I'm only using FreeIPA for its DNS, certificate authority, and LDAP
authentication capabilities, and my home network isn't that large, so
I'm considering simply installing a new server and re-creating the
various users, hosts, services, and DNS zones/entries.  (I don't have
any systems that are truly managed with FreeIPA.)

Thus, it would be nice if the new FreeIPA server could use the same
root CA certificate as the existing one.  I believe that I can do this
by passing the --external-cert-file option to ipa-server-install, but
I need both the certificate and the private key of the root CA to do so.

Thus, I'm wondering how I can extract the root CA private key from my
existing CentOS 7 (FreeIPA 4.6.8) server.

Thanks!

--

Google  Where SkyNet meets Idiocracy



[Freeipa-users] Re: Where is root CA private key stored?

2023-06-30 Thread Ian Pilcher via FreeIPA-users

On 6/30/23 12:38, Rob Crittenden wrote:

> The CA is stored in the NSS database /etc/pki/pki-tomcat/alias. You can
> use pk12util to extract it into a PKCS#12, then extract that and you'll
> have the CA. This would keep the CA trust the same but with a fresh
> install you'd need new keytabs for any enrolled clients.


Perfect.  Thanks!

--

Google  Where SkyNet meets Idiocracy
