[Freeipa-users] How to make a FreeIPA node replica become Master?

2016-09-14 Thread Sergio Francisco
Hi, We have a deployment of FreeIPA using 3 nodes (Master with 2 more replicas). Recently, the master node had a problem with the process 'ns-slapd' consuming 100% of CPU. During this problem, DNS service wasn't working, IPA admin UI encountered timeout, SSH keys to access the hosts are not being

Re: [Freeipa-users] About AllowGroups with sshd

2016-09-14 Thread Lukas Slebodnik
On (14/09/16 08:37), Jose Alvarez R. wrote: >Hi Jakub > >Thanks for your response. It's an option, but my backups servers I will not >add to the FreeIPA server. > >Then, I cannot use the option HBAC, because I want my backup server can >connect with root to some client server of my FreeIPA

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Here is what I found : In the catalina.out : ### May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception java.io.IOException: CS server is not ready to serve. at

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I tried also the following commands : ### # ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) # service ipa status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING MEMCACHE Service: RUNNING HTTP Service:

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Giorgos Kafataridis
On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote: On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: I've tried that but still the same result. [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h localhost -b

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Sorry Martin, This is not the first time I forgot to add back freeipa users. I have problems with gmail, again sorry. Indeed I figured out that I had to restart the ipa server. So I tried to restart ipa server. But it was not working yet. So I thought it was maybe due to the configuration I

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Armstrong, Jeffrey
Ok. Thank you very much for the information. Jeff From: Giger, Justean [mailto:jgi...@verizon.com] Sent: Wednesday, September 14, 2016 11:18 AM To: Armstrong, Jeffrey ; freeipa-users@redhat.com Subject: Re: [E] [Freeipa-users] Migration Question *External E-Mail*

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Please keep freeipa-users in CC, I'm quite lost here ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates). I'm not sure what this does mean, but if this is caused by

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Did you restart IPA when you moved time? Is there a more detailed error description in output of getcert list? On 14.09.2016 18:45, bahan w wrote: I set the date-time when the certificates were valid : ### # date -s '2016-05-27 10:00:00' Fri May 27 10:00:00 CEST 2016 # date Fri May 27

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I set the date-time when the certificates were valid : ### # date -s '2016-05-27 10:00:00' Fri May 27 10:00:00 CEST 2016 # date Fri May 27 10:00:02 CEST 2016 ### Then I try to renew them : ### # getcert resubmit -i 20140528063919 Resubmitting "20140528063919" to "IPA". # getcert resubmit -i

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Please keep freeipa-users in CC, there is no sensitive information in getcert list output (you sanitized it) Following certificates are expired, please try to resubmit them. I'm also worried about this error message: ca-error: Error setting up ccache for local "host" service using

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Then you have to start services manually, I don't know if the same steps will work with IPA 3.0.0, I don't remember, but you can try :) On 14.09.2016 18:18, bahan w wrote: Oh I forgot to add that my version of ipa is quite old : ### # rpm -qa | grep ipa-server ipa-server-3.0.0-25.el6.x86_64

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Oh I forgot to add that my version of ipa is quite old : ### # rpm -qa | grep ipa-server ipa-server-3.0.0-25.el6.x86_64 ### When I try the command you gave me I got the following error : ### # ipactl start --force Usage: ipactl start|stop|restart|status ipactl: error: no such option: --force

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
On 14.09.2016 17:59, bahan w wrote: Hello ! I send you this mail because I cannot restart my test IPA server. When I try to start it with service ipa start, I got the following error message : ### # service ipa start Starting Directory Service Starting dirsrv: ...[14/Sep/2016:17:57:23

[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Hello ! I send you this mail because I cannot restart my test IPA server. When I try to start it with service ipa start, I got the following error message : ### # service ipa start Starting Directory Service Starting dirsrv: ...[14/Sep/2016:17:57:23 +0200] - SSL alert:

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Giger, Justean
We did the same and have had zero issues. In fact, one overzealous colleague moved one out of our 5 IDM servers to Oracle while all the others were still on Red Hat and things still worked. I have not tried to get support for IDM with Oracle though so not sure how that goes. From:

Re: [Freeipa-users] About AllowGroups with sshd

2016-09-14 Thread Jose Alvarez R.
Hi Jakub Thanks for your response. It's an option, but my backups servers I will not add to the FreeIPA server. Then, I cannot use the option HBAC, because I want my backup server can connect with root to some client server of my FreeIPA Server. If I'm doing something wrong, please let me know

[Freeipa-users] Migration Question

2016-09-14 Thread Armstrong, Jeffrey
Hi My company is migrating from RedHat Linux to Oracle Linux. I warned them that IdM could be a problem. Does anyone know if IPA works after the migration? Jeff Armstrong

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-14 Thread Ben Lipton
This may be resolved already, but just in case it's helpful: On 09/13/2016 11:26 AM, Rob Crittenden wrote: Natxo Asenjo wrote: hi, On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden > wrote: Natxo Asenjo wrote: hi, I can

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-14 Thread Ludwig Krispenz
Hi, On 09/13/2016 07:37 PM, Rakesh Rajasekharan wrote: Hi All, Have finally made some progress with this.. after changing the checkpoint interval to 180, my hangs have gone down now.. However, I faced a similar hang yesterday... users were not able to login.. , though this time the ns-slapd

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Natxo Asenjo
hi, On Tue, Sep 13, 2016 at 9:36 PM, Endi Sukma Dewata wrote: > On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: > >> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: >> >>> I've tried that but still the same result. >>> >>> [root@ipa-server /]# ldapsearch -D "cn=directory