Re: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo 
wrote:

> hi,
>
> In a test network I followed the procedure specified in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
>
> Everything went fine, I shut down the centos 6.7 host and I can kinit to
> the test realm like before with everything being handled by the centos 7.1
> ipa server.
>
> Unfortunately, firefox is not loading the web ui with the message:
>
> An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
> server experienced an internal error. (Error code:
> sec_error_ocsp_server_error)
>
>
> Chrome works fine; it does not query the ocsp responder apparently. If I
> turn off the ocsp queries in firefox, everything works.
>
> So how can I troubleshoot this? I have turned off the firewall in the
> centos 7.1 hosts, selinux is permissive.
>

ok, so I found something:

$ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout -text | grep -i ocsp
OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp

so it's pointing to the centos 6.7 box, and that one is gone. That's why
it's not working.

Shouldn't the certificates be modified or recreated when decommissioning
replicas? I must have done something wrong when decommissioning the server
...

Anyway, I created an A record for kdc1 pointing to kdc2 and now it's
working, but I wonder if this is the 'right' approach.


--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
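Added example, not from this thread: a small POSIX shell script that automates the check above, pulling every OCSP responder URI out of the server certificate's AIA extension, flagging a responder that lives on a different host than the server that presented the certificate (the decommissioned replica case found here), and then querying the responder directly with `openssl ocsp` so the failure is visible outside the browser. It assumes OpenSSL is installed and that the IPA CA certificate is at /etc/ipa/ca.crt (override with CA_CERT); the host names are placeholders.

```shell
# Added example (not from the mailing-list thread). Assumes OpenSSL and an
# IPA CA certificate at /etc/ipa/ca.crt (override with CA_CERT). Host names
# such as kdc2.unix.domain.tld are placeholders.
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"

# Print every "OCSP - URI:" value found in `openssl x509 -text` output on stdin.
ocsp_uris_from_text() {
    sed -n 's/^[[:space:]]*OCSP - URI:\(.*\)$/\1/p'
}

# Host part of a URI: http://kdc1.unix.domain.tld:80/ca/ocsp -> kdc1.unix.domain.tld
uri_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##'
}

# Succeeds when the responder in URI $2 is on a host other than $1, i.e. the
# certificate points at another (possibly retired) IPA server.
responder_on_other_host() {
    [ "$(uri_host "$2")" != "$1" ]
}

# Save the leaf certificate presented by host:port ($1) as PEM in file $2.
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Ask responder $2 about leaf cert $1. Exit 0 only when OpenSSL obtained and
# verified a response; an unreachable host or an "internal error" is non-zero.
check_ocsp() {
    openssl ocsp -issuer "$CA_CERT" -CAfile "$CA_CERT" -cert "$1" -url "$2" -resp_text
}

main() {
    server="$1"                      # e.g. kdc2.unix.domain.tld:443
    leaf="$(mktemp)"
    fetch_server_cert "$server" "$leaf"
    openssl x509 -in "$leaf" -noout -text | ocsp_uris_from_text | while read -r uri; do
        if responder_on_other_host "${server%%:*}" "$uri"; then
            echo "NOTE: responder $uri is not on $server; verify that host still exists"
        fi
        check_ocsp "$leaf" "$uri" && echo "OK: $uri answered" || echo "FAIL: $uri"
    done
    rm -f "$leaf"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as `sh check_ocsp.sh kdc2.unix.domain.tld:443`; a FAIL line with a NOTE above it is the stale-AIA situation described in the thread.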

[Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
hi,

In a test network I followed the procedure specified in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.

Everything went fine, I shut down the centos 6.7 host and I can kinit to the
test realm like before with everything being handled by the centos 7.1 ipa
server.

Unfortunately, firefox is not loading the web ui with the message:

An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
server experienced an internal error. (Error code:
sec_error_ocsp_server_error)


Chrome works fine; it does not query the ocsp responder apparently. If I
turn off the ocsp queries in firefox, everything works.

So how can I troubleshoot this? I have turned off the firewall in the
centos 7.1 hosts, selinux is permissive.

--
Groeten,
natxo

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi,

on a centos 7.1 host, when enrolling it with (among others) the switch
--request-cert, it does not create a host certificate for it. The host is
properly joined but no certificate is present.

In the ipaclient-install.log file I see this:

2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed

but no other clue as to what went wrong.

How can I troubleshoot this?

Thanks!

--
Groeten,
natxo

[Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-12 Thread Brian J. Murrell
Due to the bug in mod_nss that prevents SNI from functioning (i.e.
limits a port to a single certificate) I need to add SANs
(SubjectAltName) to the certificate that freeipa created for the
webserver (Server-Cert) so that I can add more virtual hosts to the
same Apache instance (yes, I know this is not advised but budgetary
constraints are at play here).

How do I go about that?  Do I want to resubmit the certificate request
with some -D alt.name1 -D alt.name2, etc. parameters as such:

# ipa-getcert resubmit -i  -D alt.name1 -D alt.name2

Is that the correct operation?  If so, is there anything more I need to
do after that?

Cheers,
b.



Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
wrote:

> hi,
>
> on a centos 7.1 host, when enrolling it with (among others) the switch
> --request-cert, it does not create a host certificate for it. The host is
> properly joined but no certificate is present.
>
> In the ipaclient-install.log file I see this:
>
> 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
>

it's not working when joining a centos 6.7 realm either, same error.

-- 
regards,
natxo