Re: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1
On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo wrote:
> hi,
>
> In a test network I followed the procedure specified in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
>
> Everything went fine, I shut down the centos 6.7 host and I can kinit to
> the test realm like before with everything being handled by the centos 7.1
> ipa server.
>
> Unfortunately, firefox is not loading the web ui with the message:
>
> An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
> server experienced an internal error. (Error code:
> sec_error_ocsp_server_error)
>
> Chrome works fine, it does not query the ocsp responder apparently. If I
> turn off the ocsp queries in firefox, everything works.
>
> So how can I troubleshoot this? I have turned off the firewall in the
> centos 7.1 hosts, selinux is permissive.

ok, so I found something:

$ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout -text | grep -i ocsp
OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp

so it's pointing to the centos 6.7 box, and that one is gone. That's why it's not working.

Shouldn't the certificates be modified or recreated when decommissioning replicas? I must have done something wrong when decommissioning the server ...

Anyway, I created an A record for kdc1 pointing to kdc2 and now it's working, but I wonder if this is the 'right' approach.

--
Groeten,
natxo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1
hi,

In a test network I followed the procedure specified in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.

Everything went fine, I shut down the centos 6.7 host and I can kinit to the test realm like before with everything being handled by the centos 7.1 ipa server.

Unfortunately, firefox is not loading the web ui with the message:

An error occurred during a connection to kdc2.unix.domain.tld. The OCSP server experienced an internal error. (Error code: sec_error_ocsp_server_error)

Chrome works fine, it does not query the ocsp responder apparently. If I turn off the ocsp queries in firefox, everything works.

So how can I troubleshoot this? I have turned off the firewall in the centos 7.1 hosts, selinux is permissive.

--
Groeten,
natxo
[Freeipa-users] ipa-client-install --request-cert fails
hi,

on a centos 7.1 host, when enrolling it with (among others) the switch --request-cert, it does not create a host certificate for it. The host is properly joined but no certificate is present.

In the ipaclient-install.log file I see this:

2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed

but no other clue as to what went wrong. How can I troubleshoot this?

Thanks!

--
Groeten,
natxo
[Freeipa-users] add SubjectAltName (SAN) to IPA certificate
Due to the bug in mod_nss that prevents SNI from functioning (i.e. limits a port to a single certificate), I need to add SANs (SubjectAltName) to the certificate that freeipa created for the webserver (Server-Cert) so that I can add more virtual hosts to the same Apache instance (yes, I know this is not advised, but budgetary constraints are at play here).

How do I go about that? Do I want to resubmit the certificate request with some -D alt.name1 -D alt.name2, etc. parameters, as such:

# ipa-getcert resubmit -i -D alt.name1 -D alt.name2

Is that the correct operation? If so, is there anything more I need to do after that?

Cheers,
b.
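Both the OCSP thread and the SAN question above come down to reading extension values back out of a certificate: the OCSP thread found the AIA responder URI still pointing at the decommissioned replica, and after an ipa-getcert resubmit one wants to confirm which DNS names the new Server-Cert actually carries. The script below is an added example, not code from the posts or from FreeIPA/certmonger. It builds a throwaway self-signed certificate (constructed for the example, carrying the AIA URI and host names from the posts plus the hypothetical alt.name1/alt.name2), then shows how to extract the OCSP URI and the SAN DNS names with the openssl CLI, check whether the responder host still resolves, and query the responder directly. The function names and the demo certificate are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the posts or from FreeIPA): inspect the OCSP responder
# URI and the SAN DNS names in a server certificate with the openssl CLI.
set -eu

# Print the AIA OCSP responder URI(s) of a PEM certificate, one per line.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Same thing against a live TLS endpoint given as host:port, as the OCSP post did.
ocsp_uri_from_host() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -ocsp_uri
}

# Print the DNS names in the subjectAltName extension, one per line.
# Parses the -text output so it also works on OpenSSL 1.0.x, which has no -ext option.
san_dns_from_cert() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Reduce a URL to its host: http://kdc1.unix.domain.tld:80/ca/ocsp -> kdc1.unix.domain.tld
url_host() {
    h="${1#*://}"              # drop scheme
    h="${h%%/*}"               # drop path
    printf '%s\n' "${h%%:*}"   # drop port
}

# Report whether the responder host named in the certificate still resolves
# (uses glibc's getent). This is the check that exposes a decommissioned kdc1.
responder_resolves() {
    host=$(url_host "$(ocsp_uri_from_cert "$1" | head -n 1)")
    if getent hosts "$host" >/dev/null 2>&1; then
        echo "OCSP responder host $host resolves"
    else
        echo "OCSP responder host $host does NOT resolve" >&2
        return 1
    fi
}

# Ask the responder named in the certificate about that certificate.
# Needs the issuing CA certificate and network access, so it is not run here.
query_ocsp() {   # usage: query_ocsp ca.pem server.pem
    openssl ocsp -issuer "$1" -cert "$2" \
        -url "$(ocsp_uri_from_cert "$2" | head -n 1)" -resp_text
}

# Constructed: a throwaway self-signed certificate carrying the values from the posts
# (kdc2 as subject, the old kdc1 responder in the AIA, two hypothetical extra SANs).
make_demo_cert() {   # usage: make_demo_cert DIR  -> prints the path of cert.pem
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kdc2.unix.domain.tld
[v3]
subjectAltName = DNS:kdc2.unix.domain.tld,DNS:alt.name1,DNS:alt.name2
authorityInfoAccess = OCSP;URI:http://kdc1.unix.domain.tld:80/ca/ocsp
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/demo.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    printf '%s\n' "$1/cert.pem"
}

# Stand-alone demo: ./check-cert.sh --demo
main() {
    dir=$(mktemp -d)
    cert=$(make_demo_cert "$dir")
    echo "OCSP URI: $(ocsp_uri_from_cert "$cert")"
    echo "SAN DNS:  $(san_dns_from_cert "$cert" | xargs)"
    responder_resolves "$cert" \
        || echo "-> reissue the certificate so its AIA names a live responder, rather than re-pointing kdc1 in DNS"
    rm -rf "$dir"
}
if [ "${1-}" = "--demo" ]; then main; fi
```

Against a real deployment the interesting calls are ocsp_uri_from_host kdc2.unix.domain.tld:443 and, once the AIA names a responder that exists, query_ocsp with the IPA CA certificate as issuer; an OCSP responder that the client cannot reach is what Firefox reports as sec_error_ocsp_server_error.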
Re: [Freeipa-users] ipa-client-install --request-cert fails
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo wrote:
> hi,
>
> on a centos 7.1 host, when enrolling it with (among others) the switch
> --request-cert, it does not create a host certificate for it. The host is
> properly joined but no certificate is present.
>
> In the ipaclient-install.log file I see this:
>
> 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed

it's not working when joining a centos 6.7 realm either, same error.

--
regards,
natxo
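The install log line quoted in this thread only says that certmonger's request failed; the reason is kept by certmonger itself, in the status and ca-error fields of getcert list. As an added example, not code from the posts or from certmonger/FreeIPA, the shell function below reads getcert list output and prints every tracked request that is not in the MONITORING state (the state of a successfully issued certificate), together with its stuck flag and CA error. The sample output embedded in the script is constructed: the request IDs, host names and error text are made up, and its field layout follows what certmonger prints as I know it, which is an assumption rather than something the posts show.

```shell
#!/bin/sh
# Added example (not from the posts or from certmonger): triage failed certmonger
# requests. Real use:  getcert list | failed_requests
set -eu

# Print "<request id> <status> stuck=<yes|no> <ca-error>" for every tracked
# request whose status is not MONITORING. Fields may be indented with tabs
# (as certmonger does) or spaces (as the constructed sample below does).
failed_requests() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING")
                printf "%s %s stuck=%s %s\n", id, status, stuck, err
        }
        /^Request ID /     { flush(); id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id)
                             status = ""; stuck = ""; err = "" }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*stuck:/    { stuck = $2 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        END                { flush() }
    '
}

# Constructed sample of getcert list output: one host-certificate request that
# failed because the IPA CA could not be reached, and one healthy request.
# IDs, names and the error message are made up for this example.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150912093400':
    status: CA_UNREACHABLE
    ca-error: Server at https://kdc2.unix.domain.tld/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Connection refused)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.unix.domain.tld',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.unix.domain.tld',token='NSS Certificate DB'
    CA: IPA
    issuer: 
    subject: 
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20150912093401':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
    subject: CN=kdc2.unix.domain.tld,O=UNIX.DOMAIN.TLD
    expires: 2017-09-12 09:34:02 UTC
    track: yes
    auto-renew: yes
EOF
}

# Stand-alone demo: ./certmonger-triage.sh --demo
if [ "${1-}" = "--demo" ]; then
    sample_getcert_list | failed_requests
fi
```

On the enrolled client the same function is fed by getcert list directly; a request whose status is CA_UNREACHABLE or CA_REJECTED names the IPA server it could not get a certificate from, and journalctl -u certmonger on a systemd host carries the matching log lines for the time of the failed request.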