Re: [Freeipa-users] Ipa cert automatic renew Failing.

2017-01-01 Thread Rob Crittenden
Lucas Diedrich wrote:
> OK, I got it, I just executed the second script:
> 
> "sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert
> cert-pki-ca"", and that fixed the problem. There is another script called
> renew_ra_cert_pre; should I run this too?

No, it should be run BEFORE renew_ra_cert, but since that has executed
successfully there is no point.

rob

> 
> Thanks.
> 
> On Mon, 26 Dec 2016 at 17:26, Lucas Diedrich wrote:
> 
> Florence, at first I thought the problem was fixed, but it wasn't
> completely.
> 
> So now I'm at the CA Master, and when I try to see some
> certificates it prompts me this:
> "[root@ipa2 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION
> (Invalid Credential.)
> "
> The same thing shows over the Web Interface. I searched a little bit
> and found that probably it didn't update the *ipara* user, but I
> can't confirm that. Any suggestions?
> 
> Thanks,
> 
> On Thu, 22 Dec 2016 at 11:13, Florence Blanc-Renaud wrote:
> 
> On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
> > Florence, for some creepy reason the cert from pkidbuser is different
> > from subsystem certs, and this pkidbuser is outdated now, but I can't
> > manage one way to re-issue it. I had to change the CA server because of
> > that, and SELinux in the old CA Server was disabled; on the new one it
> > is in Permissive mode but doesn't show a warning in
> > /var/log/audit/audit.log.
> >
> > This is the pkidbuser cert:
> > https://paste.fedoraproject.org/511023/24084431/
> > This is the subsystem cert:
> > https://paste.fedoraproject.org/511025/14824085/
> > The ca.subsystem.cert matches the pkidbuser cert.
> >
> > lucasdiedrich.
> >
> Hi,
> 
> you can try to manually call the post-save command that certmonger
> should have issued after putting the certificate in
> /etc/pki/pki-tomcat/alias:
> on the renewal master:
> $ sudo /usr/libexec/ipa/certmonger/stop_pkicad
> $ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> cert-pki-ca"
> 
> Then check the journal log that should display the following if
> everything goes well:
> $ sudo journalctl --since today | grep renew_ca_cert
> [...] renew_ca_cert[6478]: Updating entry
> uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
> [...] renew_ca_cert[6478]: Updating entry
> uid=pkidbuser,ou=people,o=ipaca
> [...] renew_ca_cert[6478]: Starting pki_tomcatd
> [...] renew_ca_cert[6478]: Started pki_tomcatd
> 
> If the operation does not succeed, you will have to check the LDAP
> server logs in /etc/dirsrv/slapd-DOMAIN/access.
> 
> HTH,
> Flo.
> 
> > On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud wrote:
> >
> > On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> > > Hello guys,
> > >
> > > I'm having some trouble; what is happening with my server is that
> > > I'm hitting an old BUG
> > > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to
> > > mbasti over irc he advised me to send this to the email list.
> > >
> > > The problem is, I got on CA Master, so because of this problem the CA
> > > Master certificates couldn't be renewed, so now I promoted another
> > > master to be the CA. And the problem still persists.
> > >
> > > These are the certs from my new CA
> > > (https://paste.fedoraproject.org/510617/14823448/),
> > > these are the certs from my old CA
> > > (https://paste.fedoraproject.org/510618/44871148/).
> > > This is the log when I restart pki-tomcat ("CA port 636 Error
> > > netscape.ldap.LDAPException: Authentication failed (49)").
> > > This is the log from dirsrv when I restart pki-tomcat
> > > (https://paste.fedoraproject.org/510614/23446801/)
> > >
> > > Basically my CA is not working anymore...
> > >
> > > Anyway, I tried lots of things but couldn't fix this; does anyone
> > > have some idea?
> > >
> > Hi,
> >
> > Pki-tomcat is using the LDAP server as a data store, meaning that it
> 
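Florence's procedure above ends with reading the journal by eye for the four renew_ca_cert messages. As an added example (not code from this thread or from FreeIPA), the POSIX shell function below takes captured journalctl lines and verifies that those four messages appear, in the order she lists them, so a skipped "Updating entry uid=pkidbuser" step, which leaves the CA binding to LDAP with a stale entry (the "Authentication failed (49)" Lucas saw), is flagged instead of overlooked. The log samples are constructed; the hostname, PID and timestamps are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a renew_ca_cert run
# logged the messages Florence lists, in the order they should appear.
# Usage on a renewal master, after stop_pkicad and renew_ca_cert have run:
#   journalctl --since today | grep renew_ca_cert > /tmp/renew.log
#   check_renew_ca_cert_log "$(cat /tmp/renew.log)" && echo "renewal OK"

# check_renew_ca_cert_log LOGTEXT
# Returns 0 when every expected marker is present and in order, 1 otherwise,
# naming the first missing marker on stderr.
check_renew_ca_cert_log() {
    log=$1
    offset=0   # lines already consumed by earlier markers
    # Markers are substrings: uid=CA-<host>-8443 varies per server, so only
    # its prefix is matched; the other three are checked verbatim.
    set -- 'Updating entry uid=CA-' \
           'Updating entry uid=pkidbuser,ou=people,o=ipaca' \
           'Starting pki_tomcatd' \
           'Started pki_tomcatd'
    for marker in "$@"; do
        # Search only the part of the log after the previous marker, so a
        # message that appears too early does not count.
        hit=$(printf '%s\n' "$log" | tail -n +$((offset + 1)) \
              | grep -n -F -- "$marker" | head -n 1 | cut -d: -f1)
        if [ -z "$hit" ]; then
            printf 'renew_ca_cert log: missing or out of order: %s\n' "$marker" >&2
            return 1
        fi
        offset=$((offset + hit))
    done
    return 0
}

# Constructed sample: a successful run (host, PID and times are placeholders).
GOOD_LOG='Jan 01 10:00:01 ipa2 renew_ca_cert[6478]: Updating entry uid=CA-ipa2.example.test-8443,ou=people,o=ipaca
Jan 01 10:00:01 ipa2 renew_ca_cert[6478]: Updating entry uid=pkidbuser,ou=people,o=ipaca
Jan 01 10:00:02 ipa2 renew_ca_cert[6478]: Starting pki_tomcatd
Jan 01 10:00:09 ipa2 renew_ca_cert[6478]: Started pki_tomcatd'

# Constructed sample: a run that never updated pkidbuser, the stale-entry
# condition the thread describes.
BAD_LOG='Jan 01 10:00:01 ipa2 renew_ca_cert[6478]: Updating entry uid=CA-ipa2.example.test-8443,ou=people,o=ipaca
Jan 01 10:00:02 ipa2 renew_ca_cert[6478]: Starting pki_tomcatd
Jan 01 10:00:09 ipa2 renew_ca_cert[6478]: Started pki_tomcatd'

if [ "${1:-}" = "--demo" ]; then
    check_renew_ca_cert_log "$GOOD_LOG" && echo "good sample: OK"
    check_renew_ca_cert_log "$BAD_LOG" || echo "bad sample: renewal incomplete"
fi
```

If the check fails, the next place to look is the one Florence names: the directory server access log under /etc/dirsrv/slapd-DOMAIN/, where the failed bind of the stale pkidbuser entry will show up.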

Re: [Freeipa-users] IPA Client not able to remove

2017-01-01 Thread Rob Crittenden
tarak sinha wrote:
> Hi FreeIPA Team,
> 
> I am not able to remove the IPA client host entry from Web UI and
> command line as well. While trying to add it’s showing “Host is already
> exist”. Please give me some suggestion to get rid of this issue.
> 
> #ipa host-del xxx.example.com --updatedns
> 
> ipa: ERROR: xxx.example.com: host not found
> 
> #ipa host-show xxx.example.com
> 
> ipa: ERROR: xxx.example.com: host not found

It sounds like it is a replication conflict entry. You can confirm by
doing something like 'ipa host-find xxx.example.com --all' and looking at
the DN. If it has nsuniqueid in the DN then it is a conflict entry. See
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
but given you want to remove it you can do so via ldapdelete.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
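Rob's test is to run 'ipa host-find ... --all' and look for nsuniqueid in the dn. As an added example (not code from this thread or from FreeIPA), the POSIX shell function below applies that test to host-find output read on stdin: it prints the dn of any entry whose RDN carries nsuniqueid and returns 0, and returns 1 when every dn is a plain fqdn= entry. The sample outputs are constructed; the nsuniqueid value and the directory suffix are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: tell a 389-ds replication conflict
# entry apart from a normal host entry by inspecting the dn lines in
# `ipa host-find --all` output, as Rob suggests.
# Usage on an IPA server:
#   ipa host-find xxx.example.com --all | conflict_entry_dn
# Prints each conflicting dn and returns 0 when at least one is found,
# returns 1 (prints nothing) otherwise.

# conflict_entry_dn  (reads host-find --all output on stdin)
# 389-ds renames the losing copy of a conflicting add to
# "nsuniqueid=<id>+fqdn=<host>,...", which is why host-del and host-show
# (which look the host up by fqdn) report "host not found" while host-add
# reports that the host already exists.
conflict_entry_dn() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *dn:*nsuniqueid=*)
                # Strip the indented "dn: " label, leaving the bare DN.
                printf '%s\n' "${line#*dn: }"
                found=0 ;;
        esac
    done
    return "$found"
}

# Constructed sample (not real data): what host-find --all shows for a
# conflict entry of the host named in the thread.
SAMPLE_CONFLICT='--------------
1 host matched
--------------
  dn: nsuniqueid=66446001-1dd211b2-66225794-1b2f0000+fqdn=xxx.example.com,cn=computers,cn=accounts,dc=example,dc=com
  Host name: xxx.example.com
  Principal name: host/xxx.example.com@EXAMPLE.COM
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample: the same host as a normal, healthy entry.
SAMPLE_NORMAL='--------------
1 host matched
--------------
  dn: fqdn=xxx.example.com,cn=computers,cn=accounts,dc=example,dc=com
  Host name: xxx.example.com
  Principal name: host/xxx.example.com@EXAMPLE.COM
----------------------------
Number of entries returned 1
----------------------------'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONFLICT" | conflict_entry_dn && echo "conflict entry found"
    printf '%s\n' "$SAMPLE_NORMAL" | conflict_entry_dn || echo "no conflict entry"
fi
```

The printed DN is the exact value to pass to ldapdelete (as Directory Manager) once you have confirmed it is the stale copy and not the live host; the Red Hat Directory Server guide Rob links covers the alternative of renaming the conflict entry back instead of deleting it.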


[Freeipa-users] IPA Client not able to remove

2017-01-01 Thread tarak sinha
Hi FreeIPA Team,

I am not able to remove the IPA client host entry from Web UI and command
line as well. While trying to add it’s showing “Host is already exist”.
Please give me some suggestion to get rid of this issue.

#ipa host-del xxx.example.com --updatedns

ipa: ERROR: xxx.example.com: host not found

#ipa host-show xxx.example.com

ipa: ERROR: xxx.example.com: host not found

*Thanks,*

*Tarak Nath Sinha*

*Mobile: **+91 8197522750*