Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
, Jul 21, 2016 at 12:23 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote: > >> The httpd_error log doesn't contain the part where `ipa cert-show 1` was >> run. If it is from the same time. >> >> *I am not sure about that, please see httpd_err

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
, Linov Suresh <linov.sur...@gmail.com> wrote: > I'm facing another issue now, my kerberos tickets are not renewing, > > *[root@caer ~]# ipa cert-show 1* > ipa: ERROR: Ticket expired > > *[root@caer ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default princip

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I agree with you Jakub, I will start separate thread for separate issues. On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > > I'm facing another issue now, my kerberos tickets a

[Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We are using CentOS 6.4/FreeIPA 3.0.0 LDAP/Apache certificates were expired and when we tried to renew, we found Signing-Cert is missing. # certutil -L -d /etc/httpd/alias -n Signing-Cert certutil: Could not find cert: Signing-Cert : File not found How do we recreate Signing-Cert certificate?

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We were not sure that Signing-Cert required for LDAP/Apache certificates renewal. Thank you very much for your update Rob. We are going to renew the certificates without Signing-Cert. On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true>"*." goes away? On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote: > >> Could you please verify, if we have set correct trust attributes on the >> cert

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Linov Suresh
9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true>"*." gone this time. Thanks for your help. We have a master replica also, *how do we renew the replica server*? On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh <linov.sur...@gmail.com> wrote: > Thank you very much

[Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Linov Suresh
I tried to create master replica using the option --setup-ca, it failed, because of "Your system may be partly configured." Please note we use different ipa package for master and replica. master: [root@caer ~]# rpm -q ipa-server ipa-server-3.0.0-26.el6_4.2.x86_64 replica: [root@neit-lab01 ~]#

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-26 Thread Linov Suresh
ons/962373 ? On Mon, Jul 25, 2016 at 6:17 PM, Linov Suresh <linov.sur...@gmail.com> wrote: > We were not sure that Signing-Cert required for LDAP/Apache certificates > renewal. Thank you very much for your update Rob. We are going to renew the > certificates without Signing-Cert. > >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
=63=true=true>".* On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote: > >> Thanks for your help Rob, I will create a separate thread for IPA >> replication issue. But we are still getting >> * >> * >&

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Linov Suresh
2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik <pvobo...@redhat.com> wrote: > On 07/21/2016 05:14 PM, Linov

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
! Linov Suresh 70 Forest Manor Rd. Toronto ON M2J 0A9 Mobile: +1 647 406 9438 Linkedin: ca.linkedin.com/in/linov/ Website: http://mylinuxthoughts.blogspot.com On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote: > On 07/18/2016 05:45 AM, Lin

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
rtmonger/restart_dirsrv " TELOIP.NET" track: yes auto-renew: yes On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote: > Yes, PKI is running and I don't see any errors in selftests, I have > followed https://access.redhat.com/solutions/64

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-17 Thread Linov Suresh
ELOIP.NET" track: yes auto-renew: yes [root@caer ~]# Your help is highly appreciated! On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote: > >> I logged into my IPA master, and found that the cert h

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
now, and is affected our production environment. Pleas help us. On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote: > We have cloned and created another virtual server from the template. > Surprisingly this server certificates were also expired at t

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote: > *Update: my webserver and LDAP certificates were expired at 2016-07-18 > 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.* > > > *Could you please help us? * > > [root@caer

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
--uninstall to clean up. Configuration of CA failed [root@neit-lab ~]# I did a clean up using /usr/sbin/ipa-server-install --uninstall but it wasn't helpful. Wondering if you can help us on this, On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Sur

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
this new problem so we can keep the > issues separated? > > IPA gets little information back when dogtag fails to install. You need to > look in /var/log//debug for more information. The exact location > depends on the version of IPA. > > rob > > Linov Suresh wrote: > >>

[Freeipa-users] IPA Replication failed: Your system may be partly configured. Run ipa-server-install --uninstall to clean up. Configuration of CA failed

2016-07-20 Thread Linov Suresh
I was trying to replicate our IPA server which is running on CentOS6.4, FreeIPA 3.0 and I got an error, *Your system may be partly configured.* *Run /usr/sbin/ipa-server-install --uninstall to clean up.* *Configuration of CA failed* I ran /usr/sbin/ipa-server-install --uninstall couple of times

[Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Linov Suresh
I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago. Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Redhat documentation, How do I manually renew Identity Management (IPA) certificates after

[Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
gbi/9WbKSZgNl58L16zgwnZ0pnndDcNf/FXwwRKP wm1YBfh+UyydiHHl/swLyV84vOXr -END CERTIFICATE- Your help is highly appreciated. Regards, Linov Suresh. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-15 Thread Linov Suresh
modifying entry "fqdn=cpe-5061747522f9.example.net ,cn=computers,cn=accounts,dc=example,dc=net" Could you please help us to fix this? Appreciate your help in advance, Linov Suresh. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listin

[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-05 Thread Linov Suresh
We have FreeIPA 3.0.0 running on CentOS 6.4 and master-ipa01 (configured with --setup-ca option) and replica- ipa02 (configured without --setup-ca) option. We use a script ipa clients to the server, when we tried to add new ipa clients, we are getting error, *ipa: ERROR: Insufficient access:

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02 is missing on both master and replica servers. Do we need to add IPA server 2, ipa02 on both master and replica? *[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
Great! That worked. Thank you so much Rob. Your help is highly appreciated. On Thu, Aug 25, 2016 at 3:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Linov Suresh wrote: > >> I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02 >> is missing on

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-24 Thread Linov Suresh
wrote: > On 08/16/2016 09:25 AM, Petr Spacek wrote: > > On 15.8.2016 20:18, Linov Suresh wrote: > >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0 > >> > >> > >> We can only add the clients from IPA Server 01, not from IPA Server 02. > >