Hi everybody,
With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi and
HP ILO certificates to my FreeIPA server.
I create csr with the following command: "openssl req -new -sha256 -nodes
-config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr"
My OpenSSL configuration
On 07/28/2017 07:56 PM, Jake via FreeIPA-users wrote:
All I see are responses like yours, how about a link or add it to the
documentation since it's such a problem?!
if the ruvs cannot be decoded, the ipa command line utility does not
work, you have to execute a plain cleanallruv task, an exam
I did answer your same question on June 2nd
On 07/29/2017 05:09 PM, pgb205 via FreeIPA-users wrote:
we are affected by the CSN time skew bug discussed in this wiki
http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html#so-how-does-the-time-skew-grow-at-all
and
h
On Fri, Jul 28, 2017 at 9:27 PM, Rob Crittenden via FreeIPA-users
wrote:
> John Trump via FreeIPA-users wrote:
>> I am using FreeIPA 4.4 and have implemented a password policy where
>> password history is set to 24. If a password admin or the user "admin"
>> resets a users password, the user is fo
On Sun, Jul 30, 2017 at 6:53 PM, Ian Harding via FreeIPA-users
wrote:
> I had an unexpected restart of an IPA server that had apparently had
> updates run but had not been restarted. ipactl says pki-tomcatd would
> not start.
>
> Strangely, the actual service appears to be running:
>
> [root@seat
On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
Hello Florence,
I have checked the output for the ldapsearch command and I can see the
IPA CA as well as the third party CA on my /etc/ipa/ca.crt file on my
IPA Server.
Even I tried installing the client by giving the option ca-cer
The entry is present on both master, and replica. Also, the status on
replica for those two has changed to *'ca-error: Invalid cookie: '''*. The
certs listed by certutil on both systems, as well as the ones listed by the
ldap query seem to match. When I try to resubmit, there is also this
message i
Hello Florence,
> the tool ipa-cacert-manage is used to renew IPA CA certificate, not the
> https certificate. It is a common mistake (IPA CA certificate is the
> certificate authority that has delivered the https and ldaps certificates).
Yes
> But now that you have renewed the CA certifica
Any ideas on this? Everything appears to be in order, yet there is a disparity
between the master and replica on the host count.
On Jul 25, 2017, at 09:11, Grant Janssen wrote:
grant@ef-idm02:~[20170725-9:05][#56]$ ipa_check_consistency -d
PRODUCTION.EFILM.COM
I agree with what Fraser says. Non-expired certs (revoked or not)
should never be removed from the CA repository as that will affect the CRL
I believe someone asked about this before, and we also warned them about
that. Though I have no recollection how it worked out for them in the
end. Yo
Per Qvindesland via FreeIPA-users wrote:
> Hi All
>
> I installed a custom signed certificate from quovadis, the install on the ipa
> server went fine but when I try to add a client (centos 6) it gives error:
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been
> mark
Ian Harding via FreeIPA-users wrote:
> I had an unexpected restart of an IPA server that had apparently had
> updates run but had not been restarted. ipactl says pki-tomcatd would
> not start.
>
> Strangely, the actual service appears to be running:
>
dogtag is an application within tomcat so t
Mikaël ANDRE via FreeIPA-users wrote:
> Hi everybody,
>
> With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi
> and HP ILO certificates to my FreeIPA server.
> I create csr with the following command: "openssl req -new -sha256
> -nodes -config openssl.cfg -newkey rsa:2048 -keyout
Prasun Gera via FreeIPA-users wrote:
> The entry is present on both master, and replica. Also, the status on
> replica for those two has changed to *'ca-error: Invalid cookie: '''*.
> The certs listed by certutil on both systems, as well as the ones listed
> by the ldap query seem to match. When I
On 07/24/2017 10:25 PM, Fraser Tweedale wrote:
Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
file (ideally the whole thing)?
Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role. To install the CA role on an
existing replica use
Ludwig,
what about this 'fix'
https://bugzilla.redhat.com/show_bug.cgi?id=1009122
won't the setting of nsslapd -ignore-time-skew==on effectively solve the issue?
IE on the down server edit the value in /etc/dirsrv/slapd-DOMAIN/dse.ldif to
nsslapd-ignore-time-skew=on
and then try to bring up
Bullseye Jakub, that did the trick. I should have posted for help on the
mailing list sooner. Thank you so much, you are saving my ass.
It makes sense to increase the krb5_auth_timeout as my AD domain
controllers servers are worldwide. Currently they exist in 3 regions: North
America, Europe and
I've been trying to get this to work for a few days now all to no avail...
I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate
a number of VMs that I grew tired of managing permissions on an individual basis
and so far have been very pleased.
Now, I'm attempting to use th
I've been trying to get this to work for a few days now all to no avail...
I've been running "FreeIPA, version: 4.3.1" for a few months now to
authenticate a number of VMs that I grew tired of managing permissions on an
individual basis and so far have been very pleased.
Now, I'm attempting to use t
On 07/31/2017 11:34 AM, Rob Crittenden wrote:
Ian Harding via FreeIPA-users wrote:
I had an unexpected restart of an IPA server that had apparently had
updates run but had not been restarted. ipactl says pki-tomcatd would
not start.
Strangely, the actual service appears to be running:
dog
I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving sch
Hi Florence,
Thanks for your update.
Tried copying the ca.crt file to /et/ipa and the installation went fine.
Thanks and Regards,
Alka Murali
On Mon, Jul 31, 2017 at 3:58 PM, Florence Blanc-Renaud
wrote:
> On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
>
>> Hello Florence,
>>
>>
They are published, or at least it would seem that way. These were my
queries:
ldapsearch -h ipa_master -x -D 'cn=directory manager' -b cn="subsystemCert
cert-pki-ca",cn=ca_renewal,cn=ipa,cn=etc,dc= -W
ldapsearch -h ipa_replica -x -D 'cn=directory manager' -b cn="subsystemCert
cert-pki-ca",cn=ca_re
Grant,
>Any ideas on this? Everything appears to be in order, yet there is a
>disparity between the master and replica on the host count.
>On Jul 25, 2017, at 09:11, Grant Janssen wrote:
What's going on with DNS on these two hosts? Are they pointing to the same DNS
server? Are there kerb
On 07/31/2017 10:45 PM, pgb 205 via FreeIPA-users wrote:
Ludwig,
what about this 'fix'
https://bugzilla.redhat.com/show_bug.cgi?id=1009122
won't the setting of nsslapd -ignore-time-skew==on effectively solve the issue?
IE on the down server edit the value in /etc/dirsrv/slapd-DOMAIN/dse.ldif
On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> Bullseye Jakub, that did the trick. I should have posted for help on the
> mailing list sooner. Thank you so much, you are saving my ass.
>
> It makes sense to increase the krb5_auth_timeout as my AD domain
> controllers servers a
26 matches