On Thu, Aug 03, 2017 at 06:09:22AM +1000, Fraser Tweedale wrote:
> On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote:
> > On 08/02/2017 07:25 AM, Fraser Tweedale wrote:
> > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> > > >
> > > > Providing the dogtag debug log
On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote:
> On 08/02/2017 07:25 AM, Fraser Tweedale wrote:
> > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> > >
> > > Providing the dogtag debug log might be helpful. The replica install log
> > > shows that the GoDaddy CA
On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
> I'm playing around with keycloak and wanted to use an SSL certificate
> from IPA. I've looked around but didn't see any howto about using java
> keytool with ipa-getcert. Has someone experience with it?
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Since taking over our FreeIPA environment I've been unable to create a new
> > CA replica. A bunch of failed attempts and upgrades over the last year and
> > I keep running in to
On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> Mark Haney via FreeIPA-users wrote:
> > On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
> >> you can connect to IPA web UI on the server to revoke the cert:
> >> https://server.ipadomain.com/ipa/ui, then navigate to
On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by
> an external root CA. Problem:
> Even though I have imported the root CA and clicked on all the trust
> checkboxes, chromium
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote:
> On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote:
> > Hi Fraser,
> > On Fri, 11 Aug 2017 18:48:29 +1000
> > Fraser Tweedale via FreeIPA-users <email@example.com>
On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote:
> Hi Fraser,
> Thanks for the reply.
> However I have both my IPA CA and third party CA, where IPA CA is self
> signed and third party CA Signed by DigiCert. So if my SSL certificate is
> going to expire next
On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote:
> I am using the embedded CA For FreeIPA as well as external CA Signed by
> Digicert. However, the certificate will be expiring next month.
> After renewal, do I need to install the certificate again
On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote:
> On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
> > Which version(s) of FreeIPA?
> > Which service(s) (HTTP, LDAP?).
> HTTPS. I haven't checked LDAPS yet. It appears
On Thu, Jul 13, 2017 at 08:20:02AM -0400, Jeff Fouchard via FreeIPA-users wrote:
> The certificates are being issued via ipa-getcert. The certificates we get
> back are signed with what looks to be the old "self-signed" IPA CA
> certificate. The CN is the same as the new one, but the serial /
On Thu, Jul 13, 2017 at 03:02:02PM +, Charles Hedrick via FreeIPA-users
> I’ve installed ipa. Originally I did the default install, without DNS.
> I then updated to a commercial cert. Notes at the end.
> I just did a yum update. isa-upgrade failed with the following error:
On Mon, Jul 17, 2017 at 08:41:26AM -0400, Prasun Gera wrote:
> Bumping this for help. I need to renew my replica's SSL certificate which
> will expire in a month, but I can't find any instructions. It looks like
> the replica's web-ui cert isn't tracked by the master or the replica. I'm
> using a
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> I am using FreeIPAv4, some of the clients' products do not support LDAP failover
> so I am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream
> I have two FreeIPA server
On Thu, Jul 13, 2017 at 10:57:59AM +1000, Fraser Tweedale wrote:
> On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> > Hello,
> > I'm getting desperate, I'm still unable to fix my expired certificates on
> > my freeIPA master.
> > Summary:
> >- I
Yes. Yikes. Karl, I already replied to your earlier thread, but
`ipa-cacert-renew` was not the right command to run.
On Wed, Jul 12, 2017 at 09:38:44AM +, Callum Guy via FreeIPA-users wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like
> you have renewed the
On Wed, Jul 12, 2017 at 01:20:36PM -0400, Mark Haney via FreeIPA-users wrote:
> I'm really new to FreeIPA, and this is probably a stupid question, but I
> just setup a replica of the primary (not in production) IPA server we have.
> However, the replica's SSL cert is untrusted, while the primary
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
>- I discovered that my web ui SSL certificate had expired.
>- the certificate
On Thu, Jul 13, 2017 at 10:55:39AM +0200, Karl Forner wrote:
> > To recover from this situation you should reinstall the old CA
> > certificate via ipa-cacert-manage. If you can't find a copy of that
> > lying around you should (for a self-signed IPA CA) be able to
> > retrieve it
On Mon, Jul 17, 2017 at 10:18:40AM -0400, Mark Haney wrote:
> On 07/17/2017 09:27 AM, Fraser Tweedale wrote:
> > https://tools.ietf.org/html/rfc6125#section-7.2
> > This document states that the wildcard character '*' SHOULD NOT
> > be included in presented identifiers but MAY
On Mon, Jul 17, 2017 at 02:06:36PM -0400, Prasun Gera wrote:
> Hi Fraser,
> I ran that command on the replica (which is where it needs to be run, right
> ? ), and it finished without any error. However, when I called ipa-getcert
> list, it shows an error:
> Request ID '20170717180008':
On Fri, Jul 14, 2017 at 07:47:39AM -0400, Mark Haney via FreeIPA-users wrote:
> On 07/13/2017 09:57 PM, Fraser Tweedale wrote:
> > OK, I think I understand.
> > ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
> > set up with a certificate issued by the IPA CA, which your
On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users wrote:
> Prior to my employment, one of our engineers setup an IPA server to replace
> the horrific OpenLDAP server. One of my first tasks was to build a second
> IPA server and setup replication. Initially, the replication
On Wed, Jul 19, 2017 at 05:31:20AM -0400, Prasun Gera wrote:
> Thank you, Fraser. That works. I also added the post-script command
> "/usr/libexec/ipa/certmonger/restart_httpd". Upon comparing with the
> master, there are quite a few certs that are tracked on the master, and
> none on the replica.
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
> Hello all,
> we are currently facing issue with huge number of outdated certificate entries
> in o=ipaca LDAP subtree (many servers no longer exists, certificates already
> expired etc)
> and we would like to remove
On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote:
> Michael Gusek via FreeIPA-users wrote:
> > Hi Fraser,
> > at the moment, i can't provide this logfile, i've moved that back to
> > have only new log lines. But a new logfile is not created ??? In my
> > old logfile i have
On Tue, Aug 08, 2017 at 01:52:40PM +0200, Michael Gusek via FreeIPA-users wrote:
> we run in a problem with expired certificates:
> > getcert list (sample show only one expired certificate)
> Request ID '20170202144747':
> status: MONITORING
> stuck: no
> key pair
On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote:
> On 08/02/2017 04:17 PM, Fraser Tweedale wrote:
> > > - /var/log/ipareplica-install.log from replica
> > > - /etc/pki/pki-tomcat/ca/debug from both master and replica
> > >
> > > Those logs should do for a start.
> > >
> > > I'd
On Fri, Aug 18, 2017 at 05:28:12PM +1000, Fraser Tweedale wrote:
> Hi Stefan et al,
> It's hard to work out exactly what's going on.
> First make sure that all certificates including the IPA CA
> certificate are within their validity period. Make sure that CA
> certificate(s) have the
Hi Stefan et al,
It's hard to work out exactly what's going on.
First make sure that all certificates including the IPA CA
certificate are within their validity period. Make sure that CA
certificate(s) have the correct trust flags in the /etc/httpd/alias
certutil -d /etc/httpd/alias
On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote:
> I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed
> with --external-ca, and the resulting CSR signed with a validity period of
> 30 days to test behavior around expirations.
> Upon booting
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via
> after the mistake with Startcom CA (Class 3), now I look for a new
> Is it possible and functional to install a Letsencrypt CA on an IPA-Server?
> I have found a script
On Thu, May 25, 2017 at 10:59:11AM -0400, Rob Foehl via FreeIPA-users wrote:
> On Thu, 25 May 2017, Fraser Tweedale wrote:
> > This is not correct. The CA cert must be valid for the leaf cert to
> > be valid, but the CA cert *can* be renewed without requiring leaf
> > certificates to be
On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote:
> On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote:
> > On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
> > > I am not saying “instead of”. We are using stan
On Sun, Jun 11, 2017 at 12:46:31AM -, jochem--- via FreeIPA-users wrote:
> Hello all,
> I finally got something working, and found something of a cause.
> I replaced
On Wed, Sep 20, 2017 at 08:50:03AM +1000, Lachlan Musicman via FreeIPA-users
> 2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-09-19T22:35:51Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade
On Mon, Oct 09, 2017 at 02:29:09PM +0200, Gabriel Stein via FreeIPA-users wrote:
> Hi all,
> I was discussing an issue with @ftweedal and I will continue doing some
> questions here.
> I have installed Freeipa with an additional Replica Server, but to me some
> concepts are not so clear.
On Mon, Oct 09, 2017 at 02:39:57PM +0200, Gabriel Stein via FreeIPA-users wrote:
> Oh, sorry for the typos... (thanks @callum)
Datadog is a pretty good name though! :)
> Best Regards,
> Gabriel Stein
> Gabriel Ferraz
On Tue, Sep 05, 2017 at 11:16:03AM -0500, Kat via FreeIPA-users wrote:
> Hi all,
> Looking to proxy some applications with a reverse proxy. Want to integrate
> with IPA to do auth on the front end of the proxy so it passes kerberos
> tickets to the back-end applications. Any suggestions on which
On Wed, Sep 06, 2017 at 02:05:56PM -0400, Anthony Clark via FreeIPA-users wrote:
> It may possibly be related to this, but this is marked as fixed for 4.3:
> I'm on 4.4.0-14.el7.centos.7
> A user had their lastname entry added with the wrong case. I
On Sun, Aug 27, 2017 at 07:13:50AM -0400, Outback Dingo via FreeIPA-users wrote:
> Done configuring directory server (dirsrv).
> Configuring Kerberos KDC (krb5kdc)
> [1/10]: adding kerberos container to the directory
> [2/10]: configuring KDC
> [3/10]: initialize kerberos container
On Wed, Oct 11, 2017 at 12:50:39PM -0400, Mark Haney via FreeIPA-users wrote:
> I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7
> (along with updating C7 to 7.4) and it bombed spectacularly. It seems the
> upgrade process doesn't like the GoDaddy SSL cert we supplied
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Still looking for any ideas on this one so giving it a bump.
> Next time please don't wipe out all the context.
> Fraser, it seems to be having a problem connecting to the security
On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote:
> I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
> able to add SAN's for a different dns domain than exists in the IPA realm.
> The dns for 'otherdomain.com' is handled by active
On Tue, May 08, 2018 at 05:35:19PM +0100, Roderick Johnstone via FreeIPA-users
> In our current ipa implementation some of the ipa internal certificates are
> not able to be renewed correctly.
> After a lot of support both from Redhat and also through this list, neither
On Thu, May 03, 2018 at 02:25:34PM +, Ross Infinger wrote:
> I assume the issue here is with the command...
> Which returns...
> domain info: standalone="no"?>IPA00
> I notice that all the SubsystemCount values are
On Wed, May 09, 2018 at 03:12:37AM -, Henery Hawk via FreeIPA-users wrote:
> I've followed what I thought were the instructions to install
> Let's Encrypt certs on my recent FreeIPA installation but when I
> restart the services I pki-tomcatd fails to restart.
> During the installs I've
I concur with the answers in Rob's reply. But I have one question.
On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via FreeIPA-users
> 3. How can I export the IPA revocation list so it's compliant with servers
> (CRL format)
What do you mean by "compliant with
The troubleshooting page was getting huge and unwieldy. I have
broken the various sections out into separate pages. Now the main
troubleshooting page is just some high-level info/advice and a list
of links to other topics.
I haven't made
My latest blog post looks at how to clean up and install a *new* CA
within an existing FreeIPA deployment. This handles scenarios where
a CA installation has failed, or the original CA has been lost (e.g.
all CA replicas decommissioned).
Enjoy! As usual, I am keen for whatever feedback or
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an
> expired certificate which I renewed and all seemed good.
> It now appears that although the certificate
On Mon, Apr 30, 2018 at 11:49:09AM -0400, Brian Weaver via FreeIPA-users wrote:
> After a recent power outage the IPA master server I built a few years ago
> is having some issues. I've done as much troubleshooting as I can and I
> think I've tracked down the issue to the certificate database in
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug
log files from both master and replica?
On Thu, Apr 26, 2018 at 05:33:32PM +, Ross Infinger via FreeIPA-users wrote:
> I'm installing the CA service on an existing replica with command
On Mon, Apr 30, 2018 at 03:30:34PM +0200, H. Frenzel via FreeIPA-users wrote:
> I tried to install a CA to the 2nd master a replicafile which was created on
> the 1st master (with self-signed CA), with fails with:
> ipa : DEBUGstderr=TokenException: Failed to import
On Thu, Oct 19, 2017 at 10:40:12AM +, Joel Kåberg via FreeIPA-users wrote:
> I'm trying to sign a CSR which has multiple CN in the certificate
> subject. When the certificate is signed it only contains one CN in
> the subject (should be 2, site1.domain.tld and site2.domain.tld),
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users
> After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at
> server. Request failed with status 500: Non-2xx response from CA REST API:
> 500." when certmonger tries to renew httpd/dirsrv
get servers, and who can perform particular
privileged operations on target servers. FreeIPA enables this
> Sean Hogan
> From: Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users wrote:
> I have recently been looking into the password vault for IPA and would
> like to implement however I have not been able to find an answer to a
> compliance question on it yet.
On Wed, Jan 10, 2018 at 01:45:04PM +0100, Giulio Casella wrote:
> Il 10/01/2018 11:01, Giulio Casella via FreeIPA-users ha scritto:
> > Il 10/01/2018 10:49, Giulio Casella via FreeIPA-users ha scritto:
> > > Fraser, some more info:
> > >
> > > In
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote:
> Il 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users ha scritto:
> > Great! I'm glad you got to the bottom of it. Just curious - were
> > there / are there multiple authority entries in LDAP underneath
> > o
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users
> Il 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users ha scritto:
> > "CA replica" just means any IPA master that has the Dogtag CA
> > installed.
> > You have a Dogt
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users
> Hi Fraser,
> Il 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users ha scritto:
> > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users
> > wrote:
> > >
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote:
> Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto:
> > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
> > not the FreeIPA DIT. You should check on a CA replica.
On Mon, Jan 15, 2018 at 01:48:34PM +0100, Aljaž Srebrnič via FreeIPA-users
> > On 15 Jan 2018, at 03:42, Fraser Tweedale > > wrote:
> > On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users
> > wrote:
On Mon, Jan 29, 2018 at 01:34:37PM +, Mike Kelly via FreeIPA-users wrote:
> I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right
> way to generate per-user certificates? (Looking to generate certs for
> Android and Chrome OS, so I don't have an easy way to build a
> > > > > certificate:
> > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > > > > cert-pki-ca',token='NSS Certificate DB'
> > > > > CA: dogtag-ipa-ca-renew-agent
> > > > > issuer
On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users
> Problem solved.
> Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added
> permissions and selinux labels, and went back to Christmas.
> Problem still there, renewal did not
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users
> some certificates on our freeipa-cluster (3 servers) have not been
> renewed till now, 2 hours before expiring. Can this be a problem?
> Some of the certificates, the ones expiring show
On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users
> Is it possible to apply wildcard SSL on v3.1 to be able to migrate to
> recent free-ipa?
> Reason being that, I need to backdate date to year before self-signed expired.
> I have not been able to renew
On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users wrote:
> I'll give that a try.
If you "Clear Recent History" for the domain, ensuring that "Remove
Offline Data" is selected, I think that might do the trick. It's
something like that, anyhow.
Or choose a different CA
Can you please provide the contents of
/var/log/pki/pki-tomcat/ca/debug from both the replica (if it
exists) and the master.
On Thu, Aug 02, 2018 at 05:03:54PM +1200, Aaron Hicks via FreeIPA-users wrote:
> Hello the
On Wed, Aug 08, 2018 at 02:38:39PM +0800, None via FreeIPA-users wrote:
> I tried to install ipa using "yum install -y ipa-server" in CentOS 7.2.
> Since the environment cannot connect to network, I prepared a local yum
> repository using iso file.
> Then i encountered dependency
There was recently discussion about how to issue sub-CA certificates
to external entities in FreeIPA (i.e. not lightweight CAs which are
internal to an IPA deployment). So I blogged a comprehensive HOWTO,
with a discussion of the caveats/limitations.
On Fri, Jul 06, 2018 at 09:21:44PM -0700, Thomas Letherby wrote:
> Hello Fraser,
> The serial numbers appear to match, but if I run ipa-certupdate I get the
> trying https://server1.i.domain.net/ipa/json
> Connection to https://server1.i.domain.net/ipa/json
On Fri, Jul 13, 2018 at 09:13:02AM -, vitenbergd--- via FreeIPA-users wrote:
> Thank you very much, there are tons of valuable info in your blog
> related to this topic. Right now we are using 4.4 version of
> FreeIPA and autoconversion of CN -> SAN DNS was not the exact
> thing I wanted to
On Thu, Jul 12, 2018 at 09:26:09AM -, vitenbergd--- via FreeIPA-users wrote:
> Hello, everyone
> I've got problem similar to:
> So, there is a HP crypto device for which
On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via FreeIPA-users
> Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom
> built things that manage our PKI and so on, to FreeIPA (which looks like it
> can probably cover all our needs), and had a couple of
On Tue, Mar 20, 2018 at 08:22:53AM -0500, Kirk VanOpdorp via FreeIPA-users
> I have an external CA that I need to renew due to the root CA expiring soon
> and they grumbled at the CA subject last time and I suggested I would look
> into changing it. I don't see any route via the
On Tue, Mar 06, 2018 at 10:57:16AM +1000, Fraser Tweedale via FreeIPA-users
> On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users
> > Manually installing the cert at /etc/ipa/ca.cert and restarting
> > Apache fixes the error, but it seems li
On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users wrote:
> Manually installing the cert at /etc/ipa/ca.cert and restarting
> Apache fixes the error, but it seems like whenever a cert renewal
> happens, I'll have to manually update it again. Which seems
On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote:
> Hello all,
> Here's the info:
> certutil -d /etc/dirsrv/slapd-I-domain-NET -L
> Certificate Nickname Trust
On Wed, Jun 27, 2018 at 06:22:31PM -0700, Thomas Letherby via FreeIPA-users
> Hello Florence,
> It was the Signing-Cert and the I.domain.NET IPA CA cert. By setting the
> clock back I managed to get those to renew, now it seems I just need to get
> tomcat-pki to start.
> The error
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users
> Hi all,
> Creating the SSL certs/keys for for example Apache can easily be done
> by using the FreeIPA Dogtag CA-server. With some effort, I put it in an
> Ansible playbook which will install Apache and
On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via FreeIPA-users
> I have a FreeIPA server that is currently running as a CA only, no clients
> connect, no LDAP entries have ever been made, no DNS etc... The original
> ipa CA is how it was setup during the initial
On Thu, Oct 18, 2018 at 10:00:20AM -0400, Ralph Crongeyer via FreeIPA-users
> Hi Fraser,
> Actually my goal would be to have two identical stand alone servers. For
> instance maybe add a server as a replica and then separate them from each
> other, or maybe export the CA's and issued certs
On Fri, Oct 19, 2018 at 09:55:39AM -0400, Ralph Crongeyer via FreeIPA-users
> We are trying to combine services and servers into FreeIPA. We have
> openldap for ldap, and a stand alone FreeIPA for CA / certs, this stand
> alone has the DNS component installed, which we don't want to use in
(Cc freeipa-users@ for visibility)
On Mon, Oct 22, 2018 at 04:12:05PM -0400, Rob Crittenden wrote:
> I've gotten some upstream feedback on my cert checking tool and one user
> came back with a bunch of errors:
> Error looking up CA entry in IPA aeca4a88-630d-4f47-9585-73bad089260b:
On Fri, Oct 26, 2018 at 02:33:30PM +0200, Louis Lagendijk via FreeIPA-users
> On Tue, 2018-10-23 at 11:23 +1000, Fraser Tweedale via FreeIPA-users
> > Hi Rob,
> > (Cc freeipa-users@ for visibility)
> > On Mon, Oct 22, 2018 at 04
On Wed, Oct 31, 2018 at 11:58:57AM -0400, Rob Crittenden via FreeIPA-users
> Henrik Johansson via FreeIPA-users wrote:
> >> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users
> >> >> > wrote:
> >> It would create CSR
On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users
> William Muriithi via FreeIPA-users wrote:
> > Morning Rob
> >>> What's the process for either removing or making it known?
> >> I'll add something to the program about this too but for now you can run:
On Wed, Nov 07, 2018 at 01:05:24PM -0500, Rob Crittenden via FreeIPA-users
> Peter Oliver via FreeIPA-users wrote:
> > [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]:
> > CertUserDBAuthentication: cannot map certificate to any userUser not found
On Wed, Nov 07, 2018 at 06:27:51PM -, Zarko D via FreeIPA-users wrote:
> Okay, we know cert has expired, but I am configuring basic auth for PKI, so
> why is this relevant now?
The basic/cert auth is related to how Dogtag authenticates to the
The self-test checks the
On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
> Hello all,
> I have to clean up lot of useless certificate in dirsrv database.
> Because of resubmit loop on Certmonger client, i have 99,9% of certificate in
> dirsrv database that are useless and not
(Cc some other engineers for Dogtag cloning troubleshooting
Thanks for the additional logs. Can we please see [temporally
relevant snippets of] any other log files under
/var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca , as well as
the journal (`journalctl -u
On Thu, Nov 08, 2018 at 06:03:27AM -, Zarko D via FreeIPA-users wrote:
> Thank you Fraser for the support.
> 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no
> problem here.
> But I am afraid I can't find common date for remaining four certs. As per
> below data:
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users
> Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> > I am testing smartcard authentication with a yubikey neo like described
> > in
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote:
> On Thu, 8 Nov 2018, 01:41 Fraser Tweedale
> > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > match the IPA RA certificate
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
> > This is not timestamped, but I guess it is the thing. Weird, I don't
> > remember my provisioning does anything JRE-related, but I will do some
> > digging
On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote:
> On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> > Can you please clarify, what is the procedure to rebuild the master
> > via replication?
> Honestly, no, as there isn't any clearly documented way to do this ;)
On Mon, Nov 12, 2018 at 03:55:13PM -0500, Rob Foehl via FreeIPA-users wrote:
> If I have a pair of IPA servers and need to reinstall the one currently
> holding the CA master, is it actually necessary to promote the other one, or
> can I just follow the procedure to rebuild the current master via