[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 06:09:22AM +1000, Fraser Tweedale wrote: > On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > > > Providing the dogtag debug log

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > Providing the dogtag debug log might be helpful. The replica install log > > > shows that the GoDaddy CA

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: > > Hi, > > I'm playing around with keycloak and wanted to use an SSL certificate > from IPA. I've looked around but didn't see any howto about using java > keytool with ipa-getcert. Has someone experience with it? >

[Freeipa-users] Re: Can't create new CA replica

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote: > john.bowman--- via FreeIPA-users wrote: > > Since taking over our FreeIPA environment I've been unable to create a new > > CA replica. A bunch of failed attempts and upgrades over the last year and > > I keep running in to

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > Mark Haney via FreeIPA-users wrote: > > On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: > >> > >> you can connect to IPA web UI on the server to revoke the cert: > >> https://server.ipadomain.com/ipa/ui, then navigate to

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by > an external root CA. Problem: > > Even though I have imported the root CA and clicked on all the trust > checkboxes, chromium

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote: > On Sat, 12 Aug 2017, Harald Dunkel via FreeIPA-users wrote: > > Hi Fraser, > > > > On Fri, 11 Aug 2017 18:48:29 +1000 > > Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: Renewal of External Third Party SSL Cert

2017-08-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote: > Hi Fraser, > > Thanks for the reply. > > However I have both my IPA CA and third party CA, where IPA CA is self > signed and third party CA Signed by DigiCert. So if my SSL certificate is > going to expire next

[Freeipa-users] Re: Renewal of External Third Party SSL Cert

2017-08-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote: > Hello, > > I am using the embedded CA For FreeIPA as well as external CA Signed by > Digicert. However, the certificate will be expiring next month. > > After renewal, do I need to install the certificate again

[Freeipa-users] Re: Replication and SSL certs

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote: > On 07/12/2017 08:34 PM, Fraser Tweedale wrote: > > > > Which version(s) of FreeIPA? > ipa-server-4.4.0-14.el7.centos.7.x86_64 > > > > Which service(s) (HTTP, LDAP?). > HTTPS. I haven't checked LDAPS yet. It appears

[Freeipa-users] Re: Update signing certificate

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 08:20:02AM -0400, Jeff Fouchard via FreeIPA-users wrote: > The certificates are being issued via ipa-getcert. The certificates we get > back are signed with what looks to be the old "self-signed" IPA CA > certificate. The CN is the same as the new one, but the serial /

[Freeipa-users] Re: can't upgrade IPA because of certificate alias problem

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 03:02:02PM +, Charles Hedrick via FreeIPA-users wrote: > I’ve installed ipa. Originally I did the default install, without DNS. > > I then updated to a commercial cert. Notes at the end. > > I just did a yum update. isa-upgrade failed with the following error: > >

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-17 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 17, 2017 at 08:41:26AM -0400, Prasun Gera wrote: > Bumping this for help. I need to renew my replica's SSL certificate which > will expire in a month, but I can't find any instructions. It looks like > the replica's web-ui cert isn't tracked by the master or the replica. I'm > using a

[Freeipa-users] Re: Modify default dirsrv/LDAP certificate (add SAN)

2017-07-09 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote: > Hi, > > I am using FreeIPAv4; some client products do not support LDAP failover, > so I am configuring an LDAP load balancer based on KeepAlived to do LDAP stream > fail-over. > I have two FreeIPA server

[Freeipa-users] Re: still unable to renew certificates - deep trouble

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 10:57:59AM +1000, Fraser Tweedale wrote: > On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote: > > Hello, > > > > I'm getting desperate, I'm still unable to fix my expired certificates on > > my freeIPA master. > > > > Summary: > > > >- I

[Freeipa-users] Re: can not restart httpd service after certificate renewal

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
Yes. Yikes. Karl, I already replied to your earlier thread, but `ipa-cacert-renew` was not the right command to run. On Wed, Jul 12, 2017 at 09:38:44AM +, Callum Guy via FreeIPA-users wrote: > Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like > you have renewed the

[Freeipa-users] Re: Replication and SSL certs

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 12, 2017 at 01:20:36PM -0400, Mark Haney via FreeIPA-users wrote: > I'm really new to FreeIPA, and this is probably a stupid question, but I > just setup a replica of the primary (not in production) IPA server we have. > However, the replica's SSL cert is untrusted, while the primary

[Freeipa-users] Re: still unable to renew certificates - deep trouble

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote: > Hello, > > I'm getting desperate, I'm still unable to fix my expired certificates on > my freeIPA master. > > Summary: > >- I discovered that my web ui SSL certificate had expired. >- the certificate

[Freeipa-users] Re: can not restart httpd service after certificate renewal

2017-07-13 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 13, 2017 at 10:55:39AM +0200, Karl Forner wrote: > Hi, > > > > To recover from this situation you should reinstall the old CA > > certificate via ipa-cacert-manage. If you can't find a copy of that > > lying around you should (for a self-signed IPA CA) be able to > > retrieve it

[Freeipa-users] Re: Replication and SSL certs

2017-07-17 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 17, 2017 at 10:18:40AM -0400, Mark Haney wrote: > On 07/17/2017 09:27 AM, Fraser Tweedale wrote: > > > > https://tools.ietf.org/html/rfc6125#section-7.2 > > > > This document states that the wildcard character '*' SHOULD NOT > > be included in presented identifiers but MAY
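
The RFC 6125 identifier-matching rules the reply above points at, worked through as an added example (this is not code from the thread or from FreeIPA): a checker for DNS-ID/CN-ID comparison per section 6.4.3, covering the wildcard cases, plus the section 6.4.4 rule that a CN is ignored once the certificate carries any SAN dNSName. The hostnames in the demo are placeholders; the one-wildcard-per-label and at-least-one-character restrictions are this example's conservative choices, not RFC requirements.

```python
import re

# Added example, not code from the thread or from FreeIPA.  Implements the
# RFC 6125 section 6.4.3 wildcard rules for comparing a presented identifier
# (a dNSName or CN from the certificate) with a reference identifier (the
# host the client meant to reach).  The one-wildcard-per-label and
# "wildcard matches at least one character" limits are conservative choices
# of this example, not requirements of the RFC.


def _labels(name):
    """Normalise a DNS name: case-insensitive, optional trailing dot, no empty labels."""
    labels = name.rstrip(".").lower().split(".")
    if any(label == "" for label in labels):
        raise ValueError("invalid DNS name: %r" % name)
    return labels


def presented_id_matches(presented, reference):
    """True if the certificate's presented identifier matches the reference identifier."""
    p = _labels(presented)
    r = _labels(reference)
    if "*" not in presented:
        return p == r
    # Rule 1: a wildcard anywhere but the left-most label is never honoured
    # (bar.*.example.net is rejected outright).
    if any("*" in label for label in p[1:]):
        return False
    # Rule 2: the wildcard stands for exactly one label, so the label counts
    # must agree and every label to its right must match literally:
    # *.example.com matches foo.example.com, but neither example.com nor
    # bar.foo.example.com.
    if len(p) != len(r) or p[1:] != r[1:]:
        return False
    left = p[0]
    # Rule 3: never match a wildcard embedded in an IDNA A-label (xn--...).
    if left.startswith("xn--"):
        return False
    if left.count("*") != 1:
        return False  # conservative choice: one wildcard per label
    prefix, suffix = left.split("*")
    # Partial wildcards (baz*, *baz, b*z) are allowed by the RFC.  The match
    # is confined to the single left-most label, so it can never span a dot.
    return re.fullmatch(re.escape(prefix) + ".+" + re.escape(suffix), r[0]) is not None


def cert_matches_hostname(reference, dns_ids, common_name=None):
    """RFC 6125 section 6.4.4 order: if the certificate carries any DNS-ID
    (subjectAltName dNSName), the CN is not consulted at all; the CN-ID is
    only a fallback for certificates without SAN DNS names."""
    if dns_ids:
        candidates = list(dns_ids)
    else:
        candidates = [common_name] if common_name else []
    return any(presented_id_matches(c, reference) for c in candidates)


if __name__ == "__main__":
    for presented, reference in [("*.example.com", "ipa1.example.com"),
                                 ("*.example.com", "example.com"),
                                 ("bar.*.example.net", "bar.foo.example.net")]:
        print(presented, reference, presented_id_matches(presented, reference))
```

The practical consequence for the replica question in this thread: a server certificate whose SAN lists only the first master's name will not validate for a replica even if the CN happens to match, because the CN is ignored as soon as a dNSName is present.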

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-17 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 17, 2017 at 02:06:36PM -0400, Prasun Gera wrote: > Hi Fraser, > I ran that command on the replica (which is where it needs to be run, right > ? ), and it finished without any error. However, when I called ipa-getcert > list, it shows an error: > > Request ID '20170717180008': >

[Freeipa-users] Re: Replication and SSL certs

2017-07-16 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 14, 2017 at 07:47:39AM -0400, Mark Haney via FreeIPA-users wrote: > On 07/13/2017 09:57 PM, Fraser Tweedale wrote: > > OK, I think I understand. > > > > ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been > > set up with a certificate issued by the IPA CA, which your

[Freeipa-users] Re: IPA replica with CA role problems

2017-07-24 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users wrote: > Prior to my employment, one of our engineers setup an IPA server to replace > the horrific OpenLDAP server. One of my first tasks was to build a second > IPA server and setup replication. Initially, the replication

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 19, 2017 at 05:31:20AM -0400, Prasun Gera wrote: > Thank you, Fraser. That works. I also added the post-script command > "/usr/libexec/ipa/certmonger/restart_httpd". Upon comparing with the > master, there are quite a few certs that are tracked on the master, and > none on the replica.

[Freeipa-users] Re: Removal of obsolete certificates from o=ipaca

2017-07-30 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote: > Hello all, > > we are currently facing an issue with a huge number of outdated certificate entries > in the o=ipaca LDAP subtree (many servers no longer exist, certificates already > expired etc) > and we would like to remove

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote: > Michael Gusek via FreeIPA-users wrote: > > Hi Fraser, > > > > at the moment, i can't provide this logfile, i've moved that back to > > have only new log lines. But a new logfile is not created ??? In my > > old logfile i have

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 08, 2017 at 01:52:40PM +0200, Michael Gusek via FreeIPA-users wrote: > Hello, > > we run in a problem with expired certificates: > > > getcert list (sample show only one expired certificate) > ... > Request ID '20170202144747': > status: MONITORING > stuck: no > key pair

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote: > On 08/02/2017 04:17 PM, Fraser Tweedale wrote: > > > > > - /var/log/ipareplica-install.log from replica > > > - /etc/pki/pki-tomcat/ca/debug from both master and replica > > > > > > Those logs should do for a start. > > > > > > I'd

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 18, 2017 at 05:28:12PM +1000, Fraser Tweedale wrote: > Hi Stefan et al, > > It's hard to work out exactly what's going on. > > First make sure that all certificates including the IPA CA > certificate are within their validity period. Make sure that CA > certificate(s) have the

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Fraser Tweedale via FreeIPA-users
Hi Stefan et al, It's hard to work out exactly what's going on. First make sure that all certificates including the IPA CA certificate are within their validity period. Make sure that CA certificate(s) have the correct trust flags in the /etc/httpd/alias NSSDB: certutil -d /etc/httpd/alias
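
The trust-flag check Fraser describes, as an added example (not code from the thread or from FreeIPA): it parses `certutil -L -d /etc/httpd/alias` output into a nickname-to-trust map and flags any CA certificate whose SSL trust column does not carry `C`. SAMPLE is constructed certutil output with placeholder nicknames and realm; the list of CA nicknames to check is yours to supply for your deployment.

```python
import subprocess

# Added example, not code from the thread or from FreeIPA.  SAMPLE is
# constructed `certutil -L` output: the nicknames and realm are placeholders.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Example External Root                                        ,,
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
"""


def parse_certutil_list(output):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings.

    Nicknames may contain spaces but the trust column never does, so the
    text after the last space is the trust triple."""
    certs = {}
    for line in output.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,S/MIME")):
            continue  # header lines
        nickname, _, trust = line.rpartition(" ")
        fields = trust.split(",")
        if len(fields) != 3:
            raise ValueError("unexpected certutil line: %r" % line)
        certs[nickname.strip()] = tuple(fields)
    return certs


def trust_problems(certs, ca_nicknames):
    """Findings for CA certificates that are not trusted to issue server certs.

    In the SSL column 'C' marks a trusted CA for server (and peer) certs and
    'T' additionally trusts it for client certs; 'u' marks a cert whose own
    private key is in the database, which is what Server-Cert should show,
    not a CA.  A CA imported with empty trust (',,') validates nothing."""
    problems = []
    for nick in ca_nicknames:
        flags = certs.get(nick)
        if flags is None:
            problems.append("%s: not present in the database" % nick)
            continue
        ssl_trust = flags[0]
        if "C" not in ssl_trust:
            problems.append(
                "%s: SSL trust %r lacks 'C'; fix with: certutil -M -d <dbdir> -n '%s' -t 'C,,'"
                % (nick, ssl_trust, nick))
    return problems


def live_certs(dbdir="/etc/httpd/alias"):
    """Same check against a real database (needs read access to the NSSDB)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], check=True,
                         capture_output=True, text=True).stdout
    return parse_certutil_list(out)


if __name__ == "__main__":
    certs = parse_certutil_list(SAMPLE)
    for problem in trust_problems(certs, ["EXAMPLE.COM IPA CA", "Example External Root"]):
        print(problem)
```

Run `live_certs()` on the server and pass the nicknames of every CA in the chain of your HTTP certificate (the IPA CA, or the external root and any intermediates); an empty result means httpd's NSS database will build a trusted chain for its own Server-Cert.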

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote: > I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed > with --external-ca, and the resulting CSR signed with a validity period of > 30 days to test behavior around expirations. > > Upon booting

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Sat, 27 May 2017, Ivars Strazdiņš via FreeIPA-users wrote: > > Hi there, > > our IPA servers' https port is exposed to the internet. I wanted to restrict > > access to Web UI by requesting a user certificate

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via FreeIPA-users wrote: > Hello, > > after the mistake with Startcom CA (Class 3), now I look for a new > Certificate.. > > Is it possible and functional to install a Letsencrypt CA on a IPA-Server? > > I have found a script

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 10:59:11AM -0400, Rob Foehl via FreeIPA-users wrote: > On Thu, 25 May 2017, Fraser Tweedale wrote: > > > This is not correct. The CA cert must be valid for the leaf cert to > > be valid, but the CA cert *can* be renewed without requiring leaf > > certificates to be

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote: > On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > > > I am not saying “instead of”. We are using stan

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > I am not saying “instead of”. We are using standard authentication provided by > FreeIPA, but I want to protect Web UI interface from unwanted attention as it > is, unfortunately, exposed to entire internet. I’d be much happier if

[Freeipa-users] Re: String index out of range: -36

2017-06-11 Thread Fraser Tweedale via FreeIPA-users
On Sun, Jun 11, 2017 at 12:46:31AM -, jochem--- via FreeIPA-users wrote: > Hello all, > > I finally got something working, and found something of a cause. > > I replaced > policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, > $SUBJECT_DN_O > with >

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 20, 2017 at 08:50:03AM +1000, Lachlan Musicman via FreeIPA-users wrote: > 2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443] > timeout 300 > 2017-09-19T22:35:51Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:29:09PM +0200, Gabriel Stein via FreeIPA-users wrote: > Hi all, > > I was discussing an issue with @ftweedal and I will continue doing some > questions here. > > I have installed Freeipa with an additional Replica Server, but to me some > concepts are not so clear. > >

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:39:57PM +0200, Gabriel Stein via FreeIPA-users wrote: > Oh, sorry for the typos... (thanks @callum) > > '/s/Datadog/Dogtag/g' > Datadog is a pretty good name though! :) > Best Regards, > > Gabriel > > Gabriel Stein > -- > Gabriel Ferraz

[Freeipa-users] Re: Which one?

2017-09-05 Thread Fraser Tweedale via FreeIPA-users
On Tue, Sep 05, 2017 at 11:16:03AM -0500, Kat via FreeIPA-users wrote: > Hi all, > > Looking to proxy some applications with a reverse proxy. Want to integrate > with IPA to do auth on the front end of the proxy so it passes kerberos > tickets to the back-end applications. Any suggestions on which

[Freeipa-users] Re: Changing case of user attributes fails

2017-09-06 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 06, 2017 at 02:05:56PM -0400, Anthony Clark via FreeIPA-users wrote: > It may possibly be related to this, but this is marked as fixed for 4.3: > https://pagure.io/freeipa/issue/5456 > > I'm on 4.4.0-14.el7.centos.7 > > A user had their lastname entry added with the wrong case. I

[Freeipa-users] Re: AWS FreeIPA install killed ?

2017-08-27 Thread Fraser Tweedale via FreeIPA-users
On Sun, Aug 27, 2017 at 07:13:50AM -0400, Outback Dingo via FreeIPA-users wrote: > Done configuring directory server (dirsrv). > Configuring Kerberos KDC (krb5kdc) > [1/10]: adding kerberos container to the directory > [2/10]: configuring KDC > [3/10]: initialize kerberos container > [4/10]:

[Freeipa-users] Re: Upgrading with GoDaddy SSL cert for https only

2017-10-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 11, 2017 at 12:50:39PM -0400, Mark Haney via FreeIPA-users wrote: > I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7 > (along with updating C7 to 7.4) and it bombed spectacularly. It seems the > upgrade process doesn't like the GoDaddy SSL cert we supplied

[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote: > john.bowman--- via FreeIPA-users wrote: > > Still looking for any ideas on this one so giving it a bump. > > Next time please don't wipe out all the context. > > Fraser, it seems to be having a problem connecting to the security

[Freeipa-users] Re: IPA CA allow CSR SAN names in external domains

2017-10-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote: > Hello > > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be > able to add SAN's for a different dns domain than exists in the IPA realm. > The dns for 'otherdomain.com' is handled by active

[Freeipa-users] Re: Unable to sign CSR with multiple CN in subject

2017-10-19 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 19, 2017 at 10:40:12AM +, Joel Kåberg via FreeIPA-users wrote: > Hello > > I'm trying to sign a CSR which has multiple CN in the certificate > subject. When the certificate is signed it only contains one CN in > the subject (should be 2, site1.domain.tld and site2.domain.tld), >

[Freeipa-users] Re: Expired certificate problem

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote: > After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at > server. Request failed with status 500: Non-2xx response from CA REST API: > 500." when certmonger tries to renew httpd/dirsrv

[Freeipa-users] Re: IPA Password Vault

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
get servers, and who can perform particular privileged operations on target servers. FreeIPA enables this approach. Cheers, Fraser > > Sean Hogan > > > > > > > > From: Fraser Tweedale via FreeIPA-users > <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: IPA Password Vault

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users wrote: > > > Hello, > > I have recently been looking into the password vault for IPA and would > like to implement however I have not been able to find an answer to a > compliance question on it yet. > > >Does the

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 01:45:04PM +0100, Giulio Casella wrote: > On 10/01/2018 11:01, Giulio Casella via FreeIPA-users wrote: > > On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote: > > > Fraser, some more info: > > > > > > In

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote: > On 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users wrote: > > Great! I'm glad you got to the bottom of it. Just curious - were > > there / are there multiple authority entries in LDAP underneath > > o

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote: > On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote: > > "CA replica" just means any IPA master that has the Dogtag CA > > installed. > > > > You have a Dogt

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote: > Hi Fraser, > > On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users > > wrote: > > >

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote: > On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote: > > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), > > not the FreeIPA DIT. You should check on a CA replica. > >

[Freeipa-users] Re: Problems with KeyRetrieverClass when setting up replica with CA

2018-01-15 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 15, 2018 at 01:48:34PM +0100, Aljaž Srebrnič via FreeIPA-users wrote: > > On 15 Jan 2018, at 03:42, Fraser Tweedale > > wrote: > > > > On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users > > wrote: > >>

[Freeipa-users] Re: Problems with KeyRetrieverClass when setting up replica with CA

2018-01-14 Thread Fraser Tweedale via FreeIPA-users
On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users wrote: > Hello! > Yesterday I tried migrating a physical machine (ipa1) that was a FreeIPA CA > CRL master in my VM cluster. I followed the guide at [1] to migrate the CRL > master to another replica (ipa2) and

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 01:34:37PM +, Mike Kelly via FreeIPA-users wrote: > Hi, > > I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right > way to generate per-user certificates? (Looking to generate certs for > Android and Chrome OS, so I don't have an easy way to build a

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-30 Thread Fraser Tweedale via FreeIPA-users
> > > > > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > > > cert-pki-ca',token='NSS Certificate DB' > > > > > CA: dogtag-ipa-ca-renew-agent > > > > > issuer

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-02-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users wrote: > Hi, > > Problem solved. > > Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added > permissions and selinux labels, and went back to Christmas. > > Problem still there, renewal did not

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote: > Hi, > > some certificates on our freeipa-cluster (3 servers) have not been > renewed until now, 2 hours before expiring. Can this be a problem? > > Some of the certificates, the ones expiring show
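
The certmonger state that this thread, the "expired certificates - pki-tomcat not running" thread and the "Expired certificate problem" thread (CA_UNREACHABLE, "Non-2xx response from CA REST API: 500") all hinge on, as an added example that is not code from any of those threads or from FreeIPA/certmonger: a parser for `getcert list` output and a triage function that reports certificates already expired, certificates inside the renewal window that are still unrenewed, requests in a non-MONITORING state together with their `ca-error`, and stuck requests. SAMPLE is constructed `getcert list` output with placeholder hosts and realm; `WARN_DAYS` is an assumed "renewal should have started by now" window, adjust it to your certmonger configuration.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not code from the threads or from FreeIPA/certmonger.
# SAMPLE is constructed `getcert list` output (placeholder hosts/realm).
# getcert indents field lines with a tab; the parser accepts any leading
# whitespace.  WARN_DAYS is an assumption: the window before expiry in
# which certmonger should already have renewed the certificate.
WARN_DAYS = 28

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20170202144747':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2018-01-29 17:05:00 UTC
    track: yes
    auto-renew: yes
Request ID '20170202144812':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2019-01-23 14:48:12 UTC
    track: yes
    auto-renew: yes
Request ID '20170202144901':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa0.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500.).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa0.example.com,O=EXAMPLE.COM
    expires: 2018-01-05 09:00:00 UTC
    track: yes
    auto-renew: yes
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
_NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(output):
    """Return one dict of field -> value per tracking request, in order."""
    requests, current = [], None
    for line in output.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at the first colon only
            current[key.strip()] = value.strip()
    return requests


def _expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def renewal_findings(requests, now, warn_days=WARN_DAYS):
    """(request_id, nickname, code, detail) for everything that needs a human."""
    findings = []
    for req in requests:
        rid = req["request_id"]
        m = _NICK_RE.search(req.get("certificate", ""))
        nick = m.group(1) if m else "?"
        status = req.get("status", "?")
        if status != "MONITORING":
            detail = ("%s %s" % (status, req.get("ca-error", ""))).strip()
            findings.append((rid, nick, "status", detail))
        if req.get("stuck") == "yes":
            findings.append((rid, nick, "stuck",
                             "needs intervention; retry with: getcert resubmit -i " + rid))
        if "expires" in req:
            expires = _expiry(req["expires"])
            if expires <= now:
                findings.append((rid, nick, "expired", "expired at " + req["expires"]))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rid, nick, "expiring",
                                 "expires in %s and renewal has not happened" % (expires - now)))
    return findings


NOW = datetime(2018, 1, 29, 15, 0, tzinfo=timezone.utc)  # fixed clock for the constructed sample

if __name__ == "__main__":
    for finding in renewal_findings(parse_getcert_list(SAMPLE), NOW):
        print(*finding, sep=" | ")
```

On a live server feed the output of `getcert list` (run as root) into `parse_getcert_list` and pass `datetime.now(timezone.utc)`; a MONITORING certificate that is hours from expiry with no `ca-error` is exactly the "not renewed until now" situation this thread describes, and an expired certificate still in MONITORING means the renewal attempt never succeeded.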

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-12 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users wrote: > Hi, > > Is it possible to apply wildcard SSL on v3.1 to be able to migrate to > recent free-ipa? > Reason being that, I need to backdate date to year before self-signed expired. > I have not been able to renew

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users wrote: > I'll give that a try. > If you "Clear Recent History" for the domain, ensuring that "Remove Offline Data" is selected, I think that might do the trick. It's something like that, anyhow. Or choose a different CA

[Freeipa-users] Re: Questions about SSL certificates

2018-03-13 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via FreeIPA-users wrote: > Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom > built things that manage our PKI and so on, to FreeIPA (which looks like it > can probably cover all our needs), and had a couple of

[Freeipa-users] Re: Changing CA certificate subject name post-install

2018-03-20 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 20, 2018 at 08:22:53AM -0500, Kirk VanOpdorp via FreeIPA-users wrote: > I have an external CA that I need to renew due to the root CA expiring soon > and they grumbled at the CA subject last time and I suggested I would look > into changing it. I don't see any route via the

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-05 Thread Fraser Tweedale via FreeIPA-users
On Tue, Mar 06, 2018 at 10:57:16AM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users > wrote: > > Manually installing the cert at /etc/ipa/ca.cert and restarting > > Apache fixes the error, but it seems li

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-05 Thread Fraser Tweedale via FreeIPA-users
On Mon, Mar 05, 2018 at 04:57:52PM -, John Seekins via FreeIPA-users wrote: > Manually installing the cert at /etc/ipa/ca.cert and restarting > Apache fixes the error, but it seems like whenever a cert renewal > happens, I'll have to manually update it again. Which seems > brittle. The

[Freeipa-users] Re: Potentially Corrupted Tomcat PKI database, recovery steps?

2018-05-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 30, 2018 at 11:49:09AM -0400, Brian Weaver via FreeIPA-users wrote: > After a recent power outage the IPA master server I built a few years ago > is having some issues. I've done as much troubleshooting as I can and I > think I've tracked down the issue to the certificate database in >

[Freeipa-users] Re: CA install on replica fails - Clone URI does not match...

2018-04-26 Thread Fraser Tweedale via FreeIPA-users
Hi Ross, Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica? Thanks, Fraser On Thu, Apr 26, 2018 at 05:33:32PM +, Ross Infinger via FreeIPA-users wrote: > I'm installing the CA service on an existing replica with command >

[Freeipa-users] Re: Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token

2018-05-01 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 30, 2018 at 03:30:34PM +0200, H. Frenzel via FreeIPA-users wrote: > Hi, > > I tried to install a CA on the 2nd master from a replica file which was created on > the 1st master (with self-signed CA), which fails with: > > ipa : DEBUG stderr=TokenException: Failed to import >

[Freeipa-users] Re: Seeking advice on testing ipa internal certificate renewal

2018-05-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 08, 2018 at 05:35:19PM +0100, Roderick Johnstone via FreeIPA-users wrote: > Hi > > In our current ipa implementation some of the ipa internal certificates are > not able to be renewed correctly. > > After a lot of support both from Redhat and also through this list, neither > of

[Freeipa-users] Re: CA install on replica fails - Clone URI does not match...

2018-05-09 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 03, 2018 at 02:25:34PM +, Ross Infinger wrote: > I assume the issue here is with the command... > https://pci-mgmt-ipa01.pci.xx.com:443/ca/admin/ca/getDomainXML > > Which returns... > domain info: standalone="no"?>IPA00 > > I notice that all the SubsystemCount values are

[Freeipa-users] Re: After using 3rd party certs (Let's Encrypt) : pki-tomcatd fails to restart

2018-05-08 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 09, 2018 at 03:12:37AM -, Henery Hawk via FreeIPA-users wrote: > I've followed what I thought were the instructions to install > Let's Encrypt certs on my recent FreeIPA installation but when I > restart the services, pki-tomcatd fails to restart. > > During the installs I've

[Freeipa-users] Re: PKI with IPA

2018-05-17 Thread Fraser Tweedale via FreeIPA-users
Hi Maciej, I concur with the answers in Rob's reply. But I have one question. On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via FreeIPA-users wrote: > 3. How can I export the IPA revocation list so it's compliant with servers > (CRL format) > What do you mean by "compliant with

[Freeipa-users] FreeIPA wiki troubleshooting page re-org

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
Hi all, The troubleshooting page was getting huge and unwieldy. I have broken the various sections out into separate pages. Now the main troubleshooting page is just some high-level info/advice and a list of links to other topics. https://www.freeipa.org/page/Troubleshooting I haven't made

[Freeipa-users] [BLOG] Replacing a lost or broken CA in FreeIPA

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
My latest blog post looks at how to clean up and install a *new* CA within an existing FreeIPA deployment. This handles scenarios where a CA installation has failed, or the original CA has been lost (e.g. all CA replicas decommissioned). Enjoy! As usual, I am keen for whatever feedback or