[Freeipa-users] Re: SSL Private Key Recovery

2018-10-10 Thread Fraser Tweedale via FreeIPA-users
profile) to issue short-lived certificates, thus avoid the need to revoke (or if you revoke, limiting the time the certificate appears in a CRL). Cheers, Fraser > > Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24: > > On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via FreeIPA-users wrote: > Hello, > I have a FreeIPA server that is currently running as a CA only, no clients > connect, no LDAP entries have ever been made, no DNS etc... The original > ipa CA is how it was setup during the initial instal

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-18 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 18, 2018 at 10:00:20AM -0400, Ralph Crongeyer via FreeIPA-users wrote: > Hi Fraser, > Actually my goal would be to have two identical stand alone servers. For > instance maybe add a server as a replica and then separate them from each > other, or maybe export the CA's and issued certs

[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA

2018-10-21 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 19, 2018 at 09:55:39AM -0400, Ralph Crongeyer via FreeIPA-users wrote: > We are trying to combine services and servers into FreeIPA. We have > openldap for ldap, and a stand alone FreeIPA for CA / certs, this stand > alone has the DNS component installed, which we don't want to use in

[Freeipa-users] IPA sub-CAs; cleaning up spurious Dogtag LWCA entries

2018-10-22 Thread Fraser Tweedale via FreeIPA-users
Hi Rob, (Cc freeipa-users@ for visibility) On Mon, Oct 22, 2018 at 04:12:05PM -0400, Rob Crittenden wrote: > I've gotten some upstream feedback on my cert checking tool and one user > came back with a bunch of errors: > > Error looking up CA entry in IPA aeca4a88-630d-4f47-9585-73bad089260b: > n

[Freeipa-users] Re: IPA sub-CAs; cleaning up spurious Dogtag LWCA entries

2018-10-28 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 26, 2018 at 02:33:30PM +0200, Louis Lagendijk via FreeIPA-users wrote: > On Tue, 2018-10-23 at 11:23 +1000, Fraser Tweedale via FreeIPA-users > wrote: > > Hi Rob, > > > > (Cc freeipa-users@ for visibility) > > > > On Mon, Oct 22, 2018 at 04

[Freeipa-users] Re: Deployment without CA

2018-10-31 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 31, 2018 at 11:58:57AM -0400, Rob Crittenden via FreeIPA-users wrote: > Henrik Johansson via FreeIPA-users wrote: > > > > > >> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users > >> >> > wrote: > >> > >> It would create CSR fo

[Freeipa-users] Re: Replica install on RPI3

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
Dogtag CA is a massive enterprise Java program. Can't do much about it. Run a CA-less deployment, or run a CA-ful deployment with Raspberry Pi replicas having no CA, and CA replicas running on machines with more memory and more grunt. Cheers, Fraser On Sun, Nov 04, 2018 at 04:04:27PM +0100, Winf

[Freeipa-users] Re: FreeIPA - is it the right solution for me?

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 02, 2018 at 02:02:03PM -, 74cmonty via FreeIPA-users wrote: > Hi, > I am considering deploying FreeIPA in my home network. > In this network I run several servers and workstations with both Linux and > Windows. > In addition I have set up some web services running in containers (LXC). > I

[Freeipa-users] Re: Contribute to a HowTO

2018-11-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 02, 2018 at 12:50:46PM -, Peter Tselios via FreeIPA-users wrote: > OK, it might be stupid, but how do I add a new page in the Wiki. I > cannot find any "Create/Add/Edit" (or anything similar) link on > the pages! > You have to log in before those links appear. Cheers, Fraser _

[Freeipa-users] Re: Issues installing replica

2018-11-05 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote: > Might this be related to: > > https://pagure.io/freeipa/issue/7654 > > Maybe? > Possibly. Need the HTTP access log, the Dogtag access log (/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag debug log

[Freeipa-users] Re: Issues installing replica

2018-11-06 Thread Fraser Tweedale via FreeIPA-users
On Tue, Nov 06, 2018 at 10:29:00AM +0100, Alex Corcoles via FreeIPA-users wrote: > OK, will do that this afternoon. > > Is creating a new replica reusing an old replica's name a supported thing? > My replica is automatically provisioned, so it's appealing to me to rebuild > it if there's any probl

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 06:27:51PM -, Zarko D via FreeIPA-users wrote: > Okay, we know cert has expired, but I am configuring basic auth for PKI, so > why is this relevant now? > The basic/cert auth is related to how Dogtag authenticates to the database. The self-test checks the validity

[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote: > Hello all, > Hi David, > I have to clean up lot of useless certificate in dirsrv database. > Because of resubmit loop on Certmonger client, I have 99.9% of certificate in > dirsrv database that are useless and not

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 01:05:24PM -0500, Rob Crittenden via FreeIPA-users wrote: > Peter Oliver via FreeIPA-users wrote: > > [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: > > CertUserDBAuthentication: cannot map certificate to any userUser not found > > [02/Nov/2018:14:54:37][ajp-bio-1

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users wrote: > William Muriithi via FreeIPA-users wrote: > > Morning Rob > >>> What's the process for either removing or making it known? > >> > >> I'll add something to the program about this too but for now you can run: > >> >

[Freeipa-users] Re: Issues installing replica

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
Hi Alex, (Cc some other engineers for Dogtag cloning troubleshooting exposure). Thanks for the additional logs. Can we please see [temporally relevant snippets of] any other log files under /var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca , as well as the journal (`journalctl -u pki-tomcat

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 06:03:27AM -, Zarko D via FreeIPA-users wrote: > Thank you Fraser for the support. > 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no > problem here. > But I am afraid I can't find common date for remaining four certs. As per > below data: >
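Worked example for the "Fails to start CA" exchange above (the Dogtag self-test refusing to start on an expired subsystem certificate, and the search for a common date at which the remaining four certificates are all valid). This is added illustrative code, not code from the thread or from FreeIPA/Dogtag. It computes the intersection of the validity intervals of a set of certificates and proposes a clock value to wind back to, or, when the intervals do not overlap, names the pair of certificates that can never be valid at the same time. The nicknames and dates are constructed sample data in the format of `openssl x509 -noout -dates`, not the poster's real certificates.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`; the sample data below uses it.
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dates(text):
    """Parse the notBefore=/notAfter= lines for one certificate into UTC datetimes."""
    start = end = None
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition("=")
        stamp = datetime.strptime(value.strip(), OPENSSL_FMT).replace(tzinfo=timezone.utc)
        if key == "notBefore":
            start = stamp
        elif key == "notAfter":
            end = stamp
    if start is None or end is None:
        raise ValueError("need both notBefore and notAfter")
    return start, end


def common_validity_window(certs):
    """Return (latest notBefore, earliest notAfter) if all intervals overlap, else None.

    certs maps an NSS nickname to a (notBefore, notAfter) pair.
    """
    latest_start = max(start for start, _ in certs.values())
    earliest_end = min(end for _, end in certs.values())
    return (latest_start, earliest_end) if latest_start < earliest_end else None


def explain_conflict(certs):
    """Name the two certificates whose validity periods cannot both be satisfied."""
    newest = max(certs, key=lambda nick: certs[nick][0])
    oldest = min(certs, key=lambda nick: certs[nick][1])
    return (f"{newest} is not valid before {certs[newest][0].strftime(OPENSSL_FMT)}, "
            f"but {oldest} expired at {certs[oldest][1].strftime(OPENSSL_FMT)}")


def rollback_time(certs, margin=timedelta(hours=1)):
    """Pick a clock value inside the common window, shortly before the earliest expiry.

    The margin leaves time for the CA to start and for certmonger to submit the
    renewals before the clock is moved forward again. Returns None if no common
    window exists.
    """
    window = common_validity_window(certs)
    if window is None:
        return None
    start, end = window
    candidate = end - margin
    return candidate if candidate > start else start + (end - start) / 2


# Constructed sample: four Dogtag subsystem certificates, the audit cert renewed later than the rest.
SAMPLE = {nick: parse_dates(dates) for nick, dates in {
    "ocspSigningCert cert-pki-ca": "notBefore=Nov 10 02:00:00 2016 GMT\nnotAfter=Oct 31 02:00:00 2018 GMT",
    "subsystemCert cert-pki-ca": "notBefore=Nov 10 02:00:00 2016 GMT\nnotAfter=Oct 31 02:00:00 2018 GMT",
    "auditSigningCert cert-pki-ca": "notBefore=Jul 20 10:00:00 2018 GMT\nnotAfter=Jul 10 10:00:00 2020 GMT",
    "Server-Cert cert-pki-ca": "notBefore=Nov 10 02:00:00 2016 GMT\nnotAfter=Oct 31 02:00:00 2018 GMT",
}.items()}

# Same set, but the audit cert was only renewed after the others had expired: no common instant exists.
DISJOINT = dict(SAMPLE)
DISJOINT["auditSigningCert cert-pki-ca"] = parse_dates(
    "notBefore=Nov 05 09:00:00 2018 GMT\nnotAfter=Oct 26 09:00:00 2020 GMT")


if __name__ == "__main__":
    for label, certs in (("overlapping", SAMPLE), ("disjoint", DISJOINT)):
        when = rollback_time(certs)
        if when is None:
            print(f"{label}: no common window; {explain_conflict(certs)}")
        else:
            print(f"{label}: set the clock to {when.strftime(OPENSSL_FMT)}  "
                  f"(date -u -s '{when:%Y-%m-%d %H:%M:%S}')")
```

Before winding the clock back, stop chronyd/ntpd so the time is not corrected underneath you, and remember that the CA certificate itself must also cover the chosen instant (in this thread it does, being valid for 20 years). Once pki-tomcatd starts and certmonger has renewed the certificates, restore the correct time.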

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote: > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale > > > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. > > Do the 'userCertificate', 'description' and 'seeAlso' attributes > > match the IPA RA certificate (/var/lib/ipa/ra-a

[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users wrote: > Natxo Asenjo via FreeIPA-users wrote: > > hi, > > > > I am testing smartcard authentication with a yubikey neo like described > > in > > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-log

[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote: > On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote: > > > This is not timestamped, but I guess it is the thing. Weird, I don't > > remember my provisioning does anything JRE-related, but I will do some > > digging

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 09, 2018 at 01:43:37PM +, Peter Oliver via FreeIPA-users wrote: > On Thu, 8 Nov 2018, 22:29 Fraser Tweedale > > > > > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale > > > > > > > > > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. > > > > Do the 'userCertificate', 'de

[Freeipa-users] Re: CA master reinstall via replication

2018-11-12 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 12, 2018 at 03:55:13PM -0500, Rob Foehl via FreeIPA-users wrote: > If I have a pair of IPA servers and need to reinstall the one currently > holding the CA master, is it actually necessary to promote the other one, or > can I just follow the procedure to rebuild the current master via >

[Freeipa-users] Re: CA master reinstall via replication

2018-11-12 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote: > On Tue, 13 Nov 2018, Fraser Tweedale wrote: > > > Can you please clarify, what is the procedure to rebuild the master > > via replication? > > Honestly, no, as there isn't any clearly documented way to do this ;) > > https://www.freeip

[Freeipa-users] Re: OCSP responses for an external CA

2018-11-28 Thread Fraser Tweedale via FreeIPA-users
Hi Andrew, Responses inline. On Wed, Nov 28, 2018 at 05:35:11PM -0800, Andrew C Dingman via FreeIPA-users wrote: > Hi, all > > I'm not sure the following is feasible, but IHAC who may want to use > IPA in an air-gapped network while relying on smart card authentication > using certificates from

[Freeipa-users] Re: yubikey csr not working

2018-12-02 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 09, 2018 at 07:42:36AM +0100, Natxo Asenjo via FreeIPA-users wrote: > On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale wrote: > > > > > Natxo, could you please provide Dogtag debug log from > > /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in > > the journal at the ti

[Freeipa-users] Re: Host vs. service certificates

2018-12-03 Thread Fraser Tweedale via FreeIPA-users
On Mon, Dec 03, 2018 at 06:23:04PM -0500, Rob Foehl via FreeIPA-users wrote: > Are there any practical differences between IPA-issued certificates for > hosts and services (ipa-getcert -K service/hostname for the latter), if > they're only being used to identify the host in a non-Kerberos-aware TLS

[Freeipa-users] Re: Host vs. service certificates

2018-12-03 Thread Fraser Tweedale via FreeIPA-users
On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote: > On Tue, 4 Dec 2018, Fraser Tweedale wrote: > > > No significant differences for most use cases. If using only host > > principals works for you, go ahead. > > Probably should've tried it first... A request like this:

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-04 Thread Fraser Tweedale via FreeIPA-users
Hi Christopher, I agree with Rob that replication issue is the most likely cause. If there were replication issues, depending on your topology there may be serial/request ID range conflicts too. But the most critical issue is the about-to-expire certificate. A couple of quick points/questions:

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Fraser Tweedale via FreeIPA-users
On Wed, Dec 05, 2018 at 11:37:36AM -0500, Christopher Young wrote: > Ok. (Again, I apologize for all the previous messages). > > I found the record after JUST starting up the directory on my 'ipa02' > system (the one with the pki-tomcat starting issues). I exported out > a LDIF and imported that

[Freeipa-users] Re: NoClassDefFoundError: javax/annotation/Priority

2018-12-07 Thread Fraser Tweedale via FreeIPA-users
This can sometimes occur when there are mismatched versions of java libraries. Is every Java-related package (especially resteasy and tomcat packages) at the latest version? Cheers, Fraser On Fri, Dec 07, 2018 at 04:54:06PM +0100, Milos Cuculovic via FreeIPA-users wrote: > Trying to run pki cer

[Freeipa-users] Re: Trouble with pki-tomcat

2018-12-16 Thread Fraser Tweedale via FreeIPA-users
On Fri, Dec 14, 2018 at 03:52:58PM +0100, Arjen Heidinga via FreeIPA-users wrote: > Dear all, > > I fear somehow my freeipa server is broken. Perhaps it is time to create > a new one, however that would be very time-consuming. > > Yesterday everything broke, after FreeIPA was upgraded. It is wor

[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2019-01-01 Thread Fraser Tweedale via FreeIPA-users
Jason, Could you please attach the latest PKI debug log from /var/log/pki/pki-tomcat/ca/ - everything from the beginning of startup to where it hangs? Thanks, Fraser On Sat, Dec 29, 2018 at 11:07:07PM -, Jason Wood via FreeIPA-users wrote: > This is on all 4 systems having the issue > ipa --

[Freeipa-users] Re: light sub-cas crl / ocsp urls

2019-01-31 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jan 31, 2019 at 10:30:36PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On to, 31 tammi 2019, Natxo Asenjo via FreeIPA-users wrote: > > hi, > > > > at work I am testing using a light sub-ca with openvpn to limit the scope > > of hosts that can auto request a certificate. > > > > S

[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2019-02-06 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 06, 2019 at 10:09:00AM -0500, Jason L Wood via FreeIPA-users wrote: > This worked! Deleted all the conflicts on one system, stopped pki-tomcatd > and started it again. Came up. Worked on 3 of the 4 systems. The last one > still has conflicts that I will clear out, and is of course th

[Freeipa-users] Re: IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED

2019-03-10 Thread Fraser Tweedale via FreeIPA-users
Hi Jonny, responses inline. On Fri, Mar 08, 2019 at 06:16:14PM -, Jonny McCullagh via FreeIPA-users wrote: > I can install freeipa with ipa-server-install and no parameters fine. However > I want to be able to use IPA as a sub-CA. I have created root and > intermediate CAs using openssl and

[Freeipa-users] Re: 3rd pary Certificate for HTTP and LDAP

2019-03-10 Thread Fraser Tweedale via FreeIPA-users
On Fri, Mar 08, 2019 at 09:41:25AM +0100, Ronald Wimmer via FreeIPA-users wrote: > Today I was reading the documentation on > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP > > Is the Prerequisite step necessary if the CA (Digicert) is already trusted > by the OS? > I beli

[Freeipa-users] Re: Certificate renewal question

2019-03-26 Thread Fraser Tweedale via FreeIPA-users
On Mon, Mar 25, 2019 at 01:37:00PM -0400, Rob Crittenden via FreeIPA-users wrote: > Jeff Goddard via FreeIPA-users wrote: > > Hello everyone and thanks for providing the FreeIPA platform. > > > > I've got a situation where I have 4 FreeIPA peer servers, with 2 of them > > being CAs with replicati

[Freeipa-users] Re: User certs in the webUI

2019-03-27 Thread Fraser Tweedale via FreeIPA-users
On Wed, Mar 27, 2019 at 10:11:00AM -0500, Stephen Berg (Code 7309) via FreeIPA-users wrote: > Just noticed that when I view a user in the web UI I cannot see their > certificates.  From a command line the certs show up just fine.  I'm > browsing with Firefox 66.0.2 on a RHEL 7.6 system, servers ar

[Freeipa-users] Re: CA Cert and CA Private key, or signing key.

2019-04-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 08, 2019 at 06:01:53PM -, Ralph Crongeyer via FreeIPA-users wrote: > Hello List, > > I'm testing SSL decryption on a firewall. The self signed CA Cert > and private signing key that I started testing with are generated > on the firewall itself which works. So I am now trying to f

[Freeipa-users] Re: Lost Dogtag admin certificate

2019-04-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Apr 09, 2019 at 01:39:55PM -, Petr Benas via FreeIPA-users wrote: > Hello, > > I'm trying to solve following issue in our FreeIPA 4.6.4 deployment and ran > out of ideas, so I'm asking for an advice. The main issue is the > auditSigningCert having a printablestring subject: > > # ce

[Freeipa-users] Re: CA Cert and CA Private key, or signing key.

2019-04-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Apr 09, 2019 at 12:17:17PM -, Ralph Crongeyer via FreeIPA-users wrote: > Hi Fraser, > Sure thing. I was just pointing out that for testing we used the keys > generated on the FW for testing. Now we would like to use FreeIPA as the CA > for the FW's. > So I am trying to figure out how

[Freeipa-users] Re: Cert renew error: service with name already exists.

2019-04-11 Thread Fraser Tweedale via FreeIPA-users
Hi John, Looks like the Certmonger tracking requests are missing the principal name. So here's the first thing to try: wind back the clock again, restart IPA, and then issue the following certmonger commands: - getcert resubmit -i 20190203000836 -K "HTTP/@" - getcert resubmit -i 20190329001401 -

[Freeipa-users] Re: pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-28 Thread Fraser Tweedale via FreeIPA-users
On Fri, Apr 26, 2019 at 09:03:47AM -, luckydog xf via FreeIPA-users wrote: > Holy shit, fixed, > > you must keep the original CA ( xxx.com IPA CA) under /etc/http/alias and > /etc/dirsrv/slapd-XXX. > Yes, especially for DS. Dogtag uses TLS client certificate authentication to bind to LDAP.

[Freeipa-users] Re: Certmonger spawns many processes, causing huge load due to swapping

2019-05-15 Thread Fraser Tweedale via FreeIPA-users
On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via FreeIPA-users wrote: > Jonathan Vaughn via FreeIPA-users wrote: > > I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as > > long as I didn't run the Dogtag server on it performance seemed > > acceptable for the purpose.

[Freeipa-users] Re: Duplicate certificate tracking request

2019-06-16 Thread Fraser Tweedale via FreeIPA-users
On Fri, Jun 14, 2019 at 02:46:56PM +, Remco Kranenburg via FreeIPA-users wrote: > Hi all, > > We noticed that we have a duplicate tracking request for a certificate. > Is this normal, or can we remove one of them? We suspect that this > happened because we migrated our systems to another prov

[Freeipa-users] Re: IPA's CA - from its own to an external

2019-07-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 10, 2019 at 04:55:29PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote: > On 7/10/19 1:11 PM, lejeczek via FreeIPA-users wrote: > > On 02/07/2019 13:13, Alexander Bokovoy wrote: > > > On ti, 02 heinä 2019, lejeczek via FreeIPA-users wrote: > > > > On 20/06/2019 14:38, Alexander Bo

[Freeipa-users] Re: IPA's CA - from its own to an external

2019-07-17 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote: > >> Hi, > >> please have a look at [1] Changing the Certificate chain: > >> 8< > >> Self-signed CA certificate → externally-signed CA certificate > >> Add the --external-ca option to ipa-cacert-manage renew. Th

[Freeipa-users] Re: IPA's CA - from its own to an external

2019-07-18 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 18, 2019 at 10:02:00AM +0100, lejeczek via FreeIPA-users wrote: > Is changing the chain (apart from the risk attached to doing something, > anything, and that something can go wrong) healthy? (security) eg. > Having AD CA as root then changing to another AD, then maybe back to > IPA's o

[Freeipa-users] Re: CA subsystem certificates failing to renew.

2019-07-23 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jul 23, 2019 at 12:50:53AM -0400, Guillermo Fuentes via FreeIPA-users wrote: > Hi list, > > I'm having an issue where the CA subsystem certificates are failing to renew. > > *** Environment: > 4 FreeIPA replica servers with CA. > > Currently CentOS 7 up-to-date. > Initially setup as Fre

[Freeipa-users] Re: CA subsystem certificates failing to renew.

2019-07-26 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jul 23, 2019 at 09:34:45PM -0400, Guillermo Fuentes wrote: > Thanks so much Fraser for your reply. > Looking forward to your blog post! > All the best, > Guillermo > Here you go: https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html Cheers, Fraser > O

[Freeipa-users] Re: External CA

2019-07-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jul 29, 2019 at 03:17:22PM -0400, Rob Crittenden via FreeIPA-users wrote: > Christian Reiss via FreeIPA-users wrote: > > Hey folks, > > > > Would it be possible to get FreeIPA to sign an arbitrary, non IPA > > managed CA? Background: Before FreeIPA we enrolled our own CA for > > internal

[Freeipa-users] Re: CA subsystem certificates failing to renew.

2019-08-04 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 02, 2019 at 11:53:31AM -0400, Guillermo Fuentes wrote: > Fraser, Rob and list, > Just to let you guys know this is now resolved. > > Although I didn't see any conflicts in the existing ranges, the renewal > process was using an already existing serial. So, I went ahead and followed > t

[Freeipa-users] Re: DIRSRV external signed cert questions

2019-08-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 09, 2019 at 11:06:58PM -, Boyd Ako via FreeIPA-users wrote: > This involves the `ipa-server-certinstall` command. > > 1) If I used the option to install P12 for dirsrv, will dirsrv being doing > OCSP validation? If so, is there away for me to disable OCSP validation? > Do you mea

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-04 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 04, 2019 at 12:33:27PM -, David Etchen via FreeIPA-users wrote: > Hi Guys, > > I have a 2 host basic IPA setup both IPA servers are running dns & > ca. I'm running on Centos 7.6 using freeipa version 4.6.4 & > dogtag version 10.5.9 > > I've made a subCA called vpnca and a certifi

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-04 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 04, 2019 at 03:08:30PM -, David Etchen via FreeIPA-users wrote: > Hi Fraser, > > Thanks for replying. > > I've restarted both sides like you suggested but still don't see a > difference. I can see the back off time has started again like you said. > > [04/Sep/2019:15:20:12][KeyR

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 05, 2019 at 09:07:48PM -, Ben Rawson via FreeIPA-users wrote: > I'm having some trouble getting sub-ca signed certificates issued and managed > by certmonger. The implementation here > [https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I > see that the -X o

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 05, 2019 at 10:12:10AM -, David Etchen via FreeIPA-users wrote: > Ahh of course sudo I was trying su. > > I'm on Centos 7.6 running freeipa 4.6.4 all from the standard yum packages. > > It does look to be the exact same issue as you posted about Fedora 30. > Thanks. I will need

[Freeipa-users] Re: subCA OCSP on IPA Replica

2019-09-05 Thread Fraser Tweedale via FreeIPA-users
On Fri, Sep 06, 2019 at 11:27:52AM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Thu, Sep 05, 2019 at 10:12:10AM -, David Etchen via FreeIPA-users > wrote: > > Ahh of course sudo I was trying su. > > > > I'm on Centos 7.6 running freeipa 4.6.4 all f

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-08 Thread Fraser Tweedale via FreeIPA-users
On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > hi guys, > > how to manage those? > > Why are these missing in "standard" IPA installations and how to get > them in? > > many thanks, L. > Do you mean in the IPA CA certificate, or in the end-entity certificates? If

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 09, 2019 at 11:12:54AM +0100, lejeczek wrote: > On 09/09/2019 01:07, Fraser Tweedale wrote: > > On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > >> hi guys, > >> > >> how to manage those? > >> > >> Why are these missing in "standard" IPA installations and ho

[Freeipa-users] Re: ipa-kra-install fails: Failed to update number range.

2019-09-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 12, 2019 at 03:33:26PM -, Dmitry Perets via FreeIPA-users wrote: > Hi, > > I've created a new IPA replica. > ipa-replica-install has completed successfully. > ipa-ca-install has completed successfully as well. > However, ipa-kra-install fails. > > In the terminal the fails right

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Sep 12, 2019 at 02:10:22PM -0400, Ben Rawson via FreeIPA-users wrote: > Thanks for the quick response Fraser. I did some more digging based on your > suggestions, and I think I have a pretty good handle on whats going on. > > We actually have 3 ipa servers, with ipa01 being the CA master.

[Freeipa-users] Re: Certmonger managed certificate signed by sub-ca

2019-09-17 Thread Fraser Tweedale via FreeIPA-users
Is the sub-CA key present in the Dogtag NSSDB on ipa01? To see the list of private keys, execute `certutil -d /etc/pki/pki-tomcat/alias -K`. The password is the value of 'internal=' in /etc/pki/pki-tomcat/password.conf. Cheers, Fraser On Tue, Sep 17, 2019 at 06:46:37PM -, Ben Rawson via Fre

[Freeipa-users] Re: log dispatching for IPA servers

2019-09-24 Thread Fraser Tweedale via FreeIPA-users
Hi Nazan, I'm not sure what are the best practices for log dispatching on IPA servers, or what is suitable for your customer's environment and requirement. I assume the customer is running RHEL and therefore wants the solution to only use supported components. Adding freeipa-users@ for a wider a

[Freeipa-users] Re:

2019-09-25 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 25, 2019 at 10:06:49AM +, Nazan CENGİZ via FreeIPA-users wrote: > Hi, > > Who is the name of the community? > Do you have an existing slack group? > Thanks. > Find us on IRC, #freeipa on Freenode. Cheers, Fraser

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-29 Thread Fraser Tweedale via FreeIPA-users
Hi Stuart, Adding the freeipa-users@ mailing list for visibility. I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that. I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 30, 2019 at 08:19:15AM +0100, Stuart McRobert wrote: > Dear Fraser, > > Thanks, I've retained the CC but will probably need to join. > > > I think your idea to first try creating a CA replica on F28 before > > moving forward to F30 is a sensible thing to try. > > I will explore addin

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
pology. The freeipa-healthcheck project will also analyse the topology and warn of insufficient redundancy of CA/KRA, DNS, etc. Cheers, Fraser > On Mon, Sep 30, 2019 at 12:35 AM Fraser Tweedale via FreeIPA-users > wrote: > > > > Hi Stuart, > > > > Adding the freeipa-users@

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-09-30 Thread Fraser Tweedale via FreeIPA-users
On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > On 09/09/2019 01:07, Fraser Tweedale wrote: > > On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: > >> hi guys, > >> > >> how to manage those? > >> > >> Why are these missing in "standard" IPA in

[Freeipa-users] Re: ipa vault: internal error, "Invalid Credential"

2019-10-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 10:51:37AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ti, 01 loka 2019, Dmitry Perets via FreeIPA-users wrote: > > Hi, > > > > Posting back here, in case someone gets this issue in the future... > > > > The problem turned out to be that IPA put wrong CA cert s

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-01 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 09:09:52AM +0100, lejeczek wrote: > On 01/10/2019 02:21, Fraser Tweedale wrote: > > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > >> On 09/09/2019 01:07, Fraser Tweedale wrote: > >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeI

[Freeipa-users] Re: ipa vault: internal error, "Invalid Credential"

2019-10-02 Thread Fraser Tweedale via FreeIPA-users
On Tue, Oct 01, 2019 at 07:14:17PM +1000, Fraser Tweedale via FreeIPA-users wrote: > On Tue, Oct 01, 2019 at 10:51:37AM +0300, Alexander Bokovoy via FreeIPA-users > wrote: > > On ti, 01 loka 2019, Dmitry Perets via FreeIPA-users wrote: > > > Hi, > > > > >

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote: > Hello, > > I’m wanting to make our https servers use a trusted certificate within our > LAN only. So for example if I have websrv1.ny.example.com when a user uses a > machine that’s enrolled into our realm and they

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote: > Seems to happen on both Ubuntu 16.04 and 18.04. > > $ lsb_release -a > No LSB modules are available. > Distributor ID: Ubuntu > Description: Ubuntu 16.04.6 LTS > Release: 16.04 > Codename: xenial > > $ firefox --versio

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-10 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 10, 2019 at 12:09:48PM +0100, lejeczek via FreeIPA-users wrote: > On 01/10/2019 02:21, Fraser Tweedale wrote: > > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > >> On 09/09/2019 01:07, Fraser Tweedale wrote: > >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100,

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 14, 2019 at 05:50:47PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 14 loka 2019, Kevin Vasko wrote: > > Welp, I'm an idiot and you are completely 100% correct. > > > > It was indeed revoked, but the http servers certificate was revoked > > and not the client..which is w

[Freeipa-users] Re: FreeIPA having problem after upgrading from Fedora 30 to 31

2019-10-30 Thread Fraser Tweedale via FreeIPA-users
Is there anything in the dirsrv log relating to the connection attempt? Connection Refused could in fact be a TLS handshake error (the TLS handshake also includes certificate authentication). Cheers, Fraser On Wed, Oct 30, 2019 at 10:47:54PM +0800, Patrick Dung via FreeIPA-users wrote: > Hello E

[Freeipa-users] Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-25 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 25, 2019 at 02:47:46PM -, Alexander Skobeltsin via FreeIPA-users wrote: > Several days ago my freeipa (4.4) server was broken due to expiration of all > certificates (except CA of course). Because in 4.4 there was no such handy > tool as ipa-cert-fix, but lots of recovery methods

[Freeipa-users] Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run

2019-11-26 Thread Fraser Tweedale via FreeIPA-users
On Tue, Nov 26, 2019 at 09:46:02AM +0300, Александер Скобельцын wrote: > Of course. > > dn: uid=ipara,ou=people,o=ipaca > cn: ipara > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: cmsuser > userCertificate: > MIIDXDCCAkSgAwIB

[Freeipa-users] Re: FreeIPA having problem after upgrading from Fedora 30 to 31

2019-11-27 Thread Fraser Tweedale via FreeIPA-users
Hi Patrick, I want to follow up with this. Did you get things working again? With the latest packages for both f30 and f31, I upgraded a FreeIPA installation from f30 to f31 without encountering any problems. Perhaps the jss issue caused the system to enter a poor state during the initial ipa-s

[Freeipa-users] Re: FreeIPA having problem after upgrading from Fedora 30 to 31

2019-11-27 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 27, 2019 at 07:08:45PM +0800, Patrick Dung wrote: > Hi Fraser, > > I got one FreeIPA server that uses the original jss in F31. It had problems > in upgrading. > But it resumed upgrading after upgrading to a newer jss. However it still > has the java/tomcat security problem described in > htt

[Freeipa-users] Re: /var/log/pki/pki-tomcat/ca/debug

2019-12-10 Thread Fraser Tweedale via FreeIPA-users
On Tue, Dec 10, 2019 at 09:22:19AM +0100, Ronald Wimmer via FreeIPA-users wrote: > I cannot remember having set anything to "debug" regarding the CA. > Nevertheless, these files are growing continuously: > > -rw-r-. 1 pkiuser pkiuser 1.6G Dec 10 09:15 > /var/log/pki/pki-tomcat/ca/debug > -rw-r---

[Freeipa-users] Re: COPR repositories changes

2019-12-19 Thread Fraser Tweedale via FreeIPA-users
On Thu, Dec 19, 2019 at 05:17:05PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > Hi, > > thanks to the recent changes done by Dinesh(master[1] and ipa-4-8[2]), > it is now possible to have continuous rebuild of FreeIPA master and > ipa-4-8 branches using COPR repositories. > > We now have

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 20, 2017 at 08:50:03AM +1000, Lachlan Musicman via FreeIPA-users wrote: > 2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443] > timeout 300 > 2017-09-19T22:35:51Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade ma

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:29:09PM +0200, Gabriel Stein via FreeIPA-users wrote: > Hi all, > > I was discussing an issue with @ftweedal and I will continue asking some > questions here. > > I have installed Freeipa with an additional Replica Server, but to me some > concepts are not so clear. > >

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 09, 2017 at 02:39:57PM +0200, Gabriel Stein via FreeIPA-users wrote: > Oh, sorry for the typos... (thanks @callum) > > '/s/Datadog/Dogtag/g' > Datadog is a pretty good name though! :) > Best Regards, > > Gabriel > > Gabriel Stein > -- > Gabriel Ferraz St

[Freeipa-users] Re: Upgrading with GoDaddy SSL cert for https only

2017-10-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 11, 2017 at 12:50:39PM -0400, Mark Haney via FreeIPA-users wrote: > I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7 > (along with updating C7 to 7.4) and it bombed spectacularly. It seems the > upgrade process doesn't like the GoDaddy SSL cert we supplied for

[Freeipa-users] Re: Unable to sign CSR with multiple CN in subject

2017-10-19 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 19, 2017 at 10:40:12AM +, Joel Kåberg via FreeIPA-users wrote: > Hello > > I'm trying to sign a CSR which has multiple CNs in the certificate > subject. When the certificate is signed it only contains one CN in > the subject (should be 2, site1.domain.tld and site2.domain.tld), > a

[Freeipa-users] Re: IPA CA allow CSR SAN names in external domains

2017-10-20 Thread Fraser Tweedale via FreeIPA-users
On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote: > Hello > > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be > able to add SANs for a different DNS domain than exists in the IPA realm. > The DNS for 'otherdomain.com' is handled by active dir

[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote: > john.bowman--- via FreeIPA-users wrote: > > Still looking for any ideas on this one so giving it a bump. > > Next time please don't wipe out all the context. > > Fraser, it seems to be having a problem connecting to the security do

[Freeipa-users] Re: IPA Password Vault

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users wrote: > > > Hello, > > I have recently been looking into the password vault for IPA and would > like to implement it; however, I have not been able to find an answer to a > compliance question on it yet. > > >Does the IP

[Freeipa-users] Re: IPA Password Vault

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
o target servers, and who can perform particular privileged operations on target servers. FreeIPA enables this approach. Cheers, Fraser > > Sean Hogan > > > > > > > > From: Fraser Tweedale via FreeIPA-users > > To: FreeIPA users list > Cc:

[Freeipa-users] Re: Expired certificate problem

2018-01-08 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote: > After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at > server. Request failed with status 500: Non-2xx response from CA REST API: > 500." when certmonger tries to renew httpd/dirsrv certificate.

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote: > Hi Fraser, > > Il 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users ha scritto: > > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users > > wrote: > > >

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote: > Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto: > > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), > > not the FreeIPA DIT. You should check on a CA replica. >

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote: > Il 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users ha scritto: > > "CA replica" just means any IPA master that has the Dogtag CA > > installed. > > > > You have a Dogt

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 01:45:04PM +0100, Giulio Casella wrote: > Il 10/01/2018 11:01, Giulio Casella via FreeIPA-users ha scritto: > > Il 10/01/2018 10:49, Giulio Casella via FreeIPA-users ha scritto: > > > Fraser, some more info: > > > > > > In /var/log/pki/pki-tomcat/localhost_access_log.2018-0

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote: > Il 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users ha scritto: > > Great! I'm glad you got to the bottom of it. Just curious - were > > there / are there multiple authority entries in LDAP underneath >

[Freeipa-users] Re: Problems with KeyRetrieverClass when setting up replica with CA

2018-01-14 Thread Fraser Tweedale via FreeIPA-users
On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users wrote: > Hello! > Yesterday I tried migrating a physical machine (ipa1) that was a FreeIPA CA > CRL master in my VM cluster. I followed the guide at [1] to migrate the CRL > master to another replica (ipa2) and uninstalle
