So, I have one master now and one client/replica... how do I go about building
a second master? Is that the same as building just another ipa-server, like
ipa-server-install?
Do I need to have the same CA on both masters?
___
FreeIPA-users mailing
okay, so I get that part. Will the two masters with the CA service be able to
be replicas of each other?
___
Hello guys,
I'm starting fresh with a 3 node cluster for freeipa. I just want to ask for
best practices here.
Should I build 3 nodes, each with the ipa-server, http, etc, etc... and then
try to replicate? or
should I build 1 node with everything and then build the other two nodes as
Hello Flo,
Thanks everyone for the support. I have tried to start the service and I would
like to attach the errors I'm getting. Please review the attachments. Let me know
what you think I should do.
___
Sorry, here is the link for the paste errors:
https://justpaste.it/57k4t
___
okay, now I am getting the following error:
Command: `pki-server cert-fix --ldapi-socket /var/run/slapd-.socket
--agent-uid ipara --cert sslserver --cert subsystem --cert ca_ocsp_signing
--cert ca_audit_signing --extra-cert 6' returned non-zero exit status 1
The ipa-cert-fix command failed.
I'm running version 4.6.8 and it does have the ipa-cert-fix. But when I run
it, I get these errors:
cannot connect to 'ldapi:.socket':
The ipa-cert-fix command failed.
Thoughts? Thank you
___
Thanks, I got all the services up and running, yet I can't get the certs to
renew.
When I look at certmonger it seems to be having dbus connection issues. Are
those normal? I have tried to use the `resubmit` option for the certs ID but
that doesn't seem to work.
Thoughts?
I'm trying to clean up the verbose logs, but I see four issues:
1. certutil: Could not find cert: trasnportCert cert-pki-kra
2. certutil: Could not find cert: storageCert cert-pki-kra
3. certutil: Could not find cert: auditSigningCert cert-pki-kra
4. Failed to update password
This one is
Hello guys,
The team was trying some new things and we got some errors we would like to
share:
ERR - _csngen_adjust_local_time - Adjustment limit exceeded; value - ,
limit - (I'm not sure if you care to see the actual numbers)
ERR - ldbm_back_modify - failed to generate modify CSN for
but it seems that I'm getting the clock skew error for the directory service
every time I try to resubmit the cert renewal because the rolling back of the
date/time to the local server is affecting the clock for the directory service.
I think that's causing my renewals to fail.
Not sure I follow your answers, can you clarify what I should be doing to get
those errors or the `clock skew` issue resolved?
___
Hello Flo,
We have three (3) servers and two of them are replicas.
From the cli:
# `ipa-getcert list` shows two certs both expired,
# `getcert list` shows 8 certs, 7 of those expired.
We are working from the CA master and trying everything we have listed above.
We tried the ipa-cert-fix
All my certs in IPA are expired and no matter what I do I can't get `getcert`
to renew them. I have changed the date back to before they expired, but when I
try to restart, IPA tries to do an upgrade and fails.
I'm able to start kdc, directory services, http, pki-tomcat and certmonger, but
Hello,
I have set up a bastion host with an IPA client in order to control access to
the bastion host by groups. I have users in different groups, but I just got
word that people outside the group / HBAC rule can access and log in with their
IPA credentials. Everything seems okay with the
Okay, I think the rule `Matched rules: allow_all` was causing the issue... I
tested after disabling that rule and it's working now. How can we close this
ticket?
___
So, after disabling the `allow_all` I'm having issues... this user is allowed
in the `deepcore-bastion` rule, but he's getting denied:
```
[root @ ldap01] ~
$ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh
-
Access granted: False
```
from: ipa hbacrule-find
```
$ ipa hbacrule-find
7 HBAC rules matched
Rule name: admins_allow_all
Host category: all
Service category: all
Enabled: True
Rule name: allow_all
User category: all
Host category: all
Service category: all
[root @ ldap01] ~
$ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh
Access granted: True
Matched rules: allow_all
Not matched rules: admins_allow_all
Not matched rules: allow_systemd-user
Not matched rules:
```
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running.
All other services are running fine, I can kinit admin and search for users, I
can also log into the UI and see everything. When I try to start the service I
see the following errors:
Mar 11 20:44:44
Also, here is more in the journal:
```
-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21 UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine
```
And this is from the ca/debug file:
```
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has
```
```
[root @ ldap01] /home/rocky
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running
```
starting ipa is failing for the
```
[root @ ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
```
Also, am I looking at the correct one here?:
```
[root @ ldap01]
$ certutil -L -d
```
I don't see that... here is where it is at the moment, and it's been there for a
long while:
```
[root @ ldap02] /var/log
$ ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3
```
Found this in the logs:
```
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
```
I don't get it, the cert is valid and the master seems to be working just fine.
Any ideas as to how I need to approach this issue? I can rebuild the replicas
and get the cert updates done on each of the replicas, but I have tried that a
few times and it still seems to be unhappy with it.
Hey guys,
I finished installing two replicas of my master. Both installations of the
replicas completed successfully, but when I try to run the ipa-setup-ca it is
having some issues.
The errors I get are:
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
Hello Flo,
sorry for the delay, I ran the ipa-healthcheck and all I got was warnings. I'm
going to try attaching the file here. I replaced the ldap01.app.uaap.maxar.com
with a new one with the DN= ldap.app.uaap.maxar.com and DNS aliases for
ldap[01..03].app.uaap.maxar.com because it made