On 01/10/2018 10:06 AM, Harald Dunkel via FreeIPA-users wrote:
On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote:
Hi Flo, Rob,
On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
The files should contain multiple certificates (IPA CA and the
external CA certificates). I
On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote:
Hi Flo, Rob,
On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
The files should contain multiple certificates (IPA CA and the external CA
certificates). If it is not the case, please check first if there were AVC
iss
On 12/14/2017 05:09 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo, Rob,
On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
The files should contain multiple certificates (IPA CA and the
external CA certificates). If it is not the case, please check first
if there were AVC
Hi Flo, Rob,
On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
The files should contain multiple certificates (IPA CA and the external CA
certificates). If it is not the case, please check first if there were AVC
issues (if running in SElinux enforcing mode), and feel free t
On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
My concern is, it looks much more restricted than the old root CA
certificate:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
My concern is, it looks much more restricted than the old root CA
certificate:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attributes
Hi Flo,
On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
I would try to remove the new root CA from LDAP and re-import it using
ipa
On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
I would try to remove the new root CA from LDAP and re-import it using
ipa-cacert-manage install -t C,,
This should create the entry with the appropriat
Hi folks,
any ideas about how to proceed? Is this bbr? Do I have to reactivate
the old pki to get out of this mess?
Every helpful comment is highly appreciated.
Harri
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> I would try to remove the new root CA from LDAP and re-import it using
> ipa-cacert-manage install -t C,,
> This should create the entry with the appropriate attributes.
>
> Flo
Result: The new root CA certificate
On 12/08/2017 01:08 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote:
Hi Harald,
the external CAs and FreeIPA CA must be stored in the LDAP server
(cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add
external CAs to the LDA
Hi Flo,
On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote:
Hi Harald,
the external CAs and FreeIPA CA must be stored in the LDAP server
(cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external
CAs to the LDAP server is to run ipa-cacert-manage install.
ACK
You need f
On 12/08/2017 08:01 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo and Andrew,
thanx for your replies, but I think you missed the point:
The new (external) root CA certificate and the new ipa
CA certificate are *in* freeipa already, but on the host
I had used for running ipa-cacert-manage to
Hi Flo and Andrew,
thanx for your replies, but I think you missed the point:
The new (external) root CA certificate and the new ipa
CA certificate are *in* freeipa already, but on the host
I had used for running ipa-cacert-manage to deploy this
new PKI the database in /var/lib/pki/pki-tomcat/ca/a
Harald,
Maybe in the ldap certificate container you already have the same
certificate you're trying to install, but it has another key or untrusted?
Then try to delete it via ldapdelete and certutil -d, and then try again to
install the new one.
2017-12-07 17:20 GMT+03:00 Harald Dunkel via FreeIPA-users <
On 12/7/17 2:53 PM, Florence Blanc-Renaud wrote:
Hi,
if you run:
ipa-cacert-manage install -t C,,
ipa-certupdate
then the new root certificate will be installed in all the required NSS
databases. Do not forget to run ipa-certupdate on all the FreeIPA machines.
This did not work:
[root@i
On 12/07/2017 09:17 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Rob,
On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:
Here is what I see on the broken ipa server:
[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate
PS: I have derived another CA replica "ipa0" from ipa2.
certutil shows different trustargs again. Shouldn't ipa2
and the new ipa0 have identical trustargs?
[root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attributes
Hi Rob,
On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:
Here is what I see on the broken ipa server:
[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attribute
Harald Dunkel via FreeIPA-users wrote:
> Hi Rob,
>
> On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel via FreeIPA-users wrote:
>>> See attachment.
>>>
>>> Please note the "invalid certificate". Do you remember the thread
>>> on freeipa-devel about "ipa-client-install (3.
Hi Rob,
On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
> Harald Dunkel via FreeIPA-users wrote:
>> See attachment.
>>
>> Please note the "invalid certificate". Do you remember the thread
>> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
>> after root certificate cha
Harald Dunkel via FreeIPA-users wrote:
> See attachment.
>
> Please note the "invalid certificate". Do you remember the thread
> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
> after root certificate change via ipa-cacert-manage" and the
> output of "ipa-certupdate -v" I had p
See attachment.
Please note the "invalid certificate". Do you remember the thread
on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
after root certificate change via ipa-cacert-manage" and the
output of "ipa-certupdate -v" I had posted?
Regards
Harri
debug.txt.gz
Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> Platform: Centos 7.4, ipa 4.5.0-21
>
> The ipa service cannot be started anymore. Error message:
>
> # systemctl status ipa
> * ipa.service - Identity, Policy, Audit
> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor
>