On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
> Thanks Jakub for the detailed analysis... with those inputs , I was able to
> nail down the issue.
>
> I had migrated this host from openldap to freeipa.. However, nslcd daemon
> was still running and the syslog pointed me to th
On 1.8.2016 09:08, Jakub Hrozek wrote:
> On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
>> Thanks Jakub for the detailed analysis... with those inputs , I was able to
>> nail down the issue.
>>
>> I had migrated this host from openldap to freeipa.. However, nslcd daemon
>> was
On 29/07/16 15:35, Andreas Ladanyi wrote:
Hi,
Is it simply possible to move from a CA to a CA-less environment in IPA?
Because it's OK for me to only use certificates in web and LDAP
components. I use FreeIPA 4.2, Fedora 23.
regards,
Andreas
Hello Andreas!
There is no tool that would do this
I set time back on master ca and was able to renew its certs except for one
that has yet to expire but should have renewed. I tried to resubmit it but it
still does not renew and status says NEED_CSR_GEN_TOKEN. We do have a go daddy
cert we use as well but it is valid still. Is it because of the
Rob,
Thanks for pointing me in the right direction. However after following the
instructions in the above mentioned doc I noticed a few things that are odd
and have a new problem. The first odd thing I noticed is that when I run
service pki-cad status it shows that my PKI Subsystem Type is "CA Clon
sipazzo wrote:
I set time back on master ca and was able to renew its certs except for
one that has yet to expire but should have renewed. I tried to resubmit
it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do
have a go daddy cert we use as well but it is valid still. Is it
Hi,
I am experiencing slow logins and sudo authentication for servers joined to my
FreeIPA domain. I have been following the other recent thread on slow logins
and believe my issue is different.
I have replication setup with 2 FreeIPA servers at each of 3 sites. The
replication is working we
A quick update. We did some digging on the segfault problem and I think it
was due to having to update the trusts on the CA cert. So we updated the
certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FAIL messages in the d
Adam Lewis wrote:
A quick update. We did some digging on the segfault problem and I think
it was due to having to update the trusts on the CA cert. So we updated
the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FA
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.
Thanks
On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:
> Adam Lewis wrote:
>
>> A quick update. We did some digging on the segfault problem and I think
>> i
On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> I am having challenges resuming ipa-server-install --external-ca. I am
> reasonably confident I am not providing the right certificate and/or
> format from my off-line root CA using 389 and Dogtag.
>
> Does anyone have instructions on how to acc
Hi Rob,
Just a quick summary on my certificate renew experience.
I started with a worst case scenario assumption - original CSR and key
is no longer available.
1. export old certificate in pkcs12 format
pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k
/etc/httpd/alias/pw
Adam Lewis wrote:
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.
The usercertificate in LDAP had the BEGIN/END stripped, right?
I'll cc a couple of the dogtag developers to see what they think.
rob
Thanks
Yup, It's just the text string. I don't know how much this matters but when
I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what it's
been since we installed IPA. Is there some way/reason for me to generate a
whole ne
Adam Lewis wrote:
Yup, It's just the text string. I don't know how much this matters but
when I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
And the debug log shows:
Sign
Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
And the de
Hi there,
Is there anyone out there with a good system for storing users,
groups, hosts, etc.. in some sort of version controlled repo w/ flat
files that could plug into "two-man" workflows for user-account
creation and privilege/group membership changes, etc.
There's some github projects out the
William,
On 29.07.2016 at 22:27, William Muriithi wrote:
> Has anyone here been successful in getting an external CA to sign this
> kind of certificate? I have just tried to convince DigiCert for 2 days
> that there is no harm issuing this kind of certificate as long as it's
> restricted to one domain
Mateusz
> >
> > Which external CA would be more open to signing this kind of
> > certificate?
>
> I'm afraid that there is not a single external CA that would sign request
> for CA certificate. They need to make sure that certificate would not be
> used for fraudulent purposes (for e.g. Man-in-the-Middle
William,
On 02.08.2016 at 00:41, William Muriithi wrote:
>
> > > Which external CA would be more open to signing this kind of
> > > certificate?
> >
> > I'm afraid that there is not a single external CA that would sign
> > request for CA certificate. (...)
>
> Understandable. Did speak with them and re
On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik wrote:
> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> > I am having challenges resuming ipa-server-install --external-ca. I am
> > reasonably confident I am not providing the right certificate and/or
> > format from my off-line root CA using 389
On Mon, Aug 01, 2016 at 02:35:04PM +, Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I am experiencing slow logins and sudo authentication for servers joined to
> my FreeIPA domain. I have been following the other recent thread on slow
> logins and believe my issue is different.
>
>
> I