Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Hi All, Just following on from this, I have performed an installation without --setup-ca and it has completed successfully. I now need to understand what impact this might have, is it the case that I can still install/configure the CA component? Is there any documentation on this action? Also

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Ah, thanks for that Lachlan - it's always reassuring to hear that it's not just me! As mentioned above I have it running without the CA so that's a good start. I am sure we will upgrade as well once 4.5 becomes stable and GA for CentOS. I'm not expecting that to happen quickly so will have to work

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Lachlan Musicman
We are seeing this. I'm not at work, but I think it's bug report 6766. Patch has already been committed (not by us), we're waiting for IPA 4.5. cheers L. -- "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Lachlan Musicman
https://pagure.io/freeipa/issue/6766 4.5.1 - I stand corrected. Can add more tomorrow. -- "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and

[Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Hi All, I am currently stuck trying to setup the first replica of our master IPA server. I have tried a number of different approaches including escalating from a client and nothing is working for me. I perform a full OS reset each time I get stuck. I'm running CentOS 7.2 with the FreeIPA 4.4.0

[Freeipa-users] IMPORTANT: Migration of FreeIPA-users list to lists.fedorahosted.org

2017-05-18 Thread Martin Bašti
Dear FreeIPA-users subscribers, due to various issues with the current mailing lists, the FreeIPA-users list is being migrated to a new provider, lists.fedorahosted.org. Information about the new list: E-mail address: freeipa-us...@lists.fedorahosted.org Archives:

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Martin Bašti
Please note that commits in #6766 will not fix this issue, the issue is on the dogtag side, please see https://pagure.io/dogtagpki/issue/2646 Sorry for the trouble On 18.05.2017 12:19, Callum Guy wrote: Haha, looks like i'm going CA-less for a while on the replica. I don't see any immediate

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Haha, looks like i'm going CA-less for a while on the replica. I don't see any immediate requirement for one so time to get on with my life! I'll post back if anything changes but I'm probably stuck waiting for the upgrade too.. On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Lachlan Musicman
Sorry cobber. We only found 6766 today - we've been tackling it on and off for a couple of weeks :) -- "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards

Re: [Freeipa-users] I think I lost my CA...

2017-05-18 Thread Bret Wortman
On 04/26/2017 06:02 PM, Rob Crittenden wrote: Bret Wortman wrote: So I can see my certs using cert-find, but can't get details using cert-show or add new ones using cert-request. # ipa cert-find : -- Number of entries returned 385

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Thanks for that Martin. The man page for ipa-ca-install suggests I could pass in my replica file to create a "CA-less" configuration. Is this what I want or is a CA-full appropriate? All I want to achieve is the additional resilience provided by a replica which can both authorise and sign

Re: [Freeipa-users] Cant locate CSN after yum update

2017-05-18 Thread Ludwig Krispenz
hi, there was a change that in the case of a missing CSN DS would not silently use a "close" one and continue, but log an error, back off and retry - after updates on other masters the starting CSN could change and replication continue. Now, in your case the CSN reported missing:

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Martin Bašti
It will create a clone of the original CA, it will work as a backup, not a separate CA. I'm afraid it will result in the same behavior because it uses almost the same code, but as I said before this issue is on the dogtag side and not always reproducible. On 18.05.2017 14:44, Callum Guy wrote:

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
OK Martin, thanks for the explanation - I suspected it might not work quite correctly. On that basis I have decided to hold off and wait for a more optimistic situation. I really appreciate the advice, looks like my time will be better spent configuring the clients to use the replica! On Thu, May

[Freeipa-users] Cant locate CSN after yum update

2017-05-18 Thread Christophe TREFOIS
Hi all, Did a yum update on one of my replicas, a non-CA master, and the upgrade was successful (ipupgrade.log said so). However, now every few seconds I get the following message. https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE= Does anybody know how to proceed

Re: [Freeipa-users] I think I lost my CA...

2017-05-18 Thread Bret Wortman
Oops, the slapd messages are arriving every 60s, not 5m. On 05/18/2017 08:56 AM, Bret Wortman wrote: httpd_error seems to give the most information. When i try to use ipa cert-show: ipa: INFO: [jsonserver_kerb] ad...@damascusgrp.com: ping(): SUCCESS (111)Connection refused: AH00957: AJP:

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote: > On 05/15/2017 08:33 PM, Michael Plemmons wrote: > >> I have done more searching in my logs and I see the

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Florence Blanc-Renaud
On 05/18/2017 03:49 PM, Michael Plemmons wrote: *Mike Plemmons | Senior DevOps Engineer | CROSSCHX * 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud

Re: [Freeipa-users] Cant locate CSN after yum update

2017-05-18 Thread Christophe TREFOIS
Dear Ludwig, Thanks for your help in IRC to guide me in running the right commands. Here is the output, toto1 and toto2 are CA master, and toto3 and toto4 are non CA master. The problematic replica was toto3, and after re-init, we haven’t seen any errors in the log anymore.

Re: [Freeipa-users] Cant locate CSN after yum update

2017-05-18 Thread Christophe TREFOIS
Hi Ludwig, Since we were scared, we did a full re-init of that specific replica from the CA master, and it looks like the issue is not appearing anymore. Is this sufficient, or should we still investigate ? Thanks for your help! Christophe -- Dr Christophe Trefois, Dipl.-Ing. Technical

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
SOLVED! Thank you Flo! That did the trick. Once I made the change to the certificate and restarted the IPA services everything came back up like it was supposed to. High five! *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On

Re: [Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-18 Thread Goran Marik
Thanks Ludwig for the suggestion and thanks to Maciej for the confirmation from his end. This issue has been happening for us for several weeks, so I don't think this is a transient problem. What is the best way to sanitize the logs without removing useful info before sending them your way? Will

Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)

2017-05-18 Thread Jakub Hrozek
On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote: > > > On 5/17/17 9:22 AM, Jakub Hrozek wrote: > > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote: > > > Hi Folks, > > > > > > Last week I deployed freeipa on a CentOS7 VM. The installation went very > > > smoothly

[Freeipa-users] CA CRL not tracking any certificates. Normal?

2017-05-18 Thread Christophe TREFOIS
Hi, I just saw that my CA CRL master is not tracking any certs. However, my other CA master replica is tracking 8 certificates. Is this normal and expected? Thanks, Christophe -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] I think I lost my CA...

2017-05-18 Thread Bret Wortman
httpd_error seems to give the most information. When i try to use ipa cert-show: ipa: INFO: [jsonserver_kerb] ad...@damascusgrp.com: ping(): SUCCESS (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed AH00959: ap_proxy_connect_backend disabling
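The httpd error_log lines quoted in this message (and repeated in the earlier reply in the same thread) are the signature of mod_proxy failing to reach the backend behind the CA URLs: AH00957 is the per-attempt connect failure, AH00959 is mod_proxy taking the worker out of rotation. As an added example that is not part of the original post and is not FreeIPA or Dogtag code, here is a small Python triage helper that pulls those two events out of error_log text, counts failures per backend and names the service to check. The sample log below is constructed (timestamps, pids and the principal are made up; only the AH00957/AH00959 message text follows the thread), and the mapping of 127.0.0.1:8009 to pki-tomcatd@pki-tomcat is an assumption about the FreeIPA httpd-to-Dogtag AJP proxy layout, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample log. The AH00957/AH00959 message text mirrors what was
# quoted in the thread; timestamps, pids and the principal are made up.
SAMPLE_ERROR_LOG = """\
[Thu May 18 08:50:01.104812 2017] [:info] [pid 2112] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: ping(): SUCCESS
[Thu May 18 08:50:02.210443 2017] [proxy:error] [pid 2113] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Thu May 18 08:50:02.210501 2017] [proxy:error] [pid 2113] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Thu May 18 08:51:02.331877 2017] [proxy:error] [pid 2114] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Thu May 18 08:51:02.331902 2017] [proxy:error] [pid 2114] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
"""

# Assumption used for the triage hint: on a FreeIPA server httpd proxies the
# CA URLs to Dogtag over AJP on localhost:8009, which is served by the
# pki-tomcatd@pki-tomcat unit. Extend this table for other local backends.
KNOWN_BACKENDS = {
    ("127.0.0.1", 8009): "pki-tomcatd@pki-tomcat",
}

# AH00957: "(<errno>)<strerror>: AH00957: <scheme>: attempt to connect to <host>:<port> (<worker>) failed"
CONNECT_FAIL_RE = re.compile(
    r"\((?P<errno>\d+)\)(?P<strerror>[^:]+): AH00957: (?P<scheme>\w+): "
    r"attempt to connect to (?P<host>[^:\s]+):(?P<port>\d+) \((?P<worker>[^)]+)\) failed"
)
# AH00959: mod_proxy disabling the worker after a failed connect
WORKER_DISABLED_RE = re.compile(
    r"AH00959: ap_proxy_connect_backend disabling worker for \((?P<worker>[^)]+)\)"
)


def parse_backend_failures(log_text):
    """Return one dict per AH00957 line: scheme, host, port, errno, strerror, worker."""
    failures = []
    for line in log_text.splitlines():
        m = CONNECT_FAIL_RE.search(line)
        if m:
            failures.append({
                "scheme": m.group("scheme"),
                "host": m.group("host"),
                "port": int(m.group("port")),
                "errno": int(m.group("errno")),
                "strerror": m.group("strerror").strip(),
                "worker": m.group("worker"),
            })
    return failures


def triage(log_text):
    """Aggregate connect failures per backend and attach the service to check.

    Each report entry says how many AH00957 events hit that host:port, whether
    mod_proxy also disabled the worker (AH00959), and which local service the
    backend belongs to according to KNOWN_BACKENDS.
    """
    failures = parse_backend_failures(log_text)
    disabled_workers = set()
    for line in log_text.splitlines():
        m = WORKER_DISABLED_RE.search(line)
        if m:
            disabled_workers.add(m.group("worker"))

    counts = Counter((f["host"], f["port"]) for f in failures)
    report = []
    for (host, port), n in sorted(counts.items()):
        workers = {f["worker"] for f in failures if (f["host"], f["port"]) == (host, port)}
        report.append({
            "backend": f"{host}:{port}",
            "failures": n,
            "worker_disabled": bool(workers & disabled_workers),
            "service": KNOWN_BACKENDS.get((host, port), "unknown backend"),
        })
    return report


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; point it at
    # /var/log/httpd/error_log on a real server instead.
    for entry in triage(SAMPLE_ERROR_LOG):
        print(entry)
```

A non-empty report with worker_disabled set points at the proxied backend, not at the IPA framework that logged the successful ping() on the line before, so the first thing to confirm is the state of that unit (for the 8009 case, `systemctl status pki-tomcatd@pki-tomcat`) before touching any certificates.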

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Florence Blanc-Renaud
On 05/15/2017 08:33 PM, Michael Plemmons wrote: I have done more searching in my logs and I see the following errors. This is in the localhost log file /var/lib/pki/pki-tomcat/logs May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log SEVERE: StandardWrapper.Throwable

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Thanks Martin, really appreciate the additional information. Are you aware of a separate guide for installing DogTag/PKI on top of FreeIPA - basically I am happy to install separately if it doesn't compromise the FreeIPA server configuration, I'm not clear on whether this is possible without a

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Martin Bašti
ipa-ca-install will install on top of a FreeIPA CA-less replica, nothing else, you really don't want to do it manually. On 18.05.2017 14:12, Callum Guy wrote: Thanks Martin, really appreciate the additional information. Are you aware of a separate guide for installing DogTag/PKI on top of