Re: [Freeipa-users] Where should the CA Location

2016-06-24 Thread Florence Blanc-Renaud
Hi Disclaimer: I'm new on this mailing list but willing to share experience :) Did you use "ipa-cacert-manage install -t C,," to install your external CA certificate? This command copies the certificate in cn=certificates,cn=ipa,cn=etc,dc=xxx After this, you can use ipa-certupdate which

Re: [Freeipa-users] FreeIPA / Change SSL Certificate for Web Server

2016-07-22 Thread Florence Blanc-Renaud
On 07/22/2016 05:08 AM, Devin Acosta wrote: I have just installed a newly created FreeIPA server running CentOS 7.2. I have a (wildcard) SSL Certificate that I want to use for the FreeIPA Web Management GUI. I tried to follow the directions listed here at the URL of

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-03 Thread Florence Blanc-Renaud
On 08/02/2016 04:52 AM, Richard Harmonson wrote: On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik > wrote: On 07/31/2016 07:45 AM, Richard Harmonson wrote: > I having challenges resuming ipa-server-install --external-ca. I am reasonably

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-04 Thread Florence Blanc-Renaud
On 08/03/2016 07:54 PM, Richard Harmonson wrote: On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 08/02/2016 04:52 AM, Richard Harmonson wrote: On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvob

Re: [Freeipa-users] updating certificates

2016-08-10 Thread Florence Blanc-Renaud
Hi Josh, depending on your IPA version, you may consider using ipa-server-certinstall and ipa-certupdate. ipa-server-certinstall can be used to install a new certificate for Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the CA certificates found in the LDAP server.

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Florence Blanc-Renaud
On 07/20/2016 10:04 PM, mohammad sereshki wrote: hi I checked my IPA server which is version ipa-server-3.0.0-25, command "ipa-get-cert list" shows my certificate will expire in the next 20 days, I do not know how to regenerate them but command "getcert list" shows expiration certificates are

Re: [Freeipa-users] A question related the passwords in the ldap

2016-07-05 Thread Florence Blanc-Renaud
Hi Bahan, the user passwords stored in LDAP follow the password policy configured in the LDAP server, which defines password syntax requirements as well as the password encryption algorithm. You can find more information in RedHat Directory Server Administration Guide, in the section Managing

Re: [Freeipa-users] Third Party Certificate

2016-08-02 Thread Florence Blanc-Renaud
On 08/02/2016 03:17 PM, Ian Harding wrote: Hello! I have been using FreeIPA for a while in our network with 6 replicas and it's been working great. I seem to have made a wee mistake though and I'd appreciate some help. I did this:

Re: [Freeipa-users] How to reinstall the ca or the dogtag system

2016-06-30 Thread Florence Blanc-Renaud
Hi, the message "LDAP Server Down" seems to indicate that the LDAP server is not started. You can restart it using: systemctl restart dirsrv@REALM.service Flo. On 06/29/2016 03:58 AM, Barry wrote: Hi: Errors occur ...cert ni problem ..seem ca error and cannot tract cert. thx

Re: [Freeipa-users] Where should the CA Location

2016-06-30 Thread Florence Blanc-Renaud
C,, Flo. On 06/29/2016 12:26 PM, barry...@gmail.com wrote: It is 3.0 version cannot use those commands. 2016-06-25 2:06 GMT+08:00 Florence Blanc-Renaud <fren...@redhat.com <mailto:fren...@redhat.com>>: Hi Disclaimer: I'm new on this mailing list but will

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-02-01 Thread Florence Blanc-Renaud
On 02/01/2017 05:47 PM, Steve Huston wrote: Would it be better to file this as a new bug, or reopen 4291? Hi, we are already aware of the problem and working on a fix (please see https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and https://fedorahosted.org/freeipa/ticket/6575). HTH,

Re: [Freeipa-users] FreeIPA Help

2017-02-22 Thread Florence Blanc-Renaud
On 02/22/2017 04:41 AM, Daniel Schimpfoessl wrote: Is there a way for me to export my data (users, groups, ...), rebuild the server and import the data again? Daniel Hi Daniel, please keep the mailing list in CC as the content may also benefit other users with similar issues. Does anyone

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud
, though? Maybe the cert installation needs some hardening. Flo. No further questions actually :) Cheers, Matt 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: On 02/15/2017 05:40 PM, Matt . wrote: Hi, Is there any update on this ? I need to install 3 other instances

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-21 Thread Florence Blanc-Renaud
will look through the steps closely tomorrow and will create some lineup here. Cheers, Matt 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: On 02/16/2017 09:55 PM, Matt . wrote: Hi Flo! (if I may call you like that, saves some characters in typing but with this extra

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-20 Thread Florence Blanc-Renaud
On 02/17/2017 10:36 AM, Tiemen Ruiten wrote: I went through that bugreport, particularly this section... OK, I think I found the error. On the logs I get something like this *before* the failing dirsrv restart: 2017-01-14T03:41:28Z DEBUG [27/44]: retrieving DS Certificate

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud
: Fedora 24 Freeipa VERSION: 4.4.2, API_VERSION: 2.215 I installed this server as self-signed CA Cheers, Matt 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: On 02/14/2017 05:43 PM, Matt . wrote: Hi Florence, Thanks for your update, good to see some good into ab

Re: [Freeipa-users] Switch certificates from external CA to internal

2017-01-16 Thread Florence Blanc-Renaud
tomcat/alias -n 'caSigningCert cert-pki-ca' -P -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"' HTH, Flo. Jeff On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <f...@r

Re: [Freeipa-users] 3rd party Certificate install

2016-09-13 Thread Florence Blanc-Renaud
Hi, ipa-cacert-manage must be run as root but does not require any Kerberos ticket. You can run the following command to check your directory manager password: /usr/bin/ldapsearch -h localhost -p 389 -D "cn=directory manager" -w '#-!???<<' -b "" -s base If the password is wrong, you

Re: [Freeipa-users] Question Test 3rd Party Certificate

2016-09-26 Thread Florence Blanc-Renaud
On 09/24/2016 02:37 PM, Günther J. Niederwimmer wrote: Hello, what is the best way to test a newly installed 3rd party certificate? I hope I have now installed (with big problems) the new certificate on clients and servers. But now the big question is: is this all working correctly together (?), or

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud
ple.com <http://ipa2.example.com>, hence the users who visit https://ipa2.example.com will experience security warning from the browser, as expected... What could be a solution for this? Thanks again! On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@red

Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Florence Blanc-Renaud
On 09/19/2016 01:31 PM, Deepak Dimri wrote: Hi All, I want to add a couple of custom attributes to IPA Host. I have already added custom attributes and objectclass "AWSInstanceDetails" to my schema successfully but when I am trying to modify an existing host to include the new objectclass I am getting

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-22 Thread Florence Blanc-Renaud
Hi Korey, I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12 probably doesn't contain the trust flags for some certificates. You can check by running pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password and see if the output displays "Trust Flags:

Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-21 Thread Florence Blanc-Renaud
On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote: Hello. Thanks for the first help, On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote: On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote: Hello, Freeipa 4.3.1 I have now installed a 3rd Party Certificate from Startcom

Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-19 Thread Florence Blanc-Renaud
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote: Hello, Freeipa 4.3.1 I have now installed a 3rd Party Certificate from Startcom now my IPA is total broken? I make this ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt ipa-certupdate ipa-server-certinstall

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud
Hi, The instructions that you followed are used when you want to install FreeIPA with an embedded Certificate Authority (i.e. FreeIPA is able to issue certificates), and FreeIPA CA is signed by a 3rd party CA. Maybe your goal is just to use a 3rd party certificate for IPA's LDAP server and

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud
-server.html#install-server-without-ca Thanks again! On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: Hi, The instructions that you followed are used when you want to install FreeIPA with an embedded Certificate A

Re: [Freeipa-users] How to get a new cert

2016-09-27 Thread Florence Blanc-Renaud
Hi Bret, would the following be helpful? In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 17.1.1 Requesting New Certificates for a User, Host, or Service [1] Flo. [1]

Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Florence Blanc-Renaud
ains the key, the new certificate and IPA CA certificate. HTH, Flo. Merci! Bret On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote: Hi Bret, would the following be helpful? In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 17.1.1 Requesting New Certificates

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-20 Thread Florence Blanc-Renaud
19, 2016 at 11:49 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 10/19/2016 05:23 PM, beeth beeth wrote: I once asked about Install IPA servers with certificate provided by third-party like Verisign(https://www.redhat.com/arch

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-20 Thread Florence Blanc-Renaud
On 10/19/2016 08:18 PM, Bertrand Rétif wrote: *From: *"Bertrand Rétif" *To: *freeipa-users@redhat.com *Sent: *Wednesday 19 October 2016 15:42:07 *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud
On 10/19/2016 05:23 PM, beeth beeth wrote: I once asked about Install IPA servers with certificate provided by third-party like Verisign(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html ).

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud
pport, I tried to fix this issue for days! Regards Bertrand -- Bertrand Rétif Phosphore Services Informatiques - http://www.phosphore.eu Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44 -------- *From: *"Floren

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud
On 11/22/2016 11:50 AM, Bertrand Rétif wrote: *From: *"Florence Blanc-Renaud" <f...@redhat.com> *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com *Sent: *Tuesday 22 November 2016 11:33:45 *Subject: *Re: [Freeipa-users] Impossib

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud
sers] Impossible to renew certificate. pki-tomcat issue *From: *"Florence Blanc-Renaud" <f...@redhat.com> *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@re

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-25 Thread Florence Blanc-Renaud
On 11/23/2016 02:25 PM, Bertrand Rétif wrote: *From: *"Florence Blanc-Renaud" <f...@redhat.com> *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com *Sent: *Me

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
On 11/17/2016 12:09 PM, Morgan Marodin wrote: Hello. This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :( If I try to launch the upgrade manually this is the output: /[root@mlv-ipa01 download]# ipa-server-upgrade Upgrading IPA:

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
ample.com <mailto:dir...@example.com> service and then krb5kdc. This will at least let your users authenticate. The management framework (GUI) runs through Apache so that will be down until we can get Apache started again. rob > > Please let me know, tha

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Florence Blanc-Renaud
ssword -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN The cert will be stored in the field "usercertificate". HTH, Flo. Please let me know, thanks. Bye, Morgan 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.co

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Florence Blanc-Renaud
On 10/11/2016 07:36 PM, Bennett, Chip wrote: I just joined this list, so if this question has been asked before (and I’ll bet it has), I apologize in advance. A google search was unrevealing, so I’m asking here: we’re running FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread Florence Blanc-Renaud
On 11/29/2016 03:19 PM, David Dejaeghere wrote: Can you give me a couple of test commands? I am not familiar with Dogtag. Hi, To reproduce the issue: 1. install IPA server 2. On the replica, run ipa-client-install 3. On the server, stop dogtag with $ systemctl stop

Re: [Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

2016-12-12 Thread Florence Blanc-Renaud
On 12/12/2016 10:32 PM, jay wrote: Hello, I have been testing freeipa on CentOS 7 for a while now with a relatively simple setup, just a single server and 12 or so Linux clients in AWS. I went to rebuild the environment today and part of my Ansible playbook failed with this error ipa: ERROR:

Re: [Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

2016-12-14 Thread Florence Blanc-Renaud
/Deployment_Recommendations#Active_Directory_Integration without IPV6 enabled. Or has that always been a requirement and I just got lucky somehow. I'm looking through the docs now. Regardless, thank you very much for the help Flo! Jay On Tue, Dec 13, 2016 at 10:20 AM, Florence Blanc-Renaud <f...@redhat.

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-14 Thread Florence Blanc-Renaud
On 12/14/2016 01:08 PM, beeth beeth wrote: Thanks David. I installed both the master and replica IPA servers with third-party certificates(Verisign), but I doubt that could be the issue, because I had no problem to run the same ipa-client-install command on a RHEL7 machine(of course, the

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-15 Thread Florence Blanc-Renaud
Not After : Sat Dec 15 16:56:02 2018 If the certificate is still valid, you may want to read 389-ds How-To to make sure that SSL is properly setup: http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings Flo. On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-16 Thread Florence Blanc-Renaud
e-run ipa-client-install. Flo. On Thu, Dec 15, 2016 at 10:52 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 12/14/2016 07:49 PM, beeth beeth wrote: Hi Flo, Thanks for the great hint! I reran the ipa-client-install on the rh

Re: [Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

2016-12-13 Thread Florence Blanc-Renaud
vax.ws.rs.core.Application: class org.dogtagpki.server.ca.rest.CAApplication Next steps to debug would be to increase Tomcat logs. Flo. Thanks, Jay On Tue, Dec 13, 2016 at 1:56 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 12

Re: [Freeipa-users] Switch certificates from external CA to internal

2017-01-12 Thread Florence Blanc-Renaud
On 01/12/2017 02:57 PM, Jeff Goddard wrote: I've had issues with expired certificates. In the course of troubleshooting I've somehow set the cas to external. Is there a way I can switch back? [root@id-management-1 conf]# getcert list-cas CA 'SelfSign': is-default: no ca-type:

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-30 Thread Florence Blanc-Renaud
6-11-29 22:16 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>>: On 11/29/2016 03:19 PM, David Dejaeghere wrote: Can you give me a couple of test commands? I am not familiar with Dogtag. Hi, To reproduce the issue: 1.

Re: [Freeipa-users] Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA

2016-12-05 Thread Florence Blanc-Renaud
On 12/05/2016 08:15 PM, Robert Kudyba wrote: Are there instructions to manually uninstall? I’m getting the below errors. ipa-server-install -U --uninstall ipa.ipapython.install.cli.uninstall_tool(Server): ERROR Server removal aborted: Deleting this server is not allowed as it would leave

Re: [Freeipa-users] Directory Manager Password Change

2016-12-05 Thread Florence Blanc-Renaud
On 12/05/2016 01:05 PM, Callum Guy wrote: Hi All, I have been testing FreeIPA and now plan to migrate to production use - thanks for creating such a great application! During the test phase we have been using simple passwords for the admin and directory manager users however we need these

Re: [Freeipa-users] updating certificates

2017-01-04 Thread Florence Blanc-Renaud
On 12/24/2016 01:58 AM, Josh wrote: Hi Rob, I'd like to really clarify renew certificate process. I can successfully update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but any new ipa client gets expired certificate still present someplace in LDAP. I was trying to use

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Florence Blanc-Renaud
On 01/04/2017 12:41 PM, Christophe TREFOIS wrote: Hi Fraser, We encountered the same issue. We exported the certificate from a "good" replica, using certutil. We then used certutil -A -n ipaCert -d /etc/httpd/alias/ -i /opt/sysadmin/cacert.crt -a -t CT,C on the bad server and then restarted

Re: [Freeipa-users] section 2.3.6. Installing Without a CA - then how to update expired certificates in LDAP?

2017-01-02 Thread Florence Blanc-Renaud
On 12/24/2016 05:54 AM, Josh wrote: I discussed this problem once before and got partial answers but I would like to finally resolve it. Scenario: 1. Install IPA without a CA, according to section 2.3.6 as of now in latest RHEL7 Linux Domain Identity, Authentication and Policy Guide. 2.

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-02 Thread Florence Blanc-Renaud
host:636 -D "cn=directory manager" -w > *** -b "" -s base > Inline image 2 You need the -x flag to indicate simple bind. rob > The logs have thousands of lines like it, what am I looking for

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-05 Thread Florence Blanc-Renaud
olved in IPA? Would be good to consolidate them into ELK for analysis. 2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>>: On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote: Thanks for your reply. This was t

Re: [Freeipa-users] ipa replica installation help

2017-01-09 Thread Florence Blanc-Renaud
On 01/09/2017 01:27 PM, Ben .T.George wrote: Hi List, has anyone faced/fixed this issue? Regards, Ben Hi Ben, the directory server fails to restart on the replica. Are there any specific error messages in /var/log/dirsrv/slapd-$DOMAIN/errors and access log files? If you are hitting

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-04 Thread Florence Blanc-Renaud
<http://wwgwho01.webwim.com> port 636 Error netscape.ldap.LDAPException: Authentication failed (48) ... and finally: [02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown() 2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>>:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
On 01/06/2017 04:47 PM, Jeff Goddard wrote: Sorry for the typo. here is the correct output: ldapsearch -h id-management-1.internal.emerlyn.com SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
host-startStop-1]: CMSEngine.shutdown() Is there something else I should be looking at? Jeff On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 01/06/2017 04:47 PM, Jeff Goddard wrote: Sorry for the typo

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2016-12-20 Thread Florence Blanc-Renaud
On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote: Good day and happy holidays, I have been running a freeIPA instance for a few years and been very happy. Recently the certificate expired and I updated it using the documented methods. At first all seemed fine. Added a Nagios monitor for the

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-20 Thread Florence Blanc-Renaud
On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote: On 12/15/2016 08:01 PM, beeth beeth wrote: Hi Flo, That's a good point! I checked the dirsrv certificate and confirmed valid(good until later next year). Since I had no problem to enroll another new IPA client(RHEL7 box instead of RHEL6

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud
On 12/21/2016 07:52 PM, Lucas Diedrich wrote: Hello guys, I'm having some trouble; what is happening with my server is that I'm hitting an old BUG (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti over irc he oriented me to send this to the email list. The problem

Re: [Freeipa-users] backing up and starting over...

2016-12-22 Thread Florence Blanc-Renaud
On 12/21/2016 10:26 PM, Robert Story wrote: I'm running a small instance of freeipa on CentOS 7 in our lab, for about 20 machines. Since CentOS 7.3 came out and upgraded from 4.2 to 4.4, things have gotten flaky. e.g. clicking on a user gets the spinning 'Working' dialog and can take 3-5 minutes

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud
2016 at 06:54, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote: On 12/21/2016 07:52 PM, Lucas Diedrich wrote: > Hello guys, > > I'm having some trouble; what is happening with my server is that > I'm hitting an old BUG

Re: [Freeipa-users] [Freeipa-devel] Certificate expiration consequences

2016-12-22 Thread Florence Blanc-Renaud
On 12/22/2016 12:22 PM, Pablo Hinojosa wrote: Hi all, I have realized my Freeipa webui ssl certificate is close to expiring. It is supposed to auto-renew but it seems I am affected by this bug/defect (maybe due to a misconfigured installation). Here

Re: [Freeipa-users] AD-Trust Replica

2017-03-22 Thread Florence Blanc-Renaud
On 03/22/2017 09:33 AM, Wimmer Ronald (BCC.B.SO) wrote: Hi, do I have to set up the AD-trust on the Replica as well? Or is it just the master server where it has to be set up? Regards, Ronald Hi, the following chapter may help you understand the different roles for an IdM master

Re: [Freeipa-users] replica creation problems

2017-04-14 Thread Florence Blanc-Renaud
On 04/13/2017 07:50 PM, Josh wrote: Scenario: RHEL7 IPA with DNS and without CA. Initial installation was done using --http-cert-file, --dirsrv-cert-file with certificates from an issuer A. For a number of reasons replica must be created with certificates from an issuer B. A bundle consisting

Re: [Freeipa-users] bad certificate used to sign freeipa

2017-03-10 Thread Florence Blanc-Renaud
Hi, Which 'FreeIPA certificate' are you referring to? If you installed FreeIPA CA-less, then the root certificate was used to sign LDAP and HTTPd certificates and you can follow this page [1] to use a different CA and replace LDAP and HTTPd certs. If you installed IPA with an integrated CA,

Re: [Freeipa-users] Make Gpg replica fail, where cert store I should update new?

2017-03-07 Thread Florence Blanc-Renaud
Hi, In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1] If it doesn't, you can start by identifying which certificate expired with $ sudo getcert list | egrep -e

Re: [Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate

2017-04-05 Thread Florence Blanc-Renaud
On 04/05/2017 01:17 AM, Chris Herdt wrote: Although I had previously been using a self-signed certificate, I recently started using a cert signed by InCommon CA on my FreeIPA master (still on IPA 3.0.0 at this time). I added the certificate and intermediate certificates to /etc/ssl/certs and

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-26 Thread Florence Blanc-Renaud
e the logs (attached at first email). Then the replica servers aren't using external CA(s) like master did. So, I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine. If it's normal, then thanks for clarifying this. On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote: Hi

Re: [Freeipa-users] I think I lost my CA...

2017-04-27 Thread Florence Blanc-Renaud
On 04/26/2017 04:33 PM, Bret Wortman wrote: So I can see my certs using cert-find, but can't get details using cert-show or add new ones using cert-request. # ipa cert-find : -- Number of entries returned 385 -- #

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-28 Thread Florence Blanc-Renaud
On 04/28/2017 03:50 AM, Dewangga Bachrul Alam wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote: On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello! Master IPA Server: - I install 1 (one) server as master (self-signed

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-25 Thread Florence Blanc-Renaud
Hi, As your email refers to self-signed and signed CA certificate, can you please clarify the exact steps that you followed? It looks like - you first installed FreeIPA with a self-signed CA - you added an external CA (did you use ipa-cacert-manage install on 1 server then ipa-certupdate on

Re: [Freeipa-users] ipa-replica-install failes on setup-ca

2017-04-25 Thread Florence Blanc-Renaud
On 04/24/2017 09:37 AM, Bjarne Blichfeldt wrote: We had problems with one idm replica complaining about different ldap database versions and at the same time errors on starting pki-tomcat. I decided to delete the ipa server and reinstall. The ipa server delete went without problems, but the

Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Florence Blanc-Renaud
On 05/12/2017 04:09 PM, Tym Rehm wrote: So I'm testing a new freeipa 4.x setup that has a one-way trust to Active Directory. I have been able to define user groups to access the AD groups and configure the groups to work with HBAC rules. So my AD users are able to ssh into the client machines if

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Florence Blanc-Renaud
On 05/18/2017 03:49 PM, Michael Plemmons wrote: *Mike Plemmons | Senior DevOps Engineer | CROSSCHX * 614.427.2411 mike.plemm...@crosschx.com <mailto:mike.plemm...@crosschx.com> www.crosschx.com <http://www.crosschx.com/> On Thu, May 18, 2017 at 8:02 AM, Florence Bla

Re: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-04 Thread Florence Blanc-Renaud
On 05/03/2017 05:16 PM, Chris Dagdigian wrote: Any guidance for this one? Summary - this seems to be the fatal error that causes the CA setup on the replica to fail: May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Florence Blanc-Renaud
On 05/15/2017 08:33 PM, Michael Plemmons wrote: I have done more searching in my logs and I see the following errors. This is in the localhost log file /var/lib/pki/pki-tomcat/logs May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log SEVERE: StandardWrapper.Throwable