On Thu, Jul 13, 2017 at 10:57:59AM +1000, Fraser Tweedale wrote:
> On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> > Hello,
> >
> > I'm getting desperate, I'm still unable to fix my expired certificates on
> > my freeIPA master.
> >
> > Summary:
> >
> >- I d
Yes. Yikes. Karl, I already replied to your earlier thread, but
`ipa-cacert-renew` was not the right command to run.
On Wed, Jul 12, 2017 at 09:38:44AM +, Callum Guy via FreeIPA-users wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like
> you have renewed the CA
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> Hello,
>
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
>
> Summary:
>
>- I discovered that my web ui SSL certificate had expired.
>- the certificate live
On Wed, Jul 12, 2017 at 01:20:36PM -0400, Mark Haney via FreeIPA-users wrote:
> I'm really new to FreeIPA, and this is probably a stupid question, but I
> just set up a replica of the primary (not in production) IPA server we have.
> However, the replica's SSL cert is untrusted, while the primary IP
How are you issuing the certs for the clients? Are they signed by the same
certificate chain that signed the IPA certificate? Did you install the CA
certificate chain as trusted CA on the clients?
On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <
freeipa-users@lists.fedorahosted.o
On 13 July 2017 at 00:48, bogusmaster--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> > On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via
> FreeIPA-users wrote:
>
> I have verified that hint. I've stopped sssd daemon, cleared the cache and
> started it back again.
The list was migrated to Fedora Hosted. (note the footer on messages and how
the posting address is @fedorahosted.org)
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
- Original Message -
From: "John Morris via FreeIPA-users"
To: "FreeIPA users list"
Seems the mailing list archives stopped working in mid-May:
https://www.redhat.com/archives/freeipa-users/
John
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fed
Is it possible to use certmonger to request a cert from a FreeIPA
sub-CA? What is the `ipa-getcert request` command-line usage for that?
The certmonger man-pages seem to indicate the `ipa-getcert request -X
ISSUER` argument. However I've been unable to find usage examples, and
using neither
I'm really new to FreeIPA, and this is probably a stupid question, but I
just set up a replica of the primary (not in production) IPA server we
have. However, the replica's SSL cert is untrusted, while the primary
IPA server's cert is fine. The docs I read said the SSL certs would be
carried o
We are in the process of switching to using an external CA. We have
successfully gone through the process and indeed the Web UI now shows the
expected certificate chain.
However when we issue certificates to our clients downstream they are using
a signing certificate that was not issued by the new
Hello,
I'm getting desperate, I'm still unable to fix my expired certificates on
my freeIPA master.
Summary:
- I discovered that my web ui SSL certificate had expired.
- the certificate lives in /etc/httpd/alias, is named Server-Cert
- for some reason, it is not tracked by ipa-getc
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users
> wrote:
>
>
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
>
> While on the client during authentication the user data is re
I think the problem is that the web UI certificate is not tracked by
Certmonger.
I compared with my replica server which seems alright:
master server (with expired certificate):
# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
status: MONITO
What was the IPA version you used? It might be not related, but when I upgraded
sssd to 1.15.2-5 ssh doesn't work for me neither on the FreeIPA server, nor on
the clients. What's more strange, getent passwd for AD users doesn't work for
the clients, although it works for the server.
Hello,
Today I realized that the https certificate for my freeipa web ui has
expired.
I tried to renew it using:
#ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
So it seemed to go well. I tried to r
On Wed, Jul 12, 2017 at 11:38 AM, Callum Guy wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like
> you have renewed the CA certificate which presumably would invalidate all
> existing certificates it has authorised.
>
I guess you are right. It rather seems that the
Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like
you have renewed the CA certificate which presumably would invalidate all
existing certificates it has authorised.
From your description it sounded like you just wanted the CA to issue a new
certificate for your IPA UI, thi
The problem is that the SSL certificate was not renewed by the
"ipa-cacert-manage renew" command.
So the http server refuses to start.
Hence my question: what is the correct way to renew the SSL certificate ??
Thanks.
Hi Patrick,
Firstly let's look at the sudo issue - I think you just need to add a second
sudo option to block the requirement for TTY:
Rule name: full_control
Description: Allow full command access on all hosts
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: