Hi Rob, I followed one of your suggestions in another post, it's:
"certmonger _should_ have renewed them. Try killing ntpd, going back a few
days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what
happens"
I did it, no success with messages:
- MainThread ipa DEBUG
On 25.10.2018 21.44, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 25-10-18 16:11, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
On 25-10-18 14:18, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Could it be that this error already existed since we s
Kees Bakker wrote:
> On 25-10-18 16:11, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> On 25-10-18 14:18, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
> Could it be that this error already existed since we started? Notice
> the Request ID of 2016..., an
Jeff Vincent via FreeIPA-users wrote:
> I inherited the management of our FreeIPA instance (master + 2 replicas).
> Most of our clients are running Ubuntu 14.04 or greater. It is becoming an
> issue where only cached credentials will work and any new users are unable to
> log in.
>
> So fa
Peter Tselios via FreeIPA-users wrote:
> Thanks John.
> It would be nice to create the certificate from the FreeIPA without any
> external tool though :(
A certificate has two keys, a public and a private key.
You need to generate the private key somewhere. It is best practice to
generate the k
I inherited the management of our FreeIPA instance (master + 2 replicas). Most
of our clients are running Ubuntu 14.04 or greater. It is becoming an issue
where only cached credentials will work and any new users are unable to log in.
So far in all cases, if I unconfigure freeipa ('ipa-cli
Thanks John.
It would be nice to create the certificate from the FreeIPA without any
external tool though :(
P.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahoste
I think you can do this if you upload your certificate and key to ACM in AWS,
and then use the ACM ARN for your uploaded certificate as the certificate for
the ALB.
You do need to generate the CSR separately indeed.
John
> On 25 Oct 2018, at 19:10, Peter Tselios via FreeIPA-users
> wrote:
>
Hello,
I want to create an AWS Load Balancer that will use HTTPS end to end.
I want to use my FreeIPA to generate the certificates for the instances and for
the ALB.
My questions:
1. Is it possible to issue a certificate from FreeIPA for the AWS ALB since the
latter will not be a FreeIPA client
Hi Rob, thanks much.
Some of Flo's blogs about CA help me to understand better now. Sure "ipa
cacert-manage renew" and "ipa-certupdate" were run before, hopefully not
harmful, "caSigningCert cert-pki-ca" was valid for 18 more years.
You're right, there is mix of old and renewed ones, three req
Hello,
Just want to share that is known issue to our cluster:
1 - install new replica
2 - install of the replica fails for any reason (in my case it was because I
am unable to set the server which custodia uses in the ipa-server-install
command line)
3 - ipa-server-install --uninstall
4 - RUVs from
On 25-10-18 16:11, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> On 25-10-18 14:18, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
Could it be that this error already existed since we started? Notice
the Request ID of 2016..., and the expires: 2018-10-24.
Kees Bakker via FreeIPA-users wrote:
> On 25-10-18 14:18, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> Could it be that this error already existed since we started? Notice
>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>
>>> # getcert list -n ipaCert | sed blabla
Dear Alexander,
You're exactly right, failure on my part to understand how the module
underneath was parsing keyword arguments (and that the attribute had to be
specifically omitted and not just a None value).
Thanks for your help, all working fine now.
Regards,
Callum
--
Callum Smith
Resear
On 25-10-18 14:18, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Could it be that this error already existed since we started? Notice
>> the Request ID of 2016..., and the expires: 2018-10-24.
>>
>> # getcert list -n ipaCert | sed blabla
>> Number of certificates and requests bein
On Thu, 25 Oct 2018, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Wed, 24 Oct 2018, Rob Crittenden via FreeIPA-users wrote:
Andrey Bychkov via FreeIPA-users wrote:
Hello, I fixed design page.
https://www.freeipa.org/page/V4/NTP_Servers_Configuration
Tibor, do you have any input on this
Z D via FreeIPA-users wrote:
> No, CA component is not running, and seems not much activity under
> /var/log/pki/pki-tomcat. Maybe these can be of interest:
>
> [1] selftests.log
> 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1]
> SystemCertsVerification: system certs verificatio
Kees Bakker via FreeIPA-users wrote:
> Could it be that this error already existed since we started? Notice
> the Request ID of 2016..., and the expires: 2018-10-24.
>
> # getcert list -n ipaCert | sed blabla
> Number of certificates and requests being tracked: 8.
> Request ID '20161103094546':
>
Alexander Bokovoy wrote:
> On Wed, 24 Oct 2018, Rob Crittenden via FreeIPA-users wrote:
>> Andrey Bychkov via FreeIPA-users wrote:
>>> Hello, I fixed design page.
>>>
>>> https://www.freeipa.org/page/V4/NTP_Servers_Configuration
>>
>> Tibor, do you have any input on this?
>>
>> As I read this it wi
Alexander Bokovoy wrote:
> On Thu, 25 Oct 2018, Callum Smith wrote:
>> Dear Alexander,
>>
>> The issue is not with the library (it does no validation of syntax) the
>> error I have provided is verbose directly from the FreeIPA API
>> response.
>
> It seems the library puts some defaults that aren'
No, CA component is not running, and seems not much activity under
/var/log/pki/pki-tomcat. Maybe these can be of interest:
[1] selftests.log
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1]
SystemCertsVerification: system certs verification failure: Certificate
ocspSigningCert c
Could it be that this error already existed since we started? Notice
the Request ID of 2016..., and the expires: 2018-10-24.
# getcert list -n ipaCert | sed blabla
Number of certificates and requests being tracked: 8.
Request ID '20161103094546':
status: CA_UNREACHABLE
ca-error: Error 77 c
Hi,
We have had FreeIPA running on Ubuntu 16.04 for about two years
now. For the last few days we see these messages in the log
Oct 22 17:32:14 ipasrv certmonger[1813]: 2018-10-22 17:32:14 [1813] Error 77
connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem
with the SSL CA
On 10/25/18 8:11 AM, Z D via FreeIPA-users wrote:
Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and
/var/log/pki/pki-tomcat/ca/debug reads:
[08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM
INITIALIZED ===
java.lang.Exception:
On Thu, 25 Oct 2018, Callum Smith wrote:
Dear Alexander,
The issue is not with the library (it does no validation of syntax) the
error I have provided is verbose directly from the FreeIPA API
response.
It seems the library puts some defaults that aren't accepted by the
FreeIPA API, unlike a cl
Dear Alexander,
The issue is not with the library (it does no validation of syntax) the error I
have provided is verbose directly from the FreeIPA API response.
How would you suggest I re-factor this code so that the error is acceptable?
Regards,
Callum
--
Callum Smith
Research Computing Core
26 matches