Rob, I'd love to test your tool, as part of working on my problem "ipa.service
fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence do you think
this is the obstacle?
Again, as part of "ipa.service fails to start" work, I was hoping to add new
IPA server 4.5.4, but ipa-replica-prepa
Hi Kees, I've been also looking to Rob's blog as part of working on my problem
("ipa.service "fails" to start").
In my case, when running the curl command (with -v), I do see
* About to connect() to ca-ldap03 port 8443 (#0)
* Trying x.x.x..x ...
* Connected to ca-ldap03 port 8443 (#0)
* Initia
Hi Flo and Rob, additional update.
There is a discrepancy in some of the certs' expiry times among the 4 servers; I thought
maybe another server could be a candidate to be the new renewal master.
The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well,
hence "ipa config-show" on all 4 servers
Agree Flo, making sure that I am in the past, unfortunately still no
resolution.
[root@ca-ldap01 ~]# systemctl restart krb5kdc
[root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service
[root@ca-ldap01 ~]# systemctl restart httpd
[root@ca-ldap01 ~]# systemctl restart pki-tomcatd@pki-tomcat
Hi Rob, I follow one of your suggestions in another post, it's :
"certmonger _should_ have renewed them. Try killing ntpd, going back a few
days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what
happens"
I did it, no success with messages:
- MainThread ipa DEBUG
Hi Rob, thanks much.
Some of Flo's blogs about the CA help me to understand better now. Sure, "ipa
cacert-manage renew" and "ipa-certupdate" were run before, hopefully not
harmful; "caSigningCert cert-pki-ca" was valid for 18 more years.
You're right, there is a mix of old and renewed ones, three req
No, the CA component is not running, and there seems to be not much activity under
/var/log/pki/pki-tomcat. Maybe these can be of interest:
[1] selftests.log
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1]
SystemCertsVerification: system certs verification failure: Certificate
ocspSigningCert c
Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and
/var/log/pki/pki-tomcat/ca/debug reads:
[08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM
INITIALIZED ===
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid:
Hi there,
This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.
After a reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl
start --ignore-service-failures" and this was kind of successful. I still have
some discrepancies, and am looking for troubleshooting ideas.
1."s
This is resolved by updating sudo package.
---> Package sudo.x86_64 0:1.8.6p7-11.el7 will be updated
---> Package sudo.x86_64 0:1.8.19p2-10.el7 will be an update
From: Pavel Březina
Sent: Thursday, August 31, 2017 1:48:33 AM
To: Jakub Hrozek; Z D
Cc: FreeIPA us
-users@lists.fedorahosted.org
Cc: Jakub Hrozek
Subject: [Freeipa-users] Re: sudo policy doesn't work since host is installed
with CNAME
On Wed, Aug 30, 2017 at 07:21:11PM +0000, Z D via FreeIPA-users wrote:
> Hi there,
>
> we're using ipa-server-4.4.0 (without its own DNS) and ar
Hi there,
we're using ipa-server-4.4.0 (without its own DNS) and are facing the situation
with A/CNAME host.
Basically a host is installed with CNAME as the OS, and IPA is aware of only A
record since host is joined to IPA domain with its A record. The A record is
member of proper host group a