Thanks Thierry,
IPA backup had failed much before, unfortunately not able to restore those logs.
But I made some progress by trying to restore different daily backups. And I
found one that was restored "successfully", and 389ds has started after that.
But new problem is that replica from another
Hi there, this is ipa-server-4.4.0-12.0.1 with 389-ds-base-1.3.5.10-11 and
suddenly daily backup has started to fail with messages:
2019-01-28T04:10:04Z INFO Backing up ipaca in REALM-COM to LDIF
2019-01-28T04:10:04Z INFO Waiting for LDIF to finish
2019-01-28T04:10:05Z DEBUG File
"/usr/lib/py
> Hi, have you found resolution here?
>
> I get same/similar error while troubleshooting expired certificates, for
> example going
> back in time when all certs are valid and restarting certmonger, then I see
> this error.
sorry, please ignore. Apologies.
Hi, have you found resolution here?
I get same/similar error while troubleshooting expired certificates, for
example going back in time when all certs are valid and restarting certmonger,
then I see this error.
___
FreeIPA-users mailing list -- freei
Hi Rob,
when certmonger fails to renew a cert, and PKI is running, it fails and
dogtag-ipa-ca-renew-agent-submit shows the message:
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal
error
I hope to troubleshoo
> There is a way to disable the selftest but this is a sort of last resort.
Hi Rob, I am afraid disabling SelfTest is maybe the way to resolve the issue.
Is there any documentation on this? IPA 4.4.0 and pki-server 10.3.3
Forgot to add versions:
ipa-server is 4.4.0 and pki-server is 10.3.3
Hi there, still working on cert renewal with a little bit of progress, hence
asking kindly for more support until final resolution. As per the subject,
certmonger renews two out of four certificates.
[1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid
[2] restart krb5kdc, 389
Once again, I am back in time when all certs are valid, for example:
# date
Fri Aug 3 01:47:18 PDT 2018
Yet, CA cannot start and /var/log/pki/pki-tomcat/ca/selftests.log reads:
0.localhost-startStop-2 - [03/Aug/2018:01:03:17 PDT] [20] [1] CAPresence: CA
is present
0.localhost-startStop-2
I've also reset nss trust flag, as per
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
and still getting "Insufficient access: Invalid credentials", from the
previous post.
Hi Fraser, I am making some progress. Let's please continue.
[1]
I was able to follow your info and find common date in past for all certs to be
valid.
Note, in case this is important, I have four IPA servers and I do this on CA
renewal master.
[2]
Then system clock was set to past time (a
Thank you Fraser for the support.
'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no problem
here.
But I am afraid I can't find common date for remaining four certs. As per
the data below:
[1] There is common date for auditSigningCert, subsystemCert and Server-Cert
[2] There
The /var/lib/pki/pki-tomcat/logs/ca/selftests.log reads:
0.localhost-startStop-2 - [06/Nov/2018:15:55:02 PST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-2 - [06/Nov/2018:15:55:02 PST] [20] [1]
SelfTestSubsystem: loading all self test plugin logger parame
Hi, this is the part of troubleshooting expired certificates (it's in another
post). I can't successfully renew certs after going back in time and I believe
the reason is that CA is not starting. Some of the posts and Bugzilla bugs suggest
using PKI basic authentication, that I try without success,
Hi Rob, any idea why going back in time prevents named from running? It looks
like it's active but with errors. Then, returning to the present, the service
doesn't have any errors.
> This doesn't . You are forcefully going back in time. As long as it
> doesn't prevent named from starting and at least limping along then it
> isn't worth pursuing until the certs are renewed.
I can confirm that going back in time prevents named from running. It looks like it's
active but with errors. Th
From what I experience, during "killing ntpd, going back a few days, restart
krb5kdc, dirsrv, httpd and the CA then certmonger", service
ipa-dnskeysyncd.service is failing.
Aug 10 10:19:18 ca-ldap04 ipa-dnskeysyncd: ipa : DEBUGKerberos
principal: ipa-dnskeysyncd/ca-ldap04.domain.
Rob, what kind of response means success, one server returns 404?
> GET /ca/agent/ca/profileReview HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ca-ldap01:8443
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Conten
Hi Rob, it won't work on 4.4.0 for now.
# python2 /tmp/checkcerts/ipa-checkcerts.py
Traceback (most recent call last):
File "/tmp/checkcerts/ipa-checkcerts.py", line 21, in <module>
from ipalib.install import certstore
ImportError: No module named install
I guess it's not appropriate to use this th