I tried also the following commands :
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042...@gmail.com> wrote:

> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in the
> nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Do you know what is the CMS ?
> ###
> (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mba...@redhat.com> wrote:
>
>> did you restart IPA when you moved time? Is there a more detailed error
>> description in output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file
>>> /etc/httpd/conf.d/nss.conf :
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I do the getcert now I got the following result :
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=CA Audit,O=<MYREALM>
>>> expires: 2018-04-09 11:39:16 UTC
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063904':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=OCSP Subsystem,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063905':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=CA Subsystem,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063906':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=IPA RA,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063907':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063919':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:39:18 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063953':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:39:52 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528064145':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:41:44 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> ###
>>>
>>> Indeed, the entries outdated are the following :
>>> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>>> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>>> - for httpd ? : 20140528064145
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:
>>>
>>>> Ok :D
>>>>
>>>> Because to perform the getcert list command, I need to have all the ipa
>>>> services running right ?
>>>>
>>>> Here is the result of the command with the ipa services down.
>>>> ###
>>>> # getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20140528063903':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=CA Audit,O=<MYREALM>
>>>> expires: 2018-04-09 11:39:16 UTC
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063904':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=OCSP Subsystem,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-OCSPSigning
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063905':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=CA Subsystem,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063906':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=IPA RA,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063907':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063919':
>>>> status: MONITORING
>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:39:18 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063953':
>>>> status: MONITORING
>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:39:52 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528064145':
>>>> status: MONITORING
>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:41:44 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> track: yes
>>>> auto-renew: yes
>>>> ###
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:
>>>>
>>>>>
>>>>> Then you have to start services manually, I don't know if the same
>>>>> steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>>
>>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>>
>>>>> Oh I forgot to add that my version of ipa is quite old :
>>>>> ###
>>>>> # rpm -qa | grep ipa-server
>>>>> ipa-server-3.0.0-25.el6.x86_64
>>>>> ###
>>>>>
>>>>> When I try the command you gave me I got the following error :
>>>>> ###
>>>>> # ipactl start --force
>>>>> Usage: ipactl start|stop|restart|status
>>>>>
>>>>>
>>>>> ipactl: error: no such option: --force
>>>>> ###
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>>
>>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>>
>>>>>> Hello !
>>>>>>
>>>>>> I send you this mail because I cannot restart my test IPA server.
>>>>>>
>>>>>> When I try to start it with service ipa start, I got the following
>>>>>> error message :
>>>>>> ###
>>>>>> # service ipa start
>>>>>> Starting Directory Service
>>>>>> Starting dirsrv:
>>>>>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>> [ OK ]
>>>>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>> [ OK ]
>>>>>> Starting KDC Service
>>>>>> Starting Kerberos 5 KDC: [ OK ]
>>>>>> Starting KPASSWD Service
>>>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>>>> Starting MEMCACHE Service
>>>>>> Starting ipa_memcached: [ OK ]
>>>>>> Starting HTTP Service
>>>>>> Starting httpd: [FAILED]
>>>>>> Failed to start HTTP Service
>>>>>> Shutting down
>>>>>> Stopping Kerberos 5 KDC: [ OK ]
>>>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>>>> Stopping ipa_memcached: [ OK ]
>>>>>> Stopping httpd: [FAILED]
>>>>>> Stopping pki-ca: [ OK ]
>>>>>> Shutting down dirsrv:
>>>>>> <MYREALM>... [ OK ]
>>>>>> PKI-IPA... [ OK ]
>>>>>> Aborting ipactl
>>>>>>
>>>>>> # service ipa status
>>>>>> Directory Service: STOPPED
>>>>>> Failed to get list of services to probe status:
>>>>>> Directory Server is stopped
>>>>>> ###
>>>>>>
>>>>>> Do you know how to renew the SSL certificate used for the IPA Server ?
>>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> Bahan
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> please run
>>>>>>
>>>>>> # ipactl start --force
>>>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>>>> cert (or to get more info why it has not been renewed))
>>>>>>
>>>>>> If getcert does work (I'm not sure if it is able to work without
>>>>>> httpd), you probably need to move time back to past where cert is valid,
>>>>>> start IPA and try again.
>>>>>>
>>>>>> Please find ID outdated certificate and try resubmit it (CA and DS
>>>>>> must be running)
>>>>>>
>>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>>
>>>>>> This should renew cert, check status with getcert list
>>>>>>
>>>>>> Move time back to future (if needed)
>>>>>>
>>>>>> Try to restart IPA
>>>>>>
>>>>>> Martin^2
>>>>>>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
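
As an added example (not part of the thread and not certmonger or FreeIPA code), a small Python parser for `getcert list` output in the layout quoted above, listing the tracked requests that are expired, stuck or not in MONITORING state. The sample text is constructed, with a placeholder realm, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the `getcert list` output quoted in the
# thread (abridged; the realm in the dirsrv path is a placeholder).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063906':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-05-28 06:39:18 UTC
Request ID '20140528064145':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-05-28 06:41:44 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests, now):
    """Return (id, location, reasons) for expired, stuck or failing requests."""
    findings = []
    for req in requests:
        reasons = []
        exp = req.get("expires")  # absent while no certificate has been issued yet
        if exp and datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc) <= now:
            reasons.append("expired")
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "?"))
        if reasons:
            loc = re.search(r"location='([^']+)'", req.get("key pair storage", ""))
            findings.append((req["id"], loc.group(1) if loc else None, reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 9, 14, 16, 0, tzinfo=timezone.utc)  # day of the thread
    for rid, location, reasons in needs_attention(parse_getcert_list(SAMPLE), now):
        print(rid, location, ", ".join(reasons))
```

Passing a `now` earlier than the expiry dates shows what certmonger would report with the clock moved back: the expired flag clears, while a stuck or CA_UNREACHABLE request is still listed.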