[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-02 Thread Fraser Tweedale via FreeIPA-devel
On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
> Petr Vobornik via FreeIPA-devel wrote:
> > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale  wrote:
> >> Hi devs,
> >>
> >> This is at least the second time recently that people needing to
> >> renew service certificates used ``ipa-cacert-manage renew`` (the
> >> wrong command) and either didn't solve the problem or got into a
> >> deeper mess.
> >>
> >> Clearly we have a usability problem here.
> >>
> >> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
> >> prominent statement that it doesn't renew service certs and if
> >> that's all the user needs to do, to use `getcert resubmit` instead.
> > 
> > Right, I think that a lot of people don't understand certificates well
> > and so they don't distinguish CA cert and other cert. So when they see
> > a howto for "CA certificate renewal" they understand "certificate
> > renewal".
> > 
> > From that perspective another possible culprit is also the page:
> >   https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> > 
> >>
> >> But I think better would be to enhance `ipa-cacert-manage renew` to
> >> inspect the current CA certificate and if it has, say, more than 75%
> >> of its validity period still to go, to PROMPT the user to confirm
> >> that renewing the *CA* certificate is really what they wanted to do.
> >>
> >> What do others think of this idea?
> > 
> > I like the idea.
> 
> Honestly, I'd be even harsher. IMHO this is one of those times that
> requires:
> 
> Are you sure? (yes/NO)
> 
> Are you really sure? (yes/NO)
> 
> Really, you want to renew the CA certificate and not some other
> certificate? This is not something to be done lightly? (yes/NO)
> 
> 
> 
> rob
>
OK, I've filed tickets:

- https://pagure.io/freeipa/issue/7084 (update command with prompts)
- https://pagure.io/freeipa/issue/7085 (manpage)

Thanks,
Fraser
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
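The validity check and the escalating confirmation proposed in this thread, written out as an added example; this is not code from the original messages or from ipa-cacert-manage, and the 75% threshold, the prompt wording, the ISO-string date handling and the `ask` callable are assumptions of the example:

```python
"""Renewal guard for a CA-certificate tool, as proposed in the thread: when
most of the CA cert's validity period is still to go, make the operator
confirm that renewing the *CA* certificate (not a service cert) is intended.

Added example, not ipa-cacert-manage code. notBefore/notAfter are assumed to
have been read from the CA certificate already; dates below are constructed.
"""
from datetime import datetime, timezone

PROMPT_THRESHOLD = 0.75  # fraction of validity still to go, from the proposal

# Rob's escalating questions; the capitalised NO marks the default answer.
ESCALATING_PROMPTS = (
    "Are you sure? (yes/NO) ",
    "Are you really sure? (yes/NO) ",
    "Really, you want to renew the CA certificate and not some other "
    "certificate? This is not something to be done lightly. (yes/NO) ",
)


def _utc(value):
    """Accept a datetime or ISO 'YYYY-MM-DD[THH:MM:SS]' string; naive means UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def validity_remaining(not_before, not_after, now=None):
    """Fraction in [0.0, 1.0] of the validity period still ahead at `now`.

    A clock set earlier than notBefore (the thread's rolled-back servers)
    counts as the whole period still to go; an expired cert counts as 0.0.
    """
    not_before, not_after = _utc(not_before), _utc(not_after)
    now = _utc(now) if now is not None else datetime.now(timezone.utc)
    total = (not_after - not_before).total_seconds()
    if total <= 0:
        raise ValueError("notAfter must be later than notBefore")
    return min(1.0, max(0.0, (not_after - now).total_seconds() / total))


def needs_confirmation(not_before, not_after, now=None,
                       threshold=PROMPT_THRESHOLD):
    """True when renewing now is unusual enough to ask the operator first."""
    return validity_remaining(not_before, not_after, now) > threshold


def confirm(ask, prompts=ESCALATING_PROMPTS):
    """Put each question to `ask` (input() in a real tool) in turn; only an
    explicit 'yes' to every one passes, any other answer (including the
    empty default) aborts at once."""
    for prompt in prompts:
        if ask(prompt).strip().lower() != "yes":
            return False
    return True


def ca_renewal_allowed(not_before, not_after, ask, now=None):
    """Decision for a `renew` subcommand: proceed silently when the CA cert is
    near the end of its life, otherwise only after every prompt is confirmed."""
    if not needs_confirmation(not_before, not_after, now):
        return True
    return confirm(ask)
```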


[Freeipa-devel] [freeipa PR#955][opened] host_port_open: revert to old behavior where one iface is sufficient

2017-08-02 Thread pvoborni via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/955
Author: pvoborni
 Title: #955: host_port_open: revert to old behavior where one iface is sufficient
Action: opened

PR body:
"""
Commit a24cd01304aaef77b66d0e178585c9ec8bbce9b5

Changed behavior of host_port_open to require all discovered interfaces to
be listening on the port.

But usage of host_port_open function in wait_for_open_ports function which is
indirectly used from service.start might be still ok with only one interface.

Requiring all interfaces might then cause an issue (waiting till timeout) in the
IPA upgrader in specific DNS or network setups.

https://pagure.io/freeipa/issue/7083
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/955/head:pr955
git checkout pr955
From f5a11c38d26a01a4e15bf61f2094a78de5a5561c Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 2 Aug 2017 17:52:58 +0200
Subject: [PATCH] host_port_open: revert to old behavior where one iface is
 sufficient

Commit https://pagure.io/freeipa/c/a24cd01304aaef77b66d0e178585c9ec8bbce9b5

Changed behavior of host_port_open to require all discovered interfaces to
be listening on the port.

But usage of host_port_open function in wait_for_open_ports function which is
indirectly used from service.start might be still ok with only one interface.

Requiring all interfaces might then cause an issue in the IPA upgrader in specific
DNS or network setups.

https://pagure.io/freeipa/issue/7083
---
 install/tools/ipa-replica-conncheck |  3 ++-
 ipapython/ipautil.py| 13 -
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 9b92de3f66..3835548e98 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -382,7 +382,8 @@ def port_check(host, port_list):
 try:
 port_open = ipautil.host_port_open(
 host, port.port, port.port_type,
-socket_timeout=CONNECT_TIMEOUT, log_errors=True)
+socket_timeout=CONNECT_TIMEOUT, log_errors=True,
+check_all_ifaces=True)
 except socket.gaierror:
 raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 if port_open:
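Review bot: `check_all_ifaces=True` keeps ipa-replica-conncheck on the strict all-addresses check, but it is the only caller touched while the default flips to any-one-address for every other caller; the commit message says `wait_for_open_ports` is fine with one interface, so list the remaining `host_port_open` callers there (or pass the flag explicitly where strictness matters) so a reviewer can see that none of them silently lost the stricter check introduced in a24cd01.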
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 1bb48d4fc2..6e61cad66b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -959,14 +959,16 @@ def user_input(prompt, default = None, allow_empty = True):
 
 
 def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
-   socket_timeout=None, log_errors=False):
+   socket_timeout=None, log_errors=False,
+   check_all_ifaces=False):
 """
 host: either hostname or IP address;
   if hostname is provided, port MUST be open on ALL resolved IPs
 
 returns True is port is open, False otherwise
 """
-port_open = True
+all_open = True
+some_open = False
 
 # port has to be open on ALL resolved IPs
 for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
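Review bot: the docstring line `if hostname is provided, port MUST be open on ALL resolved IPs` and the comment `# port has to be open on ALL resolved IPs` are now only true when `check_all_ifaces=True`; update both to describe the default any-one-address behaviour and the new parameter, otherwise the next reader assumes exactly the strict semantics this change removes.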
@@ -983,9 +985,10 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
 if socket_type == socket.SOCK_DGRAM:
 s.send('')
 s.recv(512)
-except socket.error:
-port_open = False
 
+some_open = True
+except socket.error:
+all_open = False
 if log_errors:
 msg = ('Failed to connect to port %(port)d %(proto)s on '
'%(addr)s' % dict(port=port,
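Review bot: with `check_all_ifaces=False` the loop keeps probing every remaining address after `some_open = True` has already decided the result, and each later failure still takes the `if log_errors:` branch and emits a 'Failed to connect to port ...' message for an outcome the function then reports as success; consider breaking out of the loop once `some_open` is set in the permissive mode, or only logging when the failure actually affects the return value.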
@@ -1002,7 +1005,7 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
 if s is not None:
 s.close()
 
-return port_open
+return all_open if check_all_ifaces else some_open
 
 
 def reverse_record_exists(ip_address):
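Review bot: the two modes disagree on the vacuous case in `return all_open if check_all_ifaces else some_open`: should `socket.getaddrinfo` yield no addresses, the loop body never runs, so strict mode returns `all_open` (initialised `True`) while permissive mode returns `some_open` (`False`). Initialising `all_open` from whether any address was actually probed, or raising explicitly on an empty result, would make both modes consistent.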


[Freeipa-devel] Re: FreeIPA Pull-Request CI is live!

2017-08-02 Thread Tomas Krizek via FreeIPA-devel
On 07/31/2017 12:31 PM, Tomas Krizek via FreeIPA-devel wrote:
> We're currently working on resolving some pressing issues. Once the most
> urgent ones are addressed and the system is more stable and usable, you
> can expect a demo for contributors, describing the work-flow, logs etc.
Hi,

we were able to address the initial issues we ran into and the PR CI
seems to be running smoothly for the time being.

We've also created a demo video [1] for upstream contributors. It
describes the PR CI work-flow and demonstrates how to debug some common
issues.

[1] - https://vimeo.com/228077191

-- 
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869






[Freeipa-devel] [freeipa PR#952][closed] tasks: remove str on bytes

2017-08-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/952
Author: stlaz
 Title: #952: tasks: remove str on bytes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/952/head:pr952
git checkout pr952


[Freeipa-devel] [freeipa PR#941][closed] Enable replica installation on DL0

2017-08-02 Thread pvomacka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/941
Author: stlaz
 Title: #941: Enable replica installation on DL0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/941/head:pr941
git checkout pr941


[Freeipa-devel] [freeipa PR#938][closed] client: make ipa-client-install py3 compatible

2017-08-02 Thread pvomacka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/938
Author: stlaz
 Title: #938: client: make ipa-client-install py3 compatible
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/938/head:pr938
git checkout pr938


[Freeipa-devel] [freeipa PR#954][opened] py3 conncheck + service plugin fixes

2017-08-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/954
Author: stlaz
 Title: #954: py3 conncheck + service plugin fixes
Action: opened

PR body:
"""
commit 09942d0268f02ed15df5f7f3aad3220196c5a41c (HEAD -> py3-conncheck, private/py3-conncheck)
Author: Stanislav Laznicka 
Date:   Wed Aug 2 16:05:16 2017 +0200

conncheck: fix progression on failure

traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.

https://pagure.io/freeipa/issue/4985

commit fe820cbc1f3469150ab90af401b119d5d316f3ab
Author: Stanislav Laznicka 
Date:   Wed Aug 2 15:59:39 2017 +0200

kerberos: fix sorting Principal objects

When service-find was issued under Python 3, the command fails
because it tried to sort a list of Principal objects which was not
possible.

https://pagure.io/freeipa/issue/4985

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/954/head:pr954
git checkout pr954
From fe820cbc1f3469150ab90af401b119d5d316f3ab Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 2 Aug 2017 15:59:39 +0200
Subject: [PATCH 1/2] kerberos: fix sorting Principal objects

When service-find was issued under Python 3, the command fails
because it tried to sort a list of Principal objects which was not
possible.

https://pagure.io/freeipa/issue/4985
---
 ipapython/kerberos.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipapython/kerberos.py b/ipapython/kerberos.py
index 9b02790bed..21f81de207 100644
--- a/ipapython/kerberos.py
+++ b/ipapython/kerberos.py
@@ -93,6 +93,18 @@ def __eq__(self, other):
 def __ne__(self, other):
 return not self.__eq__(other)
 
+def __lt__(self, other):
+return unicode(self) < unicode(other)
+
+def __le__(self, other):
+return self.__lt__(other) or self.__eq__(other)
+
+def __gt__(self, other):
+return not self.__le__(other)
+
+def __ge__(self, other):
+return self.__gt__(other) or self.__eq__(other)
+
 def __hash__(self):
 return hash(self.components + (self.realm,))
 
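Review bot: `__lt__` compares `unicode(self) < unicode(other)` while `__eq__` and `__hash__` (see `__hash__` just below) work on `components` and `realm`, so the two views must agree, and `unicode` has to be bound in this module under Python 3, where the builtin does not exist; also return `NotImplemented` when `other` is not a Principal rather than stringifying an arbitrary object. With `__eq__` and `__lt__` in place, `functools.total_ordering` would generate `__le__`, `__gt__` and `__ge__` and avoid the hand-written chain.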

From 09942d0268f02ed15df5f7f3aad3220196c5a41c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 2 Aug 2017 16:05:16 +0200
Subject: [PATCH 2/2] conncheck: fix progression on failure

traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.

https://pagure.io/freeipa/issue/4985
---
 install/tools/ipa-replica-conncheck | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 15e45e0a2f..b8a5dc8d24 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -348,7 +348,7 @@ class PortResponder(threading.Thread):
 logger.debug('%d %s: Started listening', port, proto)
 except socket.error as e:
 logger.warning('%d %s: Failed to bind', port, proto)
-logger.debug("%s", traceback.format_exc(e))
+logger.debug("%s", traceback.format_exc())
 else:
 self._sockets.append(sock)
 
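Review bot: the fix is right, since `traceback.format_exc()`'s positional argument is the `limit`, not an exception, so passing `e` was never meaningful; but `logger.debug("%s", traceback.format_exc())` can be folded into the warning above as `logger.warning('%d %s: Failed to bind', port, proto, exc_info=True)`, which records the same traceback at one log call without calling into `traceback` from a thread's except block.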


[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-02 Thread Rob Crittenden via FreeIPA-devel
Petr Vobornik via FreeIPA-devel wrote:
> On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale  wrote:
>> Hi devs,
>>
>> This is at least the second time recently that people needing to
>> renew service certificates used ``ipa-cacert-manage renew`` (the
>> wrong command) and either didn't solve the problem or got into a
>> deeper mess.
>>
>> Clearly we have a usability problem here.
>>
>> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
>> prominent statement that it doesn't renew service certs and if
>> that's all the user needs to do, to use `getcert resubmit` instead.
> 
> Right, I think that a lot of people don't understand certificates well
> and so they don't distinguish CA cert and other cert. So when they see
> a howto for "CA certificate renewal" they understand "certificate
> renewal".
> 
> From that perspective another possible culprit is also the page:
>   https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> 
>>
>> But I think better would be to enhance `ipa-cacert-manage renew` to
>> inspect the current CA certificate and if it has, say, more than 75%
>> of its validity period still to go, to PROMPT the user to confirm
>> that renewing the *CA* certificate is really what they wanted to do.
>>
>> What do others think of this idea?
> 
> I like the idea.

Honestly, I'd be even harsher. IMHO this is one of those times that
requires:

Are you sure? (yes/NO)

Are you really sure? (yes/NO)

Really, you want to renew the CA certificate and not some other
certificate? This is not something to be done lightly? (yes/NO)



rob
> 
> 
>>
>> Cheers,
>> Fraser
>>
>> On Tue, Aug 01, 2017 at 05:22:53PM +0200, Florence Blanc-Renaud via 
>> FreeIPA-users wrote:
>>> On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
>>>> Hello everyone,
>>>>
>>>> I'm running FreeIPA 4.4 (as shipped with current CentOS 7).  I had a
>>>> series of unfortunate events which resulted in the entire cluster being
>>>> offline for a matter of a couple weeks during which the certificate in
>>>> /etc/httpd/alias expired.  I rolled back the clocks on all of the servers
>>>> in the cluster and started them successfully, however, the certificates in
>>>> /etc/httpd/alias did not get renewed.  Is there a process that
>>>> automatically handles this or was I supposed to be maintaining that?
>>>>
>>>> Additionally, based on:
>>>>
>>>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>>
>>>> ...I ran "ipa-cacert-manage renew" on my CA in a hope that that would
>>>> trigger renewals across the boards, but now it appears that only the CA
>>>> was updated as none of the server certificates were re-issued and are now
>>>> all untrusted (I can't do "kinit admin" any longer as my realm is now
>>>> down).  Is there any chance of rolling that back or issuing new certs to
>>>> get things going again?
>>>>
>>> Hi,
>>>
>>> ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP
>>> server certificates.
>>> When IPA is using an embedded CA, the LDAP and HTTP server certificates
>>> should be automatically renewed thanks to certmonger. If the automatic
>>> renewal did not happen, you can check:
>>> - if the certificates are indeed tracked by certmonger
>>>   sudo getcert list -n Server-Cert
>>>   The tool should output one cert for HTTP (in /etc/httpd/alias) and one for
>>> LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need
>>> to use getcert start-tracking to track them.
>>> - if they are tracked but not renewed, check the journal for certmonger
>>> messages. Certmonger should log a message when a certificate is nearing its
>>> expiration, and another message when the renewal succeeded.
>>>
>>> When the certificates are expired, the method is to stop ntpd, go back in
>>> time to a date where the certs were still valid, then manually trigger the
>>> renewal using getcert resubmit -i . In case of errors, examine the
>>> journal logs and try to fix the issue, then relaunch getcert resubmit. Once
>>> the renewal succeeds, getcert list shows the cert status as MONITORING and
>>> you can restart ntpd.
>>>
>>> This blog [1] provides a few examples of issues and their resolution
>>>
>>> HTH,
>>> Flo
>>>
>>> [1] 
>>> https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
>>>
>>>> If I have to start over, that is certainly an option.  I'm just trying to
>>>> get a better understanding of what I should have been doing to avoid this
>>>> situation in the first place.
>>>>
>>>> Thanks,
>>>>
>>>> j
>>>> ___
>>>> FreeIPA-users mailing list -- freeipa-us...@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>
> 
> 
> 

[Freeipa-devel] [freeipa PR#953][opened] [master] WebUI: Turn on pagination on certificate page

2017-08-02 Thread pvomacka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/953
Author: pvomacka
 Title: #953: [master] WebUI: Turn on pagination on certificate page
Action: opened

PR body:
"""
Almost all other search tables use pagination. Only this one does not.
This change makes WebUI more consistent.

https://pagure.io/freeipa/issue/6079
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/953/head:pr953
git checkout pr953
From 39bc12c3aee2e48d310aa10ba85c2fc0e35d3aa3 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 25 Jul 2017 16:49:36 +0200
Subject: [PATCH] WebUI: Turn on pagination on certificate page

Almost all other search tables use pagination. Only this one does not.
This change makes WebUI more consistent.

https://pagure.io/freeipa/issue/6079
---
 install/ui/src/freeipa/certificate.js | 6 +-
 install/ui/src/freeipa/facet.js   | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index 0cb43c718f..2168505ed4 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -1647,7 +1647,11 @@ return {
 facet_groups: [exp.facet_group],
 facet_group: 'certificates',
 additional_navigation_arguments: [ 'cacn' ],
-pagination: false,
+command_options: { all: true },
+dont_call_show_method: true,
+search_all_entries: true,
+sort_enabled: false,
+show_values_with_dup_key: true,
 no_update: true,
 columns: [
 {
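Review bot: dropping `pagination: false` while adding `search_all_entries: true` and `command_options: { all: true }` means every matching certificate is now fetched with all attributes in one cert-find call and paged client-side; say so in the commit message, since on a CA with many certificates that is a much heavier request than the previous single page, and `show_values_with_dup_key: true` needs a comment saying which duplicate keys are expected in this table.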
diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js
index 2bf5b96289..16bc0bd365 100644
--- a/install/ui/src/freeipa/facet.js
+++ b/install/ui/src/freeipa/facet.js
@@ -2180,7 +2180,7 @@ exp.table_facet = IPA.table_facet = function(spec, no_init) {
 return;
 }
 
-if (that.search_all_entries) {
+if (that.search_all_entries && !that.pagination) {
 // map contains the primary keys and the complete records
 that.load_records(records_map.values);
 return;
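Review bot: `if (that.search_all_entries && !that.pagination)` changes behaviour for every table facet that sets `search_all_entries`, not only the certificate one; the comment `// map contains the primary keys and the complete records` now describes only the non-paginated branch, so extend it to say that with pagination on the records fall through to the paged loading path below, and check that the other `search_all_entries` facets still get the records they expect.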


[Freeipa-devel] [DESIGN DRAFT] IPA client installation with Ansible

2017-08-02 Thread Florence Blanc-Renaud via FreeIPA-devel

Hi all,

The first version of a new design document is available at 
https://www.freeipa.org/page/V4/ClientInstallationWithAnsible


The feature will allow deploying IPA clients using Ansible. Please feel 
free to send your comments, suggestions or concerns.


Thanks,
Flo


[Freeipa-devel] [freeipa PR#952][opened] tasks: remove str on bytes

2017-08-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/952
Author: stlaz
 Title: #952: tasks: remove str on bytes
Action: opened

PR body:
"""
This enables ipa-certupdate to be run in Python 3

https://pagure.io/freeipa/issue/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/952/head:pr952
git checkout pr952
From 34e57884fa8d8c2973b6574041941ba4a9b7418e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 2 Aug 2017 10:34:56 +0200
Subject: [PATCH] tasks: remove str on bytes

This enables ipa-certupdate to be run in Python 3

https://pagure.io/freeipa/issue/4985
---
 ipaplatform/redhat/tasks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index cc52c6c5f0..a4329656cb 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -298,7 +298,8 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 obj += "trusted: true\n"
 elif trusted is False:
 obj += "x-distrusted: true\n"
-obj += "{pem}\n\n".format(pem=cert.public_bytes(x509.Encoding.PEM))
+obj += "{pem}\n\n".format(
+pem=cert.public_bytes(x509.Encoding.PEM).encode('ascii'))
 f.write(obj)
 
 if ext_key_usage is not None and public_key_info not in has_eku:
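Review bot: `cert.public_bytes(x509.Encoding.PEM).encode('ascii')` fails on Python 3, the interpreter this change is meant to enable: `public_bytes` already returns bytes and bytes has no `.encode`, so this raises AttributeError (on Python 2 it only works because `str.encode` implicitly decodes first). Since `obj` is a text string being built with `.format`, the call wanted is `.decode('ascii')`.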


[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-02 Thread Petr Vobornik via FreeIPA-devel
On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale  wrote:
> Hi devs,
>
> This is at least the second time recently that people needing to
> renew service certificates used ``ipa-cacert-manage renew`` (the
> wrong command) and either didn't solve the problem or got into a
> deeper mess.
>
> Clearly we have a usability problem here.
>
> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
> prominent statement that it doesn't renew service certs and if
> that's all the user needs to do, to use `getcert resubmit` instead.

Right, I think that a lot of people don't understand certificates well
and so they don't distinguish CA cert and other cert. So when they see
a howto for "CA certificate renewal" they understand "certificate
renewal".

From that perspective another possible culprit is also the page:
  https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

>
> But I think better would be to enhance `ipa-cacert-manage renew` to
> inspect the current CA certificate and if it has, say, more than 75%
> of its validity period still to go, to PROMPT the user to confirm
> that renewing the *CA* certificate is really what they wanted to do.
>
> What do others think of this idea?

I like the idea.


>
> Cheers,
> Fraser
>
> On Tue, Aug 01, 2017 at 05:22:53PM +0200, Florence Blanc-Renaud via 
> FreeIPA-users wrote:
>> On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
>> > Hello everyone,
>> >
>> > I'm running FreeIPA 4.4 (as shipped with current CentOS 7).  I had a 
>> > series of unfortunate events which resulted in the entire cluster being 
>> > offline for a matter of a couple weeks during which the certificate in 
>> > /etc/httpd/alias expired.  I rolled back the clocks on all of the servers 
>> > in the cluster and started them successfully, however, the certificates in 
>> > /etc/httpd/alias did not get renewed.  Is there a process that 
>> > automatically handles this or was I supposed to be maintaining that?
>> >
>> > Additionally, based on:
>> >
>> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>> >
>> > ...I ran "ipa-cacert-manage renew" on my CA in a hope that that would 
>> > trigger renewals across the boards, but now it appears that only the CA 
>> > was updated as none of the server certificates were re-issued and are now 
>> > all untrusted (I can't do "kinit admin" any longer as my realm is now 
>> > down).  Is there any chance of rolling that back or issuing new certs to 
>> > get things going again?
>> >
>> Hi,
>>
>> ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP
>> server certificates.
>> When IPA is using an embedded CA, the LDAP and HTTP server certificates
>> should be automatically renewed thanks to certmonger. If the automatic
>> renewal did not happen, you can check:
>> - if the certificates are indeed tracked by certmonger
>>   sudo getcert list -n Server-Cert
>>   The tool should output one cert for HTTP (in /etc/httpd/alias) and one for
>> LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need
>> to use getcert start-tracking to track them.
>> - if they are tracked but not renewed, check the journal for certmonger
>> messages. Certmonger should log a message when a certificate is nearing its
>> expiration, and another message when the renewal succeeded.
>>
>> When the certificates are expired, the method is to stop ntpd, go back in
>> time to a date where the certs were still valid, then manually trigger the
>> renewal using getcert resubmit -i . In case of errors, examine the
>> journal logs and try to fix the issue, then relaunch getcert resubmit. Once
>> the renewal succeeds, getcert list shows the cert status as MONITORING and
>> you can restart ntpd.
>>
>> This blog [1] provides a few examples of issues and their resolution
>>
>> HTH,
>> Flo
>>
>> [1] 
>> https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
>>
>> > If I have to start over, that is certainly an option.  I'm just trying to 
>> > get a better understanding of what I should have been doing to avoid this 
>> > situation in the first place.
>> >
>> > Thanks,
>> >
>> > j



-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat
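A scripted version of the checklist Flo gives in the quoted reply (is each NSS database tracked by certmonger, is the request in MONITORING, has the certificate expired), written out as an added example that is neither FreeIPA nor certmonger code; the sample `getcert list` output, the 28-day warning window and the field layout are assumptions of the example:

```python
"""Check the certmonger tracking state of the IPA service certificates that
Flo's reply says to verify with ``getcert list -n Server-Cert``.

Added example, not FreeIPA or certmonger code. The sample below is a
constructed ``getcert list`` output in the shape certmonger prints (hosts and
dates invented); the 28-day warning window is an assumption of this script.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: HTTP cert healthy, LDAP cert stuck and already expired.
SAMPLE_GETCERT_LIST = """\
Request ID '20170101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2019-01-01 12:00:00 UTC
Request ID '20170101120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2017-07-15 12:00:00 UTC
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
_FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")
_KV_RE = re.compile(r"(\w+)='([^']*)'")   # key='value' pairs inside a field

# The two NSS databases the thread says getcert should show for an IPA server.
EXPECTED_LOCATIONS = ("/etc/httpd/alias", "/etc/dirsrv/slapd-")
RENEW_WINDOW = timedelta(days=28)


def parse_getcert_list(text):
    """Turn ``getcert list`` output into one dict per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    for rec in records:
        cert = dict(_KV_RE.findall(rec.get("certificate", "")))
        rec["location"] = cert.get("location")
        rec["nickname"] = cert.get("nickname")
        expires = rec.get("expires")
        rec["expires_at"] = None if expires is None else datetime.strptime(
            expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return records


def check_server_certs(records, now):
    """Return findings to act on (empty list = healthy); `now` is an aware
    datetime or a 'YYYY-MM-DD' string, handy when replaying saved output."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    findings = []
    # untracked NSS database: the thread's "getcert start-tracking" case
    for prefix in EXPECTED_LOCATIONS:
        if not any((r["location"] or "").startswith(prefix) for r in records):
            findings.append("%s*: not tracked, use getcert start-tracking" % prefix)
    for r in records:
        tag = "%s (request %s)" % (r["location"], r["request_id"])
        # anything but MONITORING means: read the journal, then resubmit
        if r.get("status") != "MONITORING":
            findings.append("%s: status %s, check the certmonger journal and "
                            "getcert resubmit" % (tag, r.get("status")))
        if r.get("stuck") == "yes":
            findings.append("%s: request is stuck" % tag)
        exp = r["expires_at"]
        if exp is None:
            findings.append("%s: no expiry recorded" % tag)
        elif exp <= now:
            findings.append("%s: expired on %s" % (tag, exp.date()))
        elif exp - now <= RENEW_WINDOW:
            findings.append("%s: expires within %d days" % (tag, RENEW_WINDOW.days))
    return findings
```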


[Freeipa-devel] [freeipa PR#951][opened] server plugin: pass bytes to ldap.modify_s

2017-08-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/951
Author: stlaz
 Title: #951: server plugin: pass bytes to ldap.modify_s
Action: opened

PR body:
"""
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/951/head:pr951
git checkout pr951
From 25514d945951c6e7c98564d86a3c0887be9347f0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 2 Aug 2017 09:47:47 +0200
Subject: [PATCH] server plugin: pass bytes to ldap.modify_s

The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985
---
 ipaserver/plugins/server.py | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index e21c47199f..0a59d67195 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -558,19 +558,19 @@ def _remove_server_principal_references(self, master):
 conn = self.Backend.ldap2
 env = self.api.env
 
-master_principal = "{}@{}".format(master, env.realm)
+master_principal = "{}@{}".format(master, env.realm).encode('utf-8')
 
 # remove replica memberPrincipal from s4u2proxy configuration
 s4u2proxy_subtree = DN(env.container_s4u2proxy,
env.basedn)
 dn1 = DN(('cn', 'ipa-http-delegation'), s4u2proxy_subtree)
-member_principal1 = "HTTP/{}".format(master_principal)
+member_principal1 = b"HTTP/%b" % master_principal
 
 dn2 = DN(('cn', 'ipa-ldap-delegation-targets'), s4u2proxy_subtree)
-member_principal2 = "ldap/{}".format(master_principal)
+member_principal2 = b"ldap/%b" % master_principal
 
 dn3 = DN(('cn', 'ipa-cifs-delegation-targets'), s4u2proxy_subtree)
-member_principal3 = "cifs/{}".format(master_principal)
+member_principal3 = b"cifs/%b" % master_principal
 
 for (dn, member_principal) in ((dn1, member_principal1),
(dn2, member_principal2),
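Review bot: `b"HTTP/%b" % master_principal` (and the `ldap/` and `cifs/` lines below it) uses the `%b` conversion, which exists only for bytes formatting on Python 3.5+; on Python 2, where `b"..."` is a plain str, `%b` raises `ValueError: unsupported format character 'b'`. If this tree still has to run under Python 2, `b"HTTP/%s" % master_principal` or plain concatenation `b"HTTP/" + master_principal` works on both, and the `.encode('utf-8')` on `master_principal` then feeds bytes into all three values.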
___