[Freeipa-users] What is transient error?
https://pagure.io/389-ds-base/pull-request/50072 says: "Transient errors are temporary conditions that usually resolve themselves."

What are those errors, actually? We have some amount of them showing up sometimes. What causes them, and what do they actually affect, or may affect in the future? Can I ignore them in my automated checks at all?

--
With best regards, Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: SOA generation algorithm
Thanks a lot!

On Wed, May 29, 2019 at 4:06 PM Andrey Bondarenko wrote:
> T
>
> On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy wrote:
> > On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
> > > Hello,
> > >
> > > Is the SOA generation algorithm for zones documented anywhere, or does anyone by chance know what it is?
> > >
> > > We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones (with a huge amount of changes). But if I make a change I actually see it on a different IPA.
> > >
> > > Also, restarting IPA increases the SOA by 1.
> > >
> > > We wanted to rely on the SOA in our DNS consistency check, but it seems like it's not a working idea, or is it?
> >
> > If you are not using slave DNS masters on separate servers, then each IPA master with DNS becomes its own authoritative master and has its own (so-called 'locally significant') SOA value. This is the default in an IPA DNS deployment.
> >
> > From bind-dyndb-ldap's README.md:
> >
> > * idnsSOAserial
> >
> >   SOA serial number. It is automatically incremented after each change in LDAP. External changes done by other LDAP clients are detected via RFC 4533 (so-called syncrepl).
> >
> >   If serial number is lower than current UNIX timestamp, then it is set to the timestamp value. If SOA serial is greater or equal to current timestamp, then the serial is incremented by one. (This is equivalent to BIND option 'serial-update-method unix'.)
> >
> >   In multi-master LDAP environments it is recommended to make idnsSOAserial attribute non-replicated (locally significant). It is recommended not to use multiple masters for single slave zone if SOA serial is locally significant because serial numbers between masters aren't synchronized. It will cause problems with zone transfers from multiple masters to single slave.
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
[Freeipa-users] Re: SOA generation algorithm
T

On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy wrote:
> On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > Is the SOA generation algorithm for zones documented anywhere, or does anyone by chance know what it is?
> >
> > We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones (with a huge amount of changes). But if I make a change I actually see it on a different IPA.
> >
> > Also, restarting IPA increases the SOA by 1.
> >
> > We wanted to rely on the SOA in our DNS consistency check, but it seems like it's not a working idea, or is it?
>
> If you are not using slave DNS masters on separate servers, then each IPA master with DNS becomes its own authoritative master and has its own (so-called 'locally significant') SOA value. This is the default in an IPA DNS deployment.
>
> From bind-dyndb-ldap's README.md:
>
> * idnsSOAserial
>
>   SOA serial number. It is automatically incremented after each change in LDAP. External changes done by other LDAP clients are detected via RFC 4533 (so-called syncrepl).
>
>   If serial number is lower than current UNIX timestamp, then it is set to the timestamp value. If SOA serial is greater or equal to current timestamp, then the serial is incremented by one. (This is equivalent to BIND option 'serial-update-method unix'.)
>
>   In multi-master LDAP environments it is recommended to make idnsSOAserial attribute non-replicated (locally significant). It is recommended not to use multiple masters for single slave zone if SOA serial is locally significant because serial numbers between masters aren't synchronized. It will cause problems with zone transfers from multiple masters to single slave.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
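The idnsSOAserial rule quoted from the README in the two replies above, written out in Python so it can be stepped through, together with the check the thread ends up pointing at instead (compare zone content, not locally significant serials). This is an added example, not bind-dyndb-ldap or FreeIPA code; the host names, timestamps and the "restart adds one" event are constructed from the poster's description.

```python
"""The idnsSOAserial update rule from bind-dyndb-ldap's README, plus the
consistency check that survives locally significant serials.
Added example, not bind-dyndb-ldap or FreeIPA code; data is constructed."""


def next_serial(current, now):
    """One LDAP change at UNIX time 'now' on one master.

    Below the timestamp the serial jumps to it; at or above it, +1.
    This is the README rule and BIND's 'serial-update-method unix'.
    """
    return now if current < now else current + 1


def replay(serial, events):
    """Apply a list of UNIX-time events, one serial update each."""
    for t in events:
        serial = next_serial(serial, t)
    return serial


def serials_agree(serial_by_master):
    """The check the poster wanted: same SOA serial on every master."""
    return len(set(serial_by_master.values())) == 1


def records_agree(rrsets_by_master):
    """The check that works with locally significant serials: compare the
    zone content itself (here a set of 'name type rdata' strings)."""
    return len({frozenset(r) for r in rrsets_by_master.values()}) == 1


# Constructed scenario: both masters see the same three LDAP changes inside
# one second (syncrepl delivers them to each), but ipa02 was also restarted
# once, which the poster observed to bump the serial by one.
T0 = 1559137380  # constructed: 2019-05-29 13:43:00 UTC
CHANGES = [T0, T0, T0]


def demo():
    ipa01 = replay(0, CHANGES)
    ipa02 = replay(0, CHANGES + [T0])  # the extra event models the restart
    zone = {"www.example.test A 192.0.2.10",
            "example.test NS ipa01.example.test"}
    return {
        "serials": {"ipa01": ipa01, "ipa02": ipa02},
        "serials_agree": serials_agree({"ipa01": ipa01, "ipa02": ipa02}),
        "records_agree": records_agree({"ipa01": zone, "ipa02": set(zone)}),
    }


if __name__ == "__main__":
    print(demo())
```

With three changes in the same second the first jumps the serial to the timestamp and the next two add one each, so every master that saw the same changes ends up at T0+2; any master-local event (the restart the poster observed) adds one more and the serials diverge even though the zone data is identical. That is why a consistency check has to compare record sets (or serve the zone from one master to real slaves) rather than compare SOA serials.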
[Freeipa-users] SOA generation algorithm
Hello,

Is the SOA generation algorithm for zones documented anywhere, or does anyone by chance know what it is?

We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones (with a huge amount of changes). But if I make a change I actually see it on a different IPA.

Also, restarting IPA increases the SOA by 1.

We wanted to rely on the SOA in our DNS consistency check, but it seems like it's not a working idea, or is it?
[Freeipa-users] Everyone is disabled in UI
Hi,

My IPA shows every user as "disabled" when in the UI I go to the user's page. Also the password policy fields are empty, and if I fill in something new like a phone number it's not showing up in the UI after I save it. But in the CLI everything is correct and shown. The users list also shows everyone as "enabled".

Has anyone seen something like this?

Version: 4.6.4-10
CentOS 7
[Freeipa-users] Re: Search for certificates
Thanks, I was actually looking for certificates with notAfter within a 20-day period from now. This works, in case someone needs it:

ldapsearch -x -D 'cn=directory manager' -W -b ou=certificateRepository,ou=ca,o=ipaca "(&(certStatus=VALID)(notAfter<=$(date -d "+20 days" "+%Y%m%d00Z"))(notAfter>=$(date "+%Y%m%d00Z")))"

On Mon, Feb 25, 2019 at 4:31 PM Rob Crittenden wrote:
> Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > Are there any possibilities to fetch certificates from the IPA that are (1) valid, (2) will expire in 20 (for example) days?
> >
> > ipa cert-find --validnotafter-to=$(date -d "+20 days" "+%Y-%m-%d")
> >
> > shows revoked certs, unfortunately. Maybe some ldapsearch?
>
> There are limited bind options to the CA repository. This is how you can see the certificate data. Creating a query for your needs should be pretty straightforward.
>
> ldapsearch -x -D 'cn=directory manager' -W -b ou=certificateRepository,ou=ca,o=ipaca
>
> rob
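The same "valid and expiring within N days" query, as an added example that is not the poster's script nor FreeIPA or Dogtag code: it builds the filter with full 14-digit GeneralizedTime bounds and then applies the identical predicate to ldapsearch output offline, which is handy as the alert list for a cron job or to cross-check what the server returned. certStatus and notAfter are the attributes used in the thread; serialno and subjectName are assumed names from Dogtag's certificateRepository schema; the LDIF and the clock value are constructed.

```python
"""Filter for VALID certificates expiring within N days, and an offline
evaluator for 'ldapsearch -LLL' output. Added example, not FreeIPA or Dogtag
code. serialno/subjectName are assumed Dogtag attribute names; data below is
constructed."""
import base64
from datetime import datetime, timedelta, timezone

GT = "%Y%m%d%H%M%SZ"  # GeneralizedTime in its full 14-digit form


def expiring_filter(now, days):
    """Server-side filter: VALID and notAfter inside [now, now + days]."""
    lo = now.strftime(GT)
    hi = (now + timedelta(days=days)).strftime(GT)
    return "(&(certStatus=VALID)(notAfter>=%s)(notAfter<=%s))" % (lo, hi)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, leading-space
    continuation lines, '::' for base64 values, '#' comments."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    if lines:
        entries.append(_entry(lines))
    return entries


def _entry(lines):
    entry = {}
    for line in lines:
        if ":: " in line:
            key, val = line.split(":: ", 1)
            val = base64.b64decode(val).decode("utf-8")
        else:
            key, val = line.split(": ", 1)
        entry.setdefault(key, []).append(val)
    return entry


def expiring(entries, now, days):
    """Client-side version of the predicate: (serial, subject, days_left),
    soonest first. Revoked entries are skipped even if their date fits."""
    hi = now + timedelta(days=days)
    hits = []
    for e in entries:
        if e.get("certStatus", [""])[0] != "VALID":
            continue
        not_after = datetime.strptime(e["notAfter"][0], GT).replace(tzinfo=timezone.utc)
        if now <= not_after <= hi:
            hits.append((e["serialno"][0], e["subjectName"][0], (not_after - now).days))
    return sorted(hits, key=lambda h: h[2])


NOW = datetime(2019, 2, 25, 16, 31, tzinfo=timezone.utc)  # constructed clock

SAMPLE_LDIF = """\
dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
serialno: 7
certStatus: VALID
notAfter: 20190310120000Z
subjectName: CN=web1.example.test,O=EXAMPLE.TEST

dn: cn=8,ou=certificateRepository,ou=ca,o=ipaca
serialno: 8
certStatus: REVOKED
notAfter: 20190301120000Z
subjectName: CN=old.example.test,O=EXAMPLE.TEST

dn: cn=9,ou=certificateRepository,ou=ca,o=ipaca
serialno: 9
certStatus: VALID
notAfter: 20200225000000Z
subjectName: CN=long.example.test,O=EXAMPLE.TEST
"""

if __name__ == "__main__":
    print(expiring_filter(NOW, 20))
    for serial, subject, days in expiring(parse_ldif(SAMPLE_LDIF), NOW, 20):
        print("%s expires in %d days: %s" % (serial, days, subject))
```

The server-side filter and the client-side function agree by construction, so running both is a cheap way to notice when the repository contains notAfter values in a format the ordering match does not compare the way you expect. Binding as cn=directory manager for a monitoring job is worth avoiding if the deployment has an account with read access to the repository instead.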
[Freeipa-users] Search for certificates
Hello,

Are there any possibilities to fetch certificates from the IPA that are (1) valid, (2) will expire in 20 (for example) days?

ipa cert-find --validnotafter-to=$(date -d "+20 days" "+%Y-%m-%d")

shows revoked certs, unfortunately. Maybe some ldapsearch?
[Freeipa-users] Re: Modsecurity for admin account lockout protection
Unfortunately we have to use admin. It seems it does not break the API though; I've used different tests with 'admin' and they all pass. I am looking for the situation where 'admin' is part of the POST as an argument, like it is during the form-based login.

On Wed, Feb 6, 2019 at 2:14 PM Rob Crittenden wrote:
> Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > In a situation where the FreeIPA interface is exposed to the internet, there would be bots trying to brute-force the admin account, which gets it locked. I came up with a modsecurity setting for nss.conf:
> >
> > SecRule ARGS:user "@contains admin" "id:1234,deny,status:403"
> >
> > The admin user is no longer available from the UI, Kerberos login is not affected, CLI and WebUI login for other users are not affected. Can it break something?
>
> It most likely also locks admin out of using the API which would break things if you actually use it.
>
> Note that for the most part [1], if not everywhere, there is nothing special about the user named admin. The admins group holds all the power. So you may be better off adding other users to admins and locking the admin account manually (keep it around just in case and enable only when/if necessary).
>
> rob
>
> [1] I think that as of 4.7 all places where admin was hardcoded are gone. Before some point it was hardcoded in, IIRC, ipa-replica-install somewhere.
[Freeipa-users] Modsecurity for admin account lockout protection
Hello,

In a situation where the FreeIPA interface is exposed to the internet, there would be bots trying to brute-force the admin account, which gets it locked. I came up with a modsecurity setting for nss.conf:

SecRule ARGS:user "@contains admin" "id:1234,deny,status:403"

The admin user is no longer available from the UI, Kerberos login is not affected, CLI and WebUI login for other users are not affected. Can it break something?
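The posted rule next to a tightened version, as an added example for the two messages of this thread; it is neither the poster's final configuration nor anything shipped by FreeIPA. It assumes ModSecurity 2.x is loaded into the Apache instance that serves /ipa (the nss.conf mentioned above on that server), that /ipa/session/login_password is the only place an 'admin' password arrives over HTTP (it is FreeIPA's form-login endpoint), and reuses the poster's rule id 1234.

```apache
# Added example, not the poster's final rule set nor FreeIPA configuration.

# Posted rule. ARGS covers query string and body of every request, and
# @contains is a case-sensitive substring match: it also denies a user named
# "sysadmin" or "admin2" and lets "Admin" through.
#SecRule ARGS:user "@contains admin" "id:1234,deny,status:403"

# Tightened: only the password form login, only an exact case-folded match,
# and logged so that the attempts that would have locked the account stay
# visible in the audit log. The chained rule inherits the deny of the first.
SecRule REQUEST_URI "@beginsWith /ipa/session/login_password" \
    "id:1234,phase:2,deny,status:403,log,msg:'form login as admin blocked',chain"
    SecRule ARGS_POST:user "@streq admin" "t:none,t:lowercase,t:trim"
```

Because the request is refused in phase 2, before mod_auth_gssapi or the IPA login code talks to the KDC, no failed-authentication count accrues for admin and the lockout does not trigger. The rule only covers what reaches Apache: if the KDC itself (port 88) is also reachable from the internet, password guesses against admin arrive there and still count, so Rob's advice to move day-to-day administration to other members of the admins group and keep admin disabled remains the stronger control.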
[Freeipa-users] Re: How to import ca.crt in Chrome
You can try to convert it to some other format, like https://www.sslshopper.com/ssl-converter.html

On Tue, Nov 13, 2018 at 10:58 AM Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
>
> When I import my FreeIPA's ca.crt in Google Chrome I'm getting an error:
> Certification Authority Import Error
> Unable to parse file
>
> How should I import the CERT in Google Chrome (version 71)?
>
> BTW. The import works fine in Firefox (version 53)
> --
> Kees
[Freeipa-users] Re: Deployment without CA
It would create a CSR for you on install.

On Wed, Oct 31, 2018 at 1:22 PM Henrik Johansson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> I am looking at using FreeIPA without CA, using externally signed certificates. Reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also, is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
>
> Regards
> Henrik
[Freeipa-users] ipa-server-install --uninstall damages all the cluster
Hello,

Just want to share what is a known issue in our cluster:

1 - install a new replica
2 - the install of the replica fails for any reason (in my case it was because I am unable to set the server which custodia uses on the ipa-server-install command line)
3 - ipa-server-install --uninstall
4 - RUVs from 1970--00-00 and slapd's eating all the CPU they have.

So the correct way is always to clean up the failed replica from the cluster first, not to use --uninstall.

It's CentOS 7.5.
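The stale RUV elements the message describes can be spotted before they cost CPU. As an added example (not FreeIPA or 389-ds code), here is a decoder for the nsds50ruv values of a replica's RUV tombstone that flags elements whose host is no longer in the topology or whose CSNs are absent or all-zero (the entries tools render as a 1970 date). The RUV element and CSN layout is the one 389-ds documents; the host names, replica ids and values below are constructed.

```python
"""Decode 389-ds RUV (nsds50ruv) values and flag elements left behind by a
replica that was uninstalled instead of removed from the topology.
Added example, not FreeIPA or 389-ds code; sample data is constructed."""
import re
from datetime import datetime, timezone

# {replica <rid> ldap://host:port} <min CSN> <max CSN>; the CSNs may be absent
# on an element that never replicated anything.
RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}"
    r"(?: (?P<min>[0-9a-f]{20}))?(?: (?P<max>[0-9a-f]{20}))?"
)


def decode_csn(csn):
    """CSN = 8 hex chars UNIX time, 4 sequence, 4 replica id, 4 subsequence."""
    ts = int(csn[0:8], 16)
    return {
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(values):
    """Turn the attribute's values into dicts; the {replicageneration}
    element carries no host and is skipped."""
    out = []
    for v in values:
        m = RUV_RE.match(v)
        if not m:
            continue
        host = m.group("url").split("//", 1)[1].split(":", 1)[0]
        out.append({"rid": int(m.group("rid")), "host": host,
                    "min": m.group("min"), "max": m.group("max")})
    return out


def stale_replicas(values, live_hosts):
    """Replica ids whose host is not in the current topology, or whose max
    CSN is missing or at the epoch (the '1970' entries)."""
    stale = []
    for e in parse_ruv(values):
        never_updated = e["max"] is None or decode_csn(e["max"])["time"].year == 1970
        if e["host"] not in live_hosts or never_updated:
            stale.append(e["rid"])
    return sorted(stale)


# Constructed sample: two healthy masters, one that failed mid-install and was
# uninstalled (all-zero CSNs), one that was added but never replicated.
SAMPLE_RUV = [
    "{replicageneration} 5b9a1e3c000000040000",
    "{replica 4 ldap://ipa01.example.test:389} 5b9a1e4f000000040000 5bb61a2b000100040000",
    "{replica 5 ldap://ipa02.example.test:389} 5b9a1f10000000050000 5bb61a2c000000050000",
    "{replica 7 ldap://ipa03.example.test:389} 00000000000000070000 00000000000000070000",
    "{replica 8 ldap://ipa04.example.test:389}",
]
LIVE_HOSTS = {"ipa01.example.test", "ipa02.example.test"}

if __name__ == "__main__":
    for e in parse_ruv(SAMPLE_RUV):
        last = decode_csn(e["max"])["time"] if e["max"] else None
        print(e["rid"], e["host"], last)
    print("stale:", stale_replicas(SAMPLE_RUV, LIVE_HOSTS))
```

Live values come from `ipa-replica-manage list-ruv`, or from an ldapsearch against the suffix for the RUV tombstone (filter `(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))`, attribute `nsds50ruv`). A flagged id whose host is really gone is removed with `ipa-replica-manage clean-ruv <rid>`; do that only after the failed server has been deleted from the topology, otherwise the next replication session re-creates the element.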
[Freeipa-users] Re: Multiple CA certs
Awesome, thanks!

On Mon, Oct 15, 2018 at 5:27 PM Rob Crittenden wrote:
> Andrey Bondarenko wrote:
> > Thank you!
> >
> > > You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.
> >
> > But those certs are located not only in LDAP, am I correct? Wouldn't I break the consistency of the IPA if I ldapdelete them?
>
> Re-run ipa-certupdate to refresh local files/NSS databases.
>
> rob
>
> > On Mon, Oct 15, 2018 at 4:52 PM Rob Crittenden wrote:
> > > Andrey Bondarenko via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > after some tests with Letsencrypt on my test env DEVDOMAN.COM I have something like this:
> > > > ipa-replica-install --mkhomedir --setup-ca --setup-dns --auto-forwarders -p password
> > > >
> > > > Successfully retrieved CA cert
> > > > Subject: CN=Certificate Authority,O=DEVDOMAIN.COM
> > > > Issuer: CN=Certificate Authority,O=DEVDOMAIN.COM
> > > > Valid From: 2018-09-27 12:48:51
> > > > Valid Until: 2038-09-27 12:48:51
> > > >
> > > > Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > > > Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > > > Valid From: 2000-09-30 21:12:19
> > > > Valid Until: 2021-09-30 14:01:15
> > > >
> > > > Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> > > > Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > > > Valid From: 2016-03-17 16:40:46
> > > > Valid Until: 2021-03-17 16:40:46
> > > >
> > > > (2) and (3) should be deleted.
> > >
> > > Ok, unfortunately there is no remove option in cacert-manage :-( (there is an RFE for it).
> > >
> > > You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.
> > >
> > > You will find them in cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
> > >
> > > rob
> > >
> > > > On Fri, Oct 12, 2018 at 9:49 PM Rob Crittenden wrote:
> > > > > Andrey Bondarenko via FreeIPA-users wrote:
> > > > > > Hello,
> > > > > >
> > > > > > If anyone can point me in the right direction how to remove CA certs I don't need from the FreeIPA safely?
> > > > >
> > > > > Remove from where? How were they added?
> > > > >
> > > > > rob
[Freeipa-users] Re: Multiple CA certs
Thank you!

> You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.

But those certs are located not only in LDAP, am I correct? Wouldn't I break the consistency of the IPA if I ldapdelete them?

On Mon, Oct 15, 2018 at 4:52 PM Rob Crittenden wrote:
> Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > after some tests with Letsencrypt on my test env DEVDOMAN.COM I have something like this:
> > ipa-replica-install --mkhomedir --setup-ca --setup-dns --auto-forwarders -p password
> >
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=DEVDOMAIN.COM
> > Issuer: CN=Certificate Authority,O=DEVDOMAIN.COM
> > Valid From: 2018-09-27 12:48:51
> > Valid Until: 2038-09-27 12:48:51
> >
> > Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > Valid From: 2000-09-30 21:12:19
> > Valid Until: 2021-09-30 14:01:15
> >
> > Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> > Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
> > Valid From: 2016-03-17 16:40:46
> > Valid Until: 2021-03-17 16:40:46
> >
> > (2) and (3) should be deleted.
>
> Ok, unfortunately there is no remove option in cacert-manage :-( (there is an RFE for it).
>
> You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.
>
> You will find them in cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
>
> rob
>
> > On Fri, Oct 12, 2018 at 9:49 PM Rob Crittenden wrote:
> > > Andrey Bondarenko via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > If anyone can point me in the right direction how to remove CA certs I don't need from the FreeIPA safely?
> > >
> > > Remove from where? How were they added?
> > >
> > > rob
[Freeipa-users] Re: Multiple CA certs
Hello,

after some tests with Letsencrypt on my test env DEVDOMAN.COM I have something like this:

ipa-replica-install --mkhomedir --setup-ca --setup-dns --auto-forwarders -p password

Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DEVDOMAIN.COM
Issuer: CN=Certificate Authority,O=DEVDOMAIN.COM
Valid From: 2018-09-27 12:48:51
Valid Until: 2038-09-27 12:48:51

Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: 2000-09-30 21:12:19
Valid Until: 2021-09-30 14:01:15

Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: 2016-03-17 16:40:46
Valid Until: 2021-03-17 16:40:46

(2) and (3) should be deleted.

On Fri, Oct 12, 2018 at 9:49 PM Rob Crittenden wrote:
> Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > If anyone can point me in the right direction how to remove CA certs I don't need from the FreeIPA safely?
>
> Remove from where? How were they added?
>
> rob
[Freeipa-users] Multiple CA certs
Hello,

Can anyone point me in the right direction on how to safely remove CA certs I don't need from the FreeIPA?
[Freeipa-users] CA private key quick question
Hello,

Do we have the private key on all nodes of the FreeIPA cluster? I am confused by this comment in certs.py:

    create_pkcs12 tells us whether we should create a PKCS#12 file of the CA or not.
    If we are running on a replica then we won't have the private key to make a
    PKCS#12 file so we don't need to do that step.
[Freeipa-users] Re: ipa-ca-install failure with very few info
/var/log/pki/pki-tomcat/ca/debug does not exist, /var/log/pki/pki-ca-spawn-*.log does not show any error, everything is as expected. The signing cert is:

caSigningCert cert-pki-ca    CTu,Cu,Cu

However, it shows it uses /etc/pki/pki-tomcat/ everywhere in the variables, and at the moment /etc/pki/pki-tomcat/ does not exist. Is it expected? Was it there at the stage when ca-spawn was active?

On Mon, Oct 1, 2018 at 2:16 PM Rob Crittenden wrote:
> Andrey Bondarenko via FreeIPA-users wrote:
> > Hello,
> >
> > I have an IPA cluster with several nodes and I have a problem installing there another replica with CA enabled. If I want to add the CA role to one of the nodes:
> >
> > [root@ipa01:~] ipa-ca-install -w SECRET
> > Directory Manager (existing master) password:
> >
> > Run connection check to master
> > Connection check OK
> > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> >   [1/25]: creating certificate server db
> >   [2/25]: setting up initial replication
> > Starting replication, please wait until this has completed.
> > Update in progress, 953 seconds elapsed
> > Update succeeded
> >
> >   [3/25]: creating installation admin user
> >   [4/25]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /mnt/tmp/tmpXX' returned non-zero exit status 1
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > CA configuration failed.
> >
> > In the log file, the only error I see is
> >
> > WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use 'pki_sslserver_nickname' instead.
> > WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use 'pki_sslserver_subject_dn' instead.
> > ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
> >
> > Where should I dig?
>
> You need to look at the dogtag logs, /var/log/pki/pki-ca-spawn-*.log and /var/log/pki/pki-tomcat/ca/debug
>
> rob
[Freeipa-users] Re: Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token
Hi, have you resolved this issue?
[Freeipa-users] ipa-ca-install failure with very few info
Hello,

I have an IPA cluster with several nodes and I have a problem installing there another replica with CA enabled. If I want to add the CA role to one of the nodes:

[root@ipa01:~] ipa-ca-install -w SECRET
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 953 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /mnt/tmp/tmpXX' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

In the log file, the only error I see is

WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use 'pki_sslserver_nickname' instead.
WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use 'pki_sslserver_subject_dn' instead.
ERROR: Unable to access security domain: 503 Server Error: Service Unavailable

Where should I dig?
[Freeipa-users] Re: How to replace a failed CA?
Bret, did you have any luck at the end of the day?