Re: [Freeipa-users] Excessive CPU usage by ns-slapd
On 02/19/2015 12:11 PM, Jim Richard wrote:
> Hi Rich, here's what all 4 of my IPA servers look like right now. You can see that SSO-107's CPU usage is much higher than the other 3 and it spikes to over 100% often. And what I see over time is that the higher and higher CPU usage will happen between two of my four servers: one will drop off and the other increases, and each time this cycle happens, the CPU usage on the one server that is spiking will get a little bit higher. The two servers that show this behavior are SSO-107 and SSO-109.

SSO-107 is almost entirely idle except for 1 thread doing replication updates, and the poll thread. There are 255 descriptors it is polling on.

SSO-109 is entirely idle except for the poll thread. There are 230 descriptors it is polling on.

You might try using top with the ns-slapd process and the 'H' - Threads mode flag. It would be very interesting to see the CPU usage breakdown by thread.

If it is indeed the poll thread that is consuming all of the CPU, there's not much that can be done. CPU usage in the poll thread is a function of the number of connections, but since there is not much difference between 230 and 255, I would not expect a large CPU usage difference between 107 and 109 based solely on number of connections.

Are you seeing timeouts or application failures or poor performance that seems to be due to high CPU usage? If so, and these are virtual machines, you might consider adding more virtual CPUs to give the server more processing power for the worker threads to compensate for monopolization by the poll thread.

> I've attached some more detailed stack trace as well.
> Here's what my replication agreements look like:
>
> [root@sso-107 (NY) ~]$ ipa-replica-manage list
> sso-108.nym1.placeiq.net: master
> sso-110.nym1.placeiq.net: master
> sso-107.nym1.placeiq.net: master
> sso-109.nym1.placeiq.net: master
> [root@sso-107 (NY) ~]$ ipa-replica-manage list sso-107.nym1.placeiq.net
> sso-108.nym1.placeiq.net: replica
> sso-110.nym1.placeiq.net: replica
> [root@sso-107 (NY) ~]$ ipa-replica-manage list sso-108.nym1.placeiq.net
> sso-107.nym1.placeiq.net: replica
> sso-109.nym1.placeiq.net: replica
> [root@sso-107 (NY) ~]$ ipa-replica-manage list sso-109.nym1.placeiq.net
> sso-108.nym1.placeiq.net: replica
> sso-110.nym1.placeiq.net: replica
> [root@sso-107 (NY) ~]$ ipa-replica-manage list sso-110.nym1.placeiq.net
> sso-107.nym1.placeiq.net: replica
> sso-109.nym1.placeiq.net: replica
>
> SSO-107
> top - 15:58:08 up 2 days, 10:00, 1 user, load average: 0.00, 0.03, 0.06
> Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie
> Cpu(s): 12.2%us, 1.1%sy, 0.0%ni, 86.7%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 2952788k total, 2160216k used, 792572k free, 182584k buffers
> Swap: 4094972k total, 0k used, 4094972k free, 678292k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 11615 dirsrv    20   0 2063m 843m  19m S 25.5 29.3 403:53.56 ns-slapd
>
> [root@sso-107 (NY) /var/log/dirsrv/slapd-PLACEIQ-NET]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
> 245
>
> SSO-108
> top - 15:57:26 up 3 days, 17:25, 1 user, load average: 0.03, 0.03, 0.00
> Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie
> Cpu(s): 0.3%us, 0.2%sy, 0.0%ni, 99.4%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 2952788k total, 2200792k used, 751996k free, 182084k buffers
> Swap: 4094972k total, 0k used, 4094972k free, 713848k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 24399 dirsrv    20   0 2055m 819m  19m S  0.8 28.4  54:48.53 ns-slapd
>
> [root@sso-108 (NY) /var/log/dirsrv/slapd-PLACEIQ-NET]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
> 232
>
> SSO-109
> top - 16:00:05 up 4 days, 9:10, 1 user, load average: 0.06, 0.32, 0.35
> Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie
> Cpu(s): 0.7%us, 0.3%sy, 0.0%ni, 98.9%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 2952788k total, 2422572k used, 530216k free, 235472k buffers
> Swap: 4094972k total, 0k used, 4094972k free, 906080k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 22522 dirsrv    20   0 2065m 772m  19m S  1.2 26.8 308:13.07 ns-slapd
>
> [root@sso-109 (NY) ~]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
> 219
>
> SSO-110
> top - 16:07:54 up 14 days, 18:03, 1
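The reply above suggests `top -H` to see the CPU breakdown by thread, and the poster counted socket descriptors with `ls -al /proc/<pid>/fd | grep socket | wc -l`. The script below is an added example, not code from the thread: it reads the same information straight from /proc (the stat-line layout and the /proc paths are the only assumptions; the sample stat lines are constructed, not real ns-slapd data) and adds the figure a diagnosis like "one thread is monopolising the process" needs, the share of the process's CPU ticks held by its busiest thread. It also exposes the caveat a practitioner hits here: a daemon that does not name its threads shows the same comm for every thread, so the TID is what you match against the `top -H` listing.

```python
"""Per-thread CPU and socket-descriptor report for a running process (Linux /proc).

Added example, not code from the thread. Reproduces what `top -H` and
`ls -al /proc/<pid>/fd | grep socket | wc -l` show, plus a concentration figure.
Assumes only the /proc/<pid>/task/<tid>/stat layout; sample lines are constructed.
"""
import os
import time
from typing import List, NamedTuple


class ThreadCpu(NamedTuple):
    tid: int
    comm: str       # kernel thread name (15 chars max); unnamed threads all
                    # show the process name, so the tid is the real key
    cpu_ticks: int  # utime + stime in clock ticks (os.sysconf("SC_CLK_TCK")/s)


def parse_stat_line(line: str) -> ThreadCpu:
    """Parse one /proc/<pid>/task/<tid>/stat line.

    Field 2 (comm) is parenthesised and may contain spaces or ')', so split
    on the LAST ')' instead of on whitespace.
    """
    head, _, tail = line.rpartition(")")
    tid_str, _, comm = head.partition("(")
    fields = tail.split()            # fields[0] is stat field 3 (state)
    utime, stime = int(fields[11]), int(fields[12])  # stat fields 14 and 15
    return ThreadCpu(int(tid_str), comm, utime + stime)


def report_from_lines(lines: List[str]) -> List[ThreadCpu]:
    """Parsed threads, busiest first."""
    return sorted((parse_stat_line(ln) for ln in lines),
                  key=lambda t: t.cpu_ticks, reverse=True)


def _snapshot(pid: int) -> List[ThreadCpu]:
    task_dir = f"/proc/{pid}/task"
    lines = []
    for tid in os.listdir(task_dir):
        try:
            with open(f"{task_dir}/{tid}/stat") as fh:
                lines.append(fh.read().strip())
        except FileNotFoundError:
            continue  # thread exited between listdir() and open()
    return report_from_lines(lines)


def thread_cpu_report(pid: int, interval: float = 0.0) -> List[ThreadCpu]:
    """Cumulative ticks per thread; with interval > 0, only the ticks spent
    during that interval (the rate view `top -H` gives, not lifetime totals)."""
    first = _snapshot(pid)
    if interval <= 0:
        return first
    time.sleep(interval)
    before = {t.tid: t.cpu_ticks for t in first}
    delta = [ThreadCpu(t.tid, t.comm, t.cpu_ticks - before.get(t.tid, 0))
             for t in _snapshot(pid)]
    return sorted(delta, key=lambda t: t.cpu_ticks, reverse=True)


def cpu_concentration(report: List[ThreadCpu]) -> float:
    """Share of the process's CPU ticks held by its single busiest thread.
    Close to 1.0 means one thread (e.g. the poll thread) dominates."""
    total = sum(t.cpu_ticks for t in report)
    return max(t.cpu_ticks for t in report) / total if total else 0.0


def count_socket_fds(pid: int) -> int:
    """Same count as `ls -al /proc/<pid>/fd | grep socket | wc -l`."""
    fd_dir = f"/proc/{pid}/fd"
    count = 0
    for fd in os.listdir(fd_dir):
        try:
            if os.readlink(f"{fd_dir}/{fd}").startswith("socket:"):
                count += 1
        except OSError:
            continue  # descriptor closed while we looked
    return count


# Constructed sample stat lines (first 24 fields of /proc/<pid>/task/<tid>/stat).
# The third shows a comm containing a space and a ')', which naive splitting breaks on.
SAMPLE_STAT_LINES = [
    "11615 (ns-slapd) S 1 11615 11615 0 -1 4202496 10 0 0 0 2400000 30000 0 0 20 0 40 0 1000 0 0",
    "11620 (ns-slapd) S 1 11615 11615 0 -1 4202560 5 0 0 0 1000 200 0 0 20 0 40 0 1000 0 0",
    "11621 (repl (agmt)) S 1 11615 11615 0 -1 4202560 5 0 0 0 80 20 0 0 20 0 40 0 1000 0 0",
]

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    report = thread_cpu_report(pid, interval=1.0)
    print(f"pid {pid}: {count_socket_fds(pid)} socket fds, busiest thread holds "
          f"{cpu_concentration(report):.0%} of CPU over 1s")
    for t in report[:10]:
        print(f"  tid {t.tid:<7} {t.comm:<16} {t.cpu_ticks} ticks")
```

Run it as `python3 thread_report.py $(cat /var/run/dirsrv/slapd-INSTANCE.pid)` on the busy server and compare the top TIDs against the `top -H` listing; a concentration near 100% over a one-second interval is the "one thread is monopolising" case the reply describes.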
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hey guys, for what it's worth, I spent a couple weeks working with Endi Sukma Dewata, edew...@redhat.com, "Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail". Unfortunately my post subject was not accurate, but in fact I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up OK, but upon attempting to migrate the PKI stuff with the new LDAP schema etc., it just fails...

In the end we couldn't figure it out; basically had to just give up. Maybe one of you could reach out to Endi and he could share some insights. I'd love to be able to make this work as well, but as of now it looks like my only option if I want to upgrade to version 3.3/CentOS 7 is, well, there is no option...

I'd be happy to share or help in any way.

Jim Richard | PlaceIQ http://www.placeiq.com | Systems Administrator | jrich...@placeiq.com | +1 (646) 338-8905

On Feb 19, 2015, at 11:37 AM, Jani West <jw...@iki.fi> wrote:

> Hi,
>
> How can I check the cert and test? I did
>
> curl -v -k https://xxx/ca/admin/ca/getDomainXML
>
> According to that, the cert has plenty of time left. On the other hand, https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also HTTP 404.
>
> On 02/19/2015 06:22 PM, Martin Kosek wrote:
>> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>>> On 02/19/2015 10:07 AM, Jani West wrote:
>>>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum.
>>>>
>>>> When running ipa-replica-install --setup-ca -d, the installation always gets stuck on:
>>>>
>>>> --
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>   [2/19]: configuring certificate server instance
>>>> ipa         : DEBUG    Starting external process
>>>> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>>>> ipa         : DEBUG    Process finished, return code=1
>>>> ipa         : DEBUG    stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>>
>>>> Installation failed.
>>>>
>>>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
>>>> pkispawn    : ERROR    ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
>>>> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>>>> --
>>>>
>>>> Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement.
>>>>
>>>> Apache logs on the old CentOS 6 server have these errors.
>>>>
>>>> --
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>>>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>>>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>>>> --
>>>>
>>>> What certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>>>
>>> Are CA ports accessible on your master? Can you check your FW please?
>>
>> This line makes me think that expired certs may be involved:
>>
>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>>
>> CCing JanCh who has the best context in this area.
>
> --
> Jani West
> jw...@iki.fi
> +358 40 5010914
>
> Liinalahdentie 4
> 01800 KLAUKKALA
> FINLAND
>
> I would like Finland to be much more multicultural. Many people come here from elsewhere, but they are not brought forward enough. Somehow we keep them behind the curtains. It is important that Finland become open and tolerant. A closed way of thinking is Finland's problem. Perhaps we fear demonstrations like those there have been in the suburbs of Sweden, and that something terrible will happen. People do not understand that immigrants can bring
[Freeipa-users] How to remove an offline replica?
Hi!

I have a replica which is offline, and I'd like to remove it (to be later replaced). When trying to remove the replica with ipa-replica-manage according to the instructions on the wiki, I get an error about an inaccessible LDAP server:

# ipa-replica-manage del ipa-1.example.com
Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
Unable to delete replica 'ipa-1.example.com'

ipa-1.example.com is the IPA replica and I am executing the command on the IPA master. I also tried disconnect, but the result was the same:

# ipa-replica-manage disconnect ipa-1.example.com
Failed to get list of agreements from 'ipa-1.example.com': Can't contact LDAP server

Does anyone have a hint on how to get the replica removed? I'm running ipa-server-3.0.0-42 on CentOS 6.6.

Thanks!

Best regards,
Thomas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] How to remove an offline replica?
Thomas Raehalme wrote:
> Hi!
>
> I have a replica which is offline, and I'd like to remove it (to be later replaced). When trying to remove the replica with ipa-replica-manage according to the instructions on the wiki, I get an error about an inaccessible LDAP server:
>
> # ipa-replica-manage del ipa-1.example.com
> Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
> Unable to delete replica 'ipa-1.example.com'
>
> ipa-1.example.com is the IPA replica and I am executing the command on the IPA master. I also tried disconnect, but the result was the same:
>
> # ipa-replica-manage disconnect ipa-1.example.com
> Failed to get list of agreements from 'ipa-1.example.com': Can't contact LDAP server
>
> Does anyone have a hint on how to get the replica removed? I'm running ipa-server-3.0.0-42 on CentOS 6.6.

Add the --force flag.

rob
Re: [Freeipa-users] How to remove an offline replica?
On Thu, Feb 19, 2015 at 9:41 PM, Thomas Raehalme <thomas.raeha...@codecenter.fi> wrote:
> # ipa-replica-manage del ipa-1.example.com
> Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
> Unable to delete replica 'ipa-1.example.com'

And right after posting I found the --force command-line parameter which did the trick!

Best regards,
Thomas
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
> Except where we don't want single sign on, and separate passwords are advantageous or even required:
>
> - Web logins

Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it, or are there some other reasons (you say "we don't want single sign on", which sounds like a political or compliance issue, not a technical one)?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 19.2.2015 02:47, Steven Jones wrote:
> Hi,
>
> There is always a tradeoff between ease of use, complexity/cost and security.
>
> Looking at what you have written suggests to me that your entire system lacks a proper security / network architecture model and you are trying to enforce a policy from one point, IPA.
>
> regards
>
> Steven
>
> From: freeipa-users-boun...@redhat.com on behalf of Martin Minkus <martin.min...@sonic.com>
> Sent: Thursday, 19 February 2015 1:06 p.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA and Application Specific Passwords
>
> Hello all,
>
> Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.
>
> I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc.
>
> Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.
>
> I work for an organisation and we are looking at standardising on FreeIPA for all our single sign on and auth requirements. Except where we don't want single sign on, and separate passwords are advantageous or even required:
>
> - Web logins

If I understand correctly, your biggest worry is that somebody will steal user credentials via a web form, right?

IMHO the best option is to get rid of passwords in web apps completely and use true single sign-on. The simplest thing may be just to use mod_auth_kerb and put the application behind Kerberos, but more complex/flexible/fancy approaches are possible too, see
http://www.freeipa.org/page/Web_App_Authentication

This is 'The Approach' we are trying to pursue in the FreeIPA project: authenticate only once (when logging in to a machine) and never type the password again. This allows you to use two-factor authentication without apps knowing about it, etc.

The alternative is to use SAML/OpenID/other web technology to tie web apps to a web-based authentication portal, which may allow SSO from Kerberos (without mod_auth_kerb) or simply provide a single trusted place to log in from a web form.

I hope Jan or Simo can correct my misunderstandings and add more details.

Have a nice day!

Petr^2 Spacek

> - VPN logins
> - Tacacs
>
> I'm assuming it's somewhat understandable to want to keep web logins separate: web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.
>
> The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.
>
> I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields/enforce complexity and length requirements/password expiry ourselves, which is less than ideal.
>
> Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application-specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.
>
> Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this? Yeah, we should probably trust our employees with their passwords more, but apparently that is not the case.
>
> Thanks,
> Martin.

--
Petr^2 Spacek
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 01:06 AM, Martin Minkus wrote:
> Hello all,
>
> Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.
>
> I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc.
>
> Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.
>
> I work for an organisation and we are looking at standardising on FreeIPA for all our single sign on and auth requirements. Except where we don't want single sign on, and separate passwords are advantageous or even required:
>
> - Web logins
> - VPN logins
> - Tacacs
>
> I'm assuming it's somewhat understandable to want to keep web logins separate: web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.

I am not sure what exactly the fear is here. If the FreeIPA Web Authentication modules are used (http://www.freeipa.org/page/Web_App_Authentication), the user credentials are not stored on the web server; they go straight to SSSD, where the user gets authenticated to the remote LDAP (FreeIPA/AD). Alternatively, you could also set up SAML with mod_auth_mellon and Ipsilon to get a federated login where the web app would never get to the actual password.

> The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.
>
> I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields/enforce complexity and length requirements/password expiry ourselves, which is less than ideal.
>
> Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application-specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.
>
> Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this? Yeah, we should probably trust our employees with their passwords more, but apparently that is not the case.
>
> Thanks,
> Martin.

I think we have exactly this request tracked:
https://fedorahosted.org/freeipa/ticket/4510

It already contains a long discussion on the topic with some ideas. We still miss the horsepower to actually add support for it though.

Martin
Re: [Freeipa-users] New Replacing Master server help
On 02/18/2015 07:46 PM, Dmitri Pal wrote:
> On 02/18/2015 12:17 PM, Cory Carlton wrote:
>> Hey all. We are in the process of essentially moving data centers while additionally changing to a new OS (RHEL from CentOS), so we are building replica-with-master-option servers on the new networks. Version 3.0; it's up and is working as any of our instances.
>>
>> Question is how or what do I need to bring over on the new install replica master(s) to ensure we have all the original master server information, keys, CRTs, CA etc. before we can shut it down forever (+ a snapshot ;) ). We have struggled understanding exactly what to back up since the 3.0 version is lacking backup scripts. A thought, but not timely at present, would be to upgrade everything in place then migrate; again not timed right for us.
>>
>> Thanks in advance.
>>
>> Cory
>
> You need to make sure that at least one of the new replicas (better two) acts as an IPA CA.
> You need to move CRL generation to one of the new replicas that are CAs.
> You need to move the certificate tracking from the old master to the new replica with CA.
> After that you can decommission the old master.
>
> All these procedures are documented on the wiki and RHEL docs. You can also find some hints in these archives.
>
> Martin, do you think we need a combined wiki page that covers this use case or we already have something like this?

I think we are already well set. This is the upstream page:
http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

This is the downstream documentation, mostly targeted on RHEL-6.x to RHEL-7.0 migration, but also applicable to your use case:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Martin
[Freeipa-users] ipa-getcert list fails to report correctly
Hi all,

The following is blocking the ability for me to install a CA replica.

Environment:
RHEL 6.6
IPA 3.0.0-42
PKI 9.0.3-38

On the master the following is happening:

ipa-getcert list
Number of certificates and requests being tracked: 5.

(but it shows no certificate details in the output)

Running getcert list shows complete output.

Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I get a failed response. The apache error logs on the master show:

[Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

The reason I am trying to browse that address is because that's what the ipa-ca-install setup is failing at (it complains that the CA certificate is not in proper format; in fact it's not able to get it at all).

I know from another working IPA setup that browsing to the above address provides valid XML content, and ipa-getcert list shows certificate details and not just the number of tracked certificates.

Been trying for a long time to figure out the issues without luck. I would greatly appreciate any help to troubleshoot and resolve the above issues.

Regards,
Les
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 10:07 AM, Jani West wrote:
> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum.
>
> When running ipa-replica-install --setup-ca -d, the installation always gets stuck on:
>
> --
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [2/19]: configuring certificate server instance
> ipa         : DEBUG    Starting external process
> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
> ipa         : DEBUG    Process finished, return code=1
> ipa         : DEBUG    stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
> ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn    : ERROR    ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
> --
>
> Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement.
>
> Apache logs on the old CentOS 6 server have these errors.
>
> --
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
> --
>
> What certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?

Are CA ports accessible on your master?
Can you check your FW please?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 05:23 PM, Dmitri Pal wrote:
> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>>> Except where we don't want single sign on, and separate passwords are advantageous or even required:
>>>
>>> - Web logins
>>
>> Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it, or are there some other reasons (you say "we don't want single sign on", which sounds like a political or compliance issue, not a technical one)?
>
> IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device.
>
> IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be really good in order to beat a saved password, Gmail style, IMO. We are not there yet, but with upcoming changes we will get much closer.
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hi,

How can I check the cert and test? I did

curl -v -k https://xxx/ca/admin/ca/getDomainXML

According to that, the cert has plenty of time left. On the other hand, https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also HTTP 404.

On 02/19/2015 06:22 PM, Martin Kosek wrote:
> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>> On 02/19/2015 10:07 AM, Jani West wrote:
>>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum.
>>>
>>> When running ipa-replica-install --setup-ca -d, the installation always gets stuck on:
>>>
>>> --
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>   [2/19]: configuring certificate server instance
>>> ipa         : DEBUG    Starting external process
>>> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>>> ipa         : DEBUG    Process finished, return code=1
>>> ipa         : DEBUG    stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
>>> pkispawn    : ERROR    ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
>>> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>>> --
>>>
>>> Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement.
>>>
>>> Apache logs on the old CentOS 6 server have these errors.
>>>
>>> --
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>>> --
>>>
>>> What certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>>
>> Are CA ports accessible on your master? Can you check your FW please?
>
> This line makes me think that expired certs may be involved:
>
> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>
> CCing JanCh who has the best context in this area.

--
Jani West
jw...@iki.fi
+358 40 5010914

Liinalahdentie 4
01800 KLAUKKALA
FINLAND

I would like Finland to be much more multicultural. Many people come here from elsewhere, but they are not brought forward enough. Somehow we keep them behind the curtains. It is important that Finland become open and tolerant. A closed way of thinking is Finland's problem. Perhaps we fear demonstrations like those there have been in the suburbs of Sweden, and that something terrible will happen. People do not understand that immigrants can also bring a lot of good to Finland. I would hope the government would listen to the whole nation, including people from different cultures. The government should fund and support the internationalisation of Finland more. Parliament, too, could listen to immigrants more. HS 8.6.2013: Essi, 16, Etu-Töölö upper secondary school.
[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. 
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
--

Which certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?

--
Jani West
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 11:29 AM, Martin Kosek wrote:
On 02/19/2015 05:23 PM, Dmitri Pal wrote:
On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:

Except where we don't want single sign on, and separate passwords are advantageous or even required:
- Web logins

Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it, or are there some other reasons (you say "we don't want single sign on", which sounds like a political or compliance issue, not a technical one)?

IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device. IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be really good in order to beat the saved password in GMail style, IMO.

I imagine Ipsilon-based SSO where Ipsilon can make a decision which assertions to issue depending on the cert you have. We are not there yet, but with upcoming changes we will get much closer.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:

Except where we don't want single sign on, and separate passwords are advantageous or even required:
- Web logins

Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it, or are there some other reasons (you say "we don't want single sign on", which sounds like a political or compliance issue, not a technical one)?

IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device. IMO the way to go is certs rather than passwords. We are not there yet, but with upcoming changes we will get much closer.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 05:14 PM, Dmitri Pal wrote:
On 02/19/2015 10:07 AM, Jani West wrote:

Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replica file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum. When running ipa-replica-install --setup-ca -d, the installation always gets stuck on:

--
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [2/19]: configuring certificate server instance
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
--

Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement. Apache logs on the old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
--

Which certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?

Are CA ports accessible on your master? Can you check your FW please?

This line makes me think that expired certs may be involved:

[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired

CCing JanCh, who has the best context in this area.
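The mod_nss lines above name the certificate problem only by number, and the troubleshooting step that follows from them is to find out which of the master's certificates has expired and whether certmonger still tracks it. The script below is an added example, not code from FreeIPA, certmonger or anyone on this thread. It does two things offline: it maps the NSS error codes that mod_nss writes to error_log to their names from NSS's secerr.h (the table is a small subset, computed from SEC_ERROR_BASE = -8192; -8181 is SEC_ERROR_EXPIRED_CERTIFICATE), and it parses the text of 'getcert list' to flag requests whose certificate is expired, expires within 30 days, or is no longer in MONITORING state. The error_log sample is the one quoted in the thread; the 'getcert list' sample is constructed, and its layout (a "Request ID '...':" header followed by indented "status:" and "expires: YYYY-MM-DD HH:MM:SS UTC" lines) is an assumption about certmonger's output format. One reading worth keeping in mind, stated here as an assumption rather than something the thread establishes: "Bad remote server certificate" is mod_nss reporting on a certificate presented by a peer it connected to as a client, so on a master the certificate to check is not necessarily the one Apache itself serves.

```python
#!/usr/bin/env python3
"""Triage helpers for an expired-certificate failure on a FreeIPA master.

Added example, not FreeIPA/certmonger code. The getcert layout assumed here
("Request ID '...':" header, then indented "key: value" lines including
"status:" and "expires: YYYY-MM-DD HH:MM:SS UTC") is an assumption; the
sample getcert text is constructed.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Subset of SEC_ERROR_* from NSS secerr.h: SEC_ERROR_BASE (-8192) + offset.
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",         # base + 11
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",         # base + 12
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",              # base + 13
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",            # base + 20
    -8171: "SEC_ERROR_UNTRUSTED_CERT",              # base + 21
    -8162: "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE",  # base + 30
}

# mod_nss writes the numeric code after either of these two prefixes.
ERRLOG_RE = re.compile(
    r"\[error\] (?:SSL Library Error|Bad remote server certificate): (-\d+)")


def nss_errors_in_log(lines):
    """Return [(code, name)] for each NSS error code found in error_log lines."""
    found = []
    for line in lines:
        m = ERRLOG_RE.search(line)
        if m:
            code = int(m.group(1))
            found.append((code, NSS_ERRORS.get(code, "not in table; see secerr.h")))
    return found


def parse_getcert_list(text):
    """Split 'getcert list' text into one {field: value} dict per request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)  # indented "key: value"
        if cur is not None and m:
            cur[m.group(1).strip()] = m.group(2).strip()
    return requests


def check_tracking(text, now, warn=timedelta(days=30)):
    """Return (expired, expiring, not_monitoring) lists of request dicts."""
    expired, expiring, not_monitoring = [], [], []
    for req in parse_getcert_list(text):
        if req.get("status") != "MONITORING":
            not_monitoring.append(req)  # stuck renewal, CA unreachable, ...
        try:
            exp = datetime.strptime(req.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
        except ValueError:
            continue  # no parsable expiry (request never issued)
        if exp <= now:
            expired.append(req)
        elif exp - now <= warn:
            expiring.append(req)
    return expired, expiring, not_monitoring


# The error_log lines quoted in the thread.
SAMPLE_ERRLOG = [
    "[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181",
    "[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired",
    "[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?",
]

# Constructed 'getcert list' output (not from a real master).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130219113801':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\texpires: 2015-03-01 12:00:00 UTC
Request ID '20130219113802':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\texpires: 2015-01-10 09:00:00 UTC
Request ID '20130219113803':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\texpires: 2017-02-19 11:38:44 UTC
"""
NOW = datetime(2015, 2, 19, 11, 38, 44)  # timestamp of the quoted log lines


def main():
    if sys.stdin.isatty():  # no piped input: run on the constructed sample
        text, now = SAMPLE_GETCERT, NOW
    else:                   # e.g. getcert list | python3 check_ipa_certs.py
        text, now = sys.stdin.read(), datetime.now(timezone.utc).replace(tzinfo=None)
    for code, name in nss_errors_in_log(SAMPLE_ERRLOG):
        print(f"error_log: NSS {code} = {name}")
    for label, reqs in zip(("EXPIRED", "EXPIRING", "NOT MONITORING"), check_tracking(text, now)):
        for r in reqs:
            print(f"{label}: {r['id']} status={r.get('status')} expires={r.get('expires')} {r.get('key pair storage', '')}")


if __name__ == "__main__":
    main()
```

On a master, pipe the real output in (getcert list | python3 check_ipa_certs.py) and compare the flagged nicknames and NSS database locations against the ones Apache's proxy and the Dogtag instance actually use; an entry that is expired or not in MONITORING is the first thing to fix before retrying ipa-replica-install.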
Re: [Freeipa-users] question about Active Directory authentication
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see what happens (in a test environment first, of course).

From: freeipa-users-boun...@redhat.com On Behalf Of Steven Jones
Sent: Tuesday, February 17, 2015 6:25 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

Ok,

So with winsync I will have the 2000+ users in IPA. Within IPA I have several high risk/impact groups of servers and many low. For the low risk/impact servers and most desktops they can trust what AD tells them. For the high risk/impact servers/applications we do not want to rely on AD for any authorisation, so permissions for these will be isolated from AD inside IPA. The idea is if we lose AD or IPA we should not lose both via any cross-linking.

regards

Steven

From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal d...@redhat.com
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

On 02/17/2015 05:21 PM, Steven Jones wrote:

***maybe*** c) You might be able to do both winsync and trusts at the same time, then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really. Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.

They achieve different things. How otherwise do I get 2000+ AD users into IPA? To me winsync allows automated provisioning of users into IPA via AD, this greatly reduces manual effort.

That I get. I do not understand how trust helps you in this case.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] WebUI authentication problems
I just installed a new server on Fedora 21 Server, using the rolekit deployment tool. Everything was installed and configured (I hope) properly, but I'm running into a problem. The version is freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only after a restart of ipa.service. After approximately 15 minutes, I am kicked out of the active session - while in the middle of using it - and cannot log back in. Login was attempted from 4 browsers across two machines, and every time the login screen returns with "Your session has expired. Please re-login."

/var/log/httpd/errors is showing the following:

[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client 10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client 10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client 10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client 10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/

Restarting httpd, I can log in, and am immediately logged out again with the above errors. Restarting ipa.service, I was able to log in with my user account, and was notified that my password expires in 0 days - even though it was just created less than an hour ago.

Is this a known issue, or is there a hidden problem with the rolekit deployment that I need to track down?

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 02:54 PM, Jim Richard wrote:

Hey guys, for what it's worth, I spent a couple of weeks working with Endi Sukma Dewata, edew...@redhat.com, Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail. Unfortunately my post subject was not accurate, but in fact I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up ok, but upon attempting to migrate the PKI stuff with the new ldap schema etc, it just fails...

If you have been gradually upgrading it might very well be that you are hitting some of the earlier bugs related to cert tracking. This page can help you with troubleshooting: http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates
You need to see whether the certs on the master have expired and whether they are now properly tracked.

Rob, is this the right way of checking the cert validity (see previous mail in the thread)?

In the end we couldn't figure it out, basically had to just give up. Maybe one of you could reach out to Endi and he could share some insights. I'd love to be able to make this work as well, but as of now it looks like my only option if I want to upgrade to version 3.3/Centos 7 is, well, there is no option. I'd be happy to share or help in any way.

Jim Richard | PlaceIQ http://www.placeiq.com/ | Systems Administrator | jrich...@placeiq.com | +1 (646) 338-8905

On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi wrote:

Hi,

How can I check the cert and test? I did curl -v -k https://xxx/ca/admin/ca/getDomainXML. According to that the cert has plenty of time left. On the other hand https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also http 404.
On 02/19/2015 06:22 PM, Martin Kosek wrote:
On 02/19/2015 05:14 PM, Dmitri Pal wrote:
On 02/19/2015 10:07 AM, Jani West wrote:

Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replica file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum. When running ipa-replica-install --setup-ca -d, the installation always gets stuck on:

--
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [2/19]: configuring certificate server instance
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
--

Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement. Apache logs on the old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
--

Which certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?

Are CA ports accessible on your