Dagan McGregor via FreeIPA-users wrote:
> Hi all,
>
> We have a number of CentOS 7 hosts enrolled with FreeIPA, and I have noticed
> the ldap.conf on some hosts has two separate URI lines, similar to this:
>
> URI ldaps://ipa.example.com
> BASE dc=example,dc=com
> TLS_CACERT /etc/ipa/ca.crt
> UR
Hi all,
We have a number of CentOS 7 hosts enrolled with FreeIPA, and I have noticed
the ldap.conf on some hosts has two separate URI lines, similar to this:
URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
URI https://ipa.example.com
This caused our configuration m
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users
wrote:
> Hi,
>
>
> Checked AVCs first. SELinux is always a burden on our Fedora Clients.
>
> Certmonger is still trying.
>
> Does it make sense to make some timetravel for certificate renewal with the
> Renewal master
Ian Pilcher wrote:
> On 01/30/2018 02:27 PM, Rob Crittenden wrote:
>> Not sure what you mean by arbitrary. You can definitely generate a CSR
>> using your favorite tool and pass that to ipa cert-request.
>
> By arbitrary I meant a CSR/certificate that doesn't correspond to a host
> (or user) that
On 01/30/2018 02:27 PM, Rob Crittenden wrote:
Not sure what you mean by arbitrary. You can definitely generate a CSR
using your favorite tool and pass that to ipa cert-request.
By arbitrary I meant a CSR/certificate that doesn't correspond to a host
(or user) that is managed by the FreeIPA serv
Ian Pilcher via FreeIPA-users wrote:
> On 01/30/2018 09:53 AM, Rob Crittenden wrote:
>> Ian Pilcher via FreeIPA-users wrote:
>>>
>>> Jumping in to this thread ... I know how to generate a keypair and CSR,
>>> but I've never been able to figure out how to get FreeIPA to generate a
>>> certificate fr
On 01/30/2018 09:53 AM, Rob Crittenden wrote:
Ian Pilcher via FreeIPA-users wrote:
Jumping in to this thread ... I know how to generate a keypair and CSR,
but I've never been able to figure out how to get FreeIPA to generate a
certificate from a CSR.
If there's documentation somewhere that I'v
Hi,
Checked AVCs first. SELinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some timetravel for certificate renewal with
the Renewal master, even if the renewal didn't work when the
certificates were still valid?
On 30.01.2018 16:42,
Hello Flo,
I'm resending the mail since my first response was rejected because of SPF, and
only found its way to the mailing list...
Many thanks again for your response. First of all, I've figured out that
the package "pki-symkey" was missing, so I've installed it with yum.
Now, according to s
Hello Flo,
and thanks again for your response. First of all, I've figured out that
the package "pki-symkey" was missing, so I've installed it with yum.
Now, according to systemctl, pki-tomcatd is running:
root@mat-ipa-master-1:~$ systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@p
Andrew Meyer via FreeIPA-users wrote:
> I was just checking the web admin on my secondary node (still in testing
> phase) but it won't resolve at all. I'm not sure why.
>
> These are the only errors I have from the Apache logs:
>
>
>
>
> [Tue Jan 30 09:49:54.429727 2018] [mpm_prefork:notice]
Please ignore. This is an issue w/ my proxy.
On Tuesday, January 30, 2018 10:01 AM, Andrew Meyer via FreeIPA-users
wrote:
I was just checking the web admin on my secondary node (still in testing
phase) but it won't resolve at all. I'm not sure why.
These are the only errors I have f
I was just checking the web admin on my secondary node (still in testing phase)
but it won't resolve at all. I'm not sure why.
These are the only errors I have from the Apache logs:
[Tue Jan 30 09:49:54.429727 2018] [mpm_prefork:notice] [pid 3637] AH00170:
caught SIGWINCH, shutting down gra
Ian Pilcher via FreeIPA-users wrote:
> On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote:
>> Ideally you should generate the keys and create a CSR on the device.
>> Then use IPA to issue certificates for the user.
>
> Jumping in to this thread ... I know how to generate a keypair and
Matt . via FreeIPA-users wrote:
> Hi,
>
> I can do!
>
> Can it be that the certificate, self signed, is more of a security issue now
> and that causes the problem ? In the past I was able to use a selfsigned one
> for internal tests.
>
As I asked in IRC you need to provide a GOOD description
On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote:
Ideally you should generate the keys and create a CSR on the device.
Then use IPA to issue certificates for the user.
Jumping in to this thread ... I know how to generate a keypair and CSR,
but I've never been able to figure out h
Christof Schulze via FreeIPA-users wrote:
> Hi,
>
> Here may be the problem, all are masters, the idm1 I am working on is
> the CA renewal master (checked ldap and config-show).
>
> IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8k
Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
>
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
>
> I've fired up certmonger and added the SCEP CA.
>
> When I attempt to request a certificate, the enrollment completes
> successfull
Hi,
I can do!
Can it be that the certificate, self signed, is more of a security issue now
and that causes the problem ? In the past I was able to use a selfsigned one
for internal tests.
Cheers,
Matt
___
FreeIPA-users mailing list -- freeipa-users@
Hi,
Here may be the problem, all are masters, the idm1 I am working on is
the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8
Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set up
with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes
successfully per the Dogtag side of the equation but the response fro
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,
Now the roof is on fire, all certificates are synced on all masters
since a long time ago.
The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired
"subsystemCert cert-pki-ca" , "ocspSigningCert cer
On 01/24/2018 07:35 PM, Harald.Husemann--- via FreeIPA-users wrote:
Hello Flo,
thanks for your answer, and for the explanation of the certutil output. I have
tried your suggestion, first with sudo:
hhuseman@mat-ipa-master-1:~$ sudo kinit -kt /etc/krb5.keytab
[sudo] password for hhuseman:
Sorry
Hi,
Now the roof is on fire, all certificates are synced on all masters
since a long time ago.
The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired
"subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
"/var/lib/ipa/ra-agent.pem"
The "auditSigningCert
Perfect. The example has been very clear.
Thank you very much!
Regards,
Daniele
On 30 January 2018 at 11:00, Alexander Bokovoy wrote:
> On ti, 30 tammi 2018, Daniele Liciotti via FreeIPA-users wrote:
>>
>> Hi,
>>
>> I have connected my FreeIPA server with an AD in trust. Is it possible
>> to ass
On ti, 30 tammi 2018, Daniele Liciotti via FreeIPA-users wrote:
Hi,
I have connected my FreeIPA server with an AD in trust. Is it possible
to assign special permissions (sudo) to some AD users? I noticed that
the policies can only be set to AD group.
Policies can only be assigned to POSIX users
Hi,
I have connected my FreeIPA server with an AD in trust. Is it possible
to assign special permissions (sudo) to some AD users? I noticed that
the policies can only be set to AD group.
Thanks in advance,
Daniele
On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote:
On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 24/01/2018 15:2