light sub-cas crl / ocsp urls
by Natxo Asenjo
hi,
at work I am testing using a light sub-ca with openvpn to limit the scope
of hosts that can auto request a certificate.
So far so good, really impressed with how well it works.
The question I cannot answer is: are there specific URLs for CRL/OCSP for
sub-CAs, or do the 'generic' CRL/OCSP URLs apply to sub-CAs as well?
Thanks for your support.
Regards,
--
Groeten,
natxo
5 years, 2 months
Re: [systemd-devel] systemctl condreload - Is it a thing?
by Ian Pilcher
On 1/30/19 10:11 AM, Andy Pieters wrote:
> man page on Centos
> try-restart PATTERN...
> Restart one or more units specified on the command line if
> the units are running. This does nothing if units are not running.
> Note that, for compatibility with Red Hat init
> scripts, condrestart is equivalent to this command.
Yes, but I'm asking about condreload (not condrestart).
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
5 years, 2 months
certmonger with certs/keys not owned by root
by Ian Pilcher
I am setting up FreeRADIUS on my "network server" at home, which also
runs FreeIPA. Naturally, I would like to use certmonger to issue,
track, and renew the certificate(s) used by FreeRADIUS.
Unfortunately, ipa-getcert only works when run as root, and it writes
the certificate and key files as root/0600, leaving them unreadable by
radiusd. I can obviously change the permissions of the files, but
certmonger will presumably reset them when it renews the certificate.
I feel like I must be missing something obvious. certmonger must be
usable with services that run as a non-root user, right?
--
Ian Pilcher arequipeno(a)gmail.com
5 years, 2 months
LDAP account for service
by Ian Pilcher
Continuing my adventures with FreeRADIUS ...
It seems that there's no escaping the need to create a dedicated LDAP
user for FreeRADIUS, so that it can see group membership information.
I've already created a FreeIPA service -
radius/ipa.example.com(a)EXAMPLE.COM - so that I could issue a certificate
for PEAP and monitor it with certmonger. (Yes, FreeRADIUS is running on
the same server as FreeIPA.)
Is it possible to somehow create a "service user" associated with this
service that FreeRADIUS can use as an LDAP login?
Thanks!
--
Ian Pilcher arequipeno(a)gmail.com
5 years, 2 months
Expired Certificates.
by Bhavin Vaidya
Hello,
We rebooted our primary FreeIPA server (ds01) and now it will not start pki-tomcatd; Kerberos also does not work, though it starts.
We realized that 2 certificates have expired.
We tried stopping ipa, stopping NTP, setting the date back to Dec 14th, 2018 and restarting certmonger, then bringing the date back, but still no luck.
This is our primary, and we also have 2 local and 2 remote FreeIPA servers; on them only one of the certificates (June 15th, 2018) is showing as expired and the others are good.
Do we have to go back on date before June 15th, 2018 on ds01?
Details are:
[root@ds01 ~]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
[root@ds01 ~]# ipa ca-find
------------
1 CA matched
------------
Name: ipa
Description: IPA CA
Authority ID: 606<...........SNIP..........>450
Subject DN: CN=Certificate Authority,O=DOMAIN.COM
Issuer DN: CN=Certificate Authority,O=DOMAIN.COM
----------------------------
Number of entries returned 1
----------------------------
[root@ds02 ~]# ipa ping
-------------------------------------------
IPA server version 4.5.0. API version 2.228
[root@ds01 ~]# KRB5_TRACE=/dev/stdout kinit admin
[5509] 1547598366.261229: Getting initial credentials for admin(a)DOMAIN.COM
[5509] 1547598366.267532: Sending request (171 bytes) to DOMAIN.COM
[5509] 1547598366.268593: Resolving hostname ds01.domain.com
[5509] 1547598366.269479: Sending initial UDP request to dgram 192.1xx.xxx.xxx:88
[5509] 1547598367.270712: Initiating TCP connection to stream 192.1xx.xxx.xxx:88
[5509] 1547598367.270884: Sending TCP request to stream 192.1xx.xxx.xxx:88
[5509] 1547598372.338780: Received answer (171 bytes) from dgram 192.1xx.xxx.xxx:88
[5509] 1547598372.338841: Terminating TCP connection to stream 192.1xx.xxx.xxx:88
[5509] 1547598372.338989: Response was from master KDC
[5509] 1547598372.339095: Received error from KDC: -1765328324/Generic error (see e-text)
kinit: Generic error (see e-text) while getting initial credentials
[root@ds01 ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180228053337':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ds01.domain.com,O=DOMAIN.COM
subject: CN=ds01.domain.com,O=DOMAIN.COM
expires: 2019-03-07 06:24:12 UTC
principal name: krbtgt/DOMAIN.COM(a)DOMAIN.COM
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180315021457':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2020-02-25 04:27:49 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021500':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2020-02-25 04:28:38 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021501':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021503':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180315021504':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ds01.domain.com,O=DOMAIN.COM
expires: 2018-12-16 21:02:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021505':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ds01.domain.com,O=DOMAIN.COM
expires: 2020-03-07 08:49:36 UTC
principal name: ldap/ds01.domain.com(a)DOMAIN.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
Request ID '20180315021510':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ds01.domain.com,O=DOMAIN.COM
expires: 2020-03-07 08:49:51 UTC
principal name: HTTP/ds01.domain.com(a)DOMAIN.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
thank you,
Bhavin
5 years, 2 months
Unable to migrate IPA3 to IPA4
by Robert Alba
Having cert issues on a CentOS 6 IPA 3 server
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)
ipa config-mod --enable-migration=TRUE
ipa: ERROR: cannot connect to u'https://lax4ipa01.mia.bill1st.local/ipa/xml': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Old server, pretty much can't register any new clients to it. Willing to pay for support for migration help.
Version/Release/Distribution
ipa-server-3.0.0-47.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-47.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-47.el6.centos.x86_64
ipa-server-selinux-3.0.0-47.el6.centos.x86_64
device-mapper-multipath-0.4.9-87.el6.x86_64
libipa_hbac-1.12.4-47.el6.x86_64
libipa_hbac-python-1.12.4-47.el6.x86_64
device-mapper-multipath-libs-0.4.9-87.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
root@lax4ipa01.mia.bill1st:~$ cat /etc/ipa/ca.crt
root@lax4ipa01.mia.bill1st:~$ certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
ipaCert u,u,u
MIA.BILL1ST.LOCAL IPA CA CT,C,C
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141125183905':
status: MONITORING
ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
expires: 2018-10-08 17:15:13 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20141125183906':
status: MONITORING
ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL
expires: 2018-10-08 17:14:13 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20141125183907':
status: MONITORING
ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=CA Subsystem,O=MIA.BILL1ST.LOCAL
expires: 2018-10-08 17:14:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20141125183908':
status: MONITORING
ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...".
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=IPA RA,O=MIA.BILL1ST.LOCAL
expires: 2018-10-08 17:14:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20141125183909':
status: MONITORING
ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
expires: 2018-10-08 17:14:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141125183922':
status: CA_UNREACHABLE
ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
expires: 2018-10-30 17:14:19 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MIA-BILL1ST-LOCAL
track: yes
auto-renew: yes
Request ID '20141125183953':
status: CA_UNREACHABLE
ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
expires: 2018-10-30 17:14:22 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20141125184220':
status: CA_UNREACHABLE
ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL
expires: 2019-05-03 14:41:19 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
root@lax4ipa01.mia.bill1st:~$
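A small checker for the `getcert list` output quoted in this post and in the "Expired Certificates" post above, added here as an example (it is not FreeIPA or certmonger code): it parses the tracked requests and flags anything that is expired, not in MONITORING status, or has auto-renew switched off. The sample output, its request IDs and the EXAMPLE.COM names are constructed to mirror the format shown in the posts.

```python
"""Audit `getcert list` output for expired / un-renewable certificates.
Added example, not FreeIPA's or certmonger's code. SAMPLE is constructed
to mirror the output format quoted in the posts above."""
import re
from datetime import datetime, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20180315021503':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2018-06-15 23:15:23 UTC
\tauto-renew: yes
Request ID '20180315021502':
\tstatus: MONITORING
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2038-03-07 03:47:46 UTC
\tauto-renew: yes
Request ID '20180315021510':
\tstatus: MONITORING
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2020-03-07 08:49:51 UTC
\tauto-renew: no
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the timestamp format getcert prints


def parse_getcert(text):
    """One dict per tracked request: field name -> raw value string."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def check_entries(entries, now, warn_days=30):
    """Return {request_id: [problem, ...]} for requests needing attention."""
    problems = {}
    for e in entries:
        found = []
        if e.get("status") != "MONITORING":       # e.g. CA_UNREACHABLE
            found.append("status %s: %s" % (e.get("status"),
                                            e.get("ca-error", "no ca-error")))
        if "expires" in e:
            when = datetime.strptime(e["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
            if when <= now:
                found.append("expired on %s" % e["expires"])
            elif (when - now).days < warn_days:
                found.append("expires in %d days" % (when - now).days)
        if e.get("auto-renew") != "yes":
            found.append("auto-renew is off")
        if found:
            problems[e["request_id"]] = found
    return problems


def audit_getcert(text, now_str):
    """Convenience wrapper: `now_str` in getcert's own timestamp format."""
    now = datetime.strptime(now_str, TIME_FMT).replace(tzinfo=timezone.utc)
    return check_entries(parse_getcert(text), now)


if __name__ == "__main__":
    # Reference time chosen to match the KRB5_TRACE timestamps in the post.
    for rid, probs in audit_getcert(SAMPLE, "2019-01-16 00:00:00 UTC").items():
        print(rid, "->", "; ".join(probs))
```

On a real server, feed it `getcert list` output and the current UTC time; a request that reports a non-MONITORING status together with a past expiry date is the combination both posts show.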
5 years, 2 months
FreeIPA server has no UID range
by Ian Pilcher
Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS
7 via replication. I've just tried to create a new user for the first
time since, and I hit:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
failed! Unable to proceed.
I've found a few old mailing list messages that explain the reason that
this happened, so I know that I need to create a "dnarange", but I
haven't found anything that shows me exactly how to do that, or what the
range should be. (Since I only have a single server, I would think that
the default would be fine.)
Any pointers would be appreciated.
Thanks!
--
Ian Pilcher arequipeno(a)gmail.com
5 years, 2 months
"floating IP" / HA IPA <= and Win AD one-way trust
by lejeczek
hi gents,
I wonder if IPA, when set up on an "isolated" network segment with
one single point of communication with the outside, which specifically means
Win AD, would establish a trust and work okay later.
A briefly sketched example...
1st, 2nd & 3rd IPA masters all on 10.10.10.0/24, with pacemaker/HA
floating one IP between the IPA masters on 192.168.2.0, which is where the
whole Win AD is (and the rest of the intranet).
DNS is where the devil is, details. Can it be done?
I read that zone views are discouraged, and I do not think IPA's DNS
supports those anyway.
Can DNS be "completed" without harming IPA in a way that an incoming trust
from AD can be achieved in the above scenario?
many thanks, L.
5 years, 2 months
IPA Infrastructure Design Question with multiple IPA Clusters
by TomK
Suppose I have the following scenario:
AD DC Cluster = b.a ( user: b.a\jack )
IPA Cluster 01 = c.b.a
IPA Cluster 02 = d.b.a
IPA Cluster 03 = e.b.a
If I set up all 3 IPA clusters as subdomains of b.a, I know each one can
establish a trust with the AD DC and I can authenticate as 'b.a\jack'
through servers connected to each cluster.
But if I want to do something like this (just theoretical):
AD DC Cluster = b.a ( user: b.a\jack )
IPA Cluster 01 = c.b.a
IPA Sub Cluster 01 = d.c.b.a
IPA Sub Cluster 02 = e.c.b.a
Meaning only c.b.a has a trust with the AD DC Cluster but d.c.b.a and
e.c.b.a don't have a direct trust with the AD DC however c.b.a forwards
anything on 'd' and 'e' over to the sub clusters.
Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA
clusters? I imagine it's not possible.
If by chance it is, what would I need to do to make that work? Guessing
allowing the AD DC to trust the subdomains would be one of the things I
need to do. But what else?
--
Regards,
TK
-------------------------------------------------------------------------------------
5 years, 2 months