I am having trouble with ntpd on my IPA server. For whatever reason,
chrony seems to work when I manually stop ntpd.
I would like to remove ntpd as an IPA-managed service. I found an old
thread on this list that says I need to remove:
Assuming that this is correct, how do I do that?
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
We have FreeIPA running on Ubuntu 16.04 since about two years
now. For the last few days we see these messages in the log:
Oct 22 17:32:14 ipasrv certmonger: 2018-10-22 17:32:14  Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?
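As an added example (not from this thread) of where to start: the two numbers in the log lines above already say a lot. curl exit 77 (CURLE_SSL_CACERT_BADFILE) means the CA bundle certmonger presents when it talks to Dogtag on port 8443 could not be read or used, and a renew-agent exit status of 3 is certmonger's "CA unreachable", so the request sits in a retry loop instead of renewing. The script below pulls those codes out of syslog lines in that format and translates them; the sample lines are constructed after the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread: extract the curl error code and the
# dogtag-ipa-renew-agent exit status from certmonger syslog lines and map them
# to their meaning. The sample log is constructed after the message above.
set -e

curl_error_text() {
    case $1 in
        60) echo "peer certificate cannot be authenticated with known CA certificates";;
        77) echo "problem with the SSL CA cert (path? access rights?)";;
        *)  echo "curl error $1";;
    esac
}

helper_status_text() {
    case $1 in
        0) echo "certificate issued";;
        1) echo "wait, try again later";;
        2) echo "request rejected by the CA";;
        3) echo "CA unreachable, certmonger will retry";;
        4) echo "helper unconfigured";;
        *) echo "helper status $1";;
    esac
}

# classify_line LINE
# Prints "curl <code> <url> <meaning>" for a certmonger connect error,
# "helper <code> <meaning>" for a renew-agent exit status, nothing otherwise.
classify_line() {
    line=$1
    case $line in
        *"certmonger: "*" Error "*" connecting to "*)
            rest=${line##*Error }            # "77 connecting to https://host:8443/...: Problem ..."
            code=${rest%% *}                 # "77"
            url=${rest#* connecting to }     # "https://host:8443/...: Problem ..."
            url=${url%%: *}                  # cut at the first ": " after the URL
            echo "curl $code $url $(curl_error_text "$code")"
            ;;
        *"dogtag-ipa-renew-agent returned "*)
            code=${line##* returned }
            echo "helper $code $(helper_status_text "$code")"
            ;;
    esac
}

# scan_log < logfile : classify every line; returns 0 when any failure was seen
scan_log() {
    found=1
    while IFS= read -r l; do
        out=$(classify_line "$l")
        [ -n "$out" ] && { echo "$out"; found=0; }
    done
    return $found
}

# Constructed sample, modelled on the lines quoted in the message above.
SAMPLE_LOG='Oct 22 17:32:14 ipasrv certmonger: 2018-10-22 17:32:14  Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3'

demo() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log
}
```

On a real server you would feed it `journalctl -u certmonger` (or /var/log/messages) and then look at the CA bundle the failing request uses, since exit 77 points at the file rather than at Dogtag itself.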
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also, is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
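As an added example (not from this thread or from the FreeIPA project), here is how I would build the hand-made CSR the question asks about: one RSA key and one request whose Subject Alternative Names list every name the HTTP and LDAP services answer to, checked afterwards to be sure the SANs really landed in the CSR before it goes to the external CA. The host names are placeholders. The PKINIT (KDC) certificate is the exception to the "one cert for everything" idea: FreeIPA requires it to carry the Kerberos KDC extended key usage and a krbtgt/REALM otherName SAN, which an ordinary TLS CA will not normally issue, so this CSR is meant for the HTTP and LDAP certificates only.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a key and a CSR covering
# several server names via SAN, then verify the SANs in the CSR with openssl.
# Host names and paths are placeholders chosen for the example.
set -e

# gen_csr OUTDIR CN SAN...   -> writes OUTDIR/key.pem and OUTDIR/csr.pem
# Put the CN in the SAN list too: clients match on SAN and ignore the CN.
gen_csr() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    # Build the subjectAltName value: DNS:name1,DNS:name2,...
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    # A config file instead of -addext so this also works on OpenSSL < 1.1.1
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
O = EXAMPLE.COM
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" -config "$dir/csr.cnf" 2>/dev/null
}

# csr_sans CSRFILE -> prints the DNS SANs in the CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_has_san CSRFILE NAME -> exit 0 when NAME is among the DNS SANs
csr_has_san() {
    csr_sans "$1" | grep -qx "$2"
}

# Example run: one request for a server that is also reachable under the
# realm-wide name and must still match after a replica takes over that name.
# gen_csr /root/ipa-csr ipa01.example.com ipa01.example.com ipa.example.com ipa02.example.com
# csr_sans /root/ipa-csr/csr.pem
```

Once the external CA signs it, key.pem and the returned certificate are what you hand to ipa-server-install (or the replica install) with --http-cert-file and --dirsrv-cert-file, together with the CA's chain via --ca-cert-file; the same file can be reused for both services as long as every server name is in the SAN list.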
I have issued a certificate for an AWS ELB.
The certificate is attached to a pseudo-host and service named lb.example.com.
There is a certificate and the certificate ID is 21.
The certificate was created on the FreeIPA server.
(as indicated here https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)
I also created 2 more certificates for the back-end servers, installed them, and they work just fine when I connect directly to the back-end server.
However, when I connect through the LB, browsers complain because the back-end certificate does not contain the DNS name of the LB.
So, I revoked the previous certificates and tried to re-create them via:
sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem -k ~/certificates/keys/host_key.key -K HTTP/$(hostname -f) -N CN=$(hostname),O=EXAMPLE.COM -g 2048 -D lb.example.com -D host01.example.com -D aws-host01-example.com -D webserver01.example.com
(The command was executed on the back-end servers in order to avoid transferring the files)
The request fails with this error:
ca-error: Server at https://ipa01.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'lb.example.com'.).
Do I get this error because there is a certificate for this service already? If so, how can I bypass this?
If it's not possible, I will recreate the LB certificate and add all DNS names in that, but it's less than ideal since if I add a new server in the future, I will need to re-issue the certificate.
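An added example, not from this thread, of how I would handle the denied request: FreeIPA refuses a dNSName SAN unless the requesting principal is allowed to manage the host or service entry behind that name, and "Insufficient privilege to create a certificate with subject alt name" is that check failing, independent of whether a certificate already exists for the name. Because the request is made with a service principal (-K HTTP/...), the name lb.example.com is matched against the HTTP/lb.example.com service, so the back-end host has to be made a manager of the LB's service (and of its host entry, since the post says the LB exists as a pseudo-host as well) before re-running the request. The principal names, host names and certificate paths below are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: grant the back-end host management
# rights over the LB's host and HTTP service entries, then re-request the
# certificate with the LB name in the SAN. Assumes the LB service principal is
# HTTP/lb.example.com and the back-end host is host01.example.com.
set -e

DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_san_access LB_HOST BACKEND_HOST
# Run with an admin ticket (kinit admin) on any enrolled machine.
grant_san_access() {
    lb=$1; backend=$2
    run ipa host-add-managedby "$lb" --hosts="$backend"
    run ipa service-add-host "HTTP/$lb" --hosts="$backend"
}

# san_flags NAME... -> "-D NAME -D NAME ..." the way ipa-getcert wants them
san_flags() {
    flags=""
    for n in "$@"; do flags="${flags:+$flags }-D $n"; done
    printf '%s' "$flags"
}

# request_cert BACKEND_FQDN SAN...   run as root on the back-end host
# Every name a client may use to reach this host goes in the SAN list,
# including the host's own FQDN; browsers ignore the CN.
request_cert() {
    fqdn=$1; shift
    # shellcheck disable=SC2046  (word-splitting the -D flags is intended)
    run ipa-getcert request \
        -f /etc/pki/tls/certs/http.pem -k /etc/pki/tls/private/http.key \
        -K "HTTP/$fqdn" -N "CN=$fqdn,O=EXAMPLE.COM" -g 2048 \
        $(san_flags "$fqdn" "$@")
}

# Typical sequence (admin side, then on host01):
#   grant_san_access lb.example.com host01.example.com
#   request_cert host01.example.com lb.example.com webserver01.example.com
# Afterwards "getcert list -f /etc/pki/tls/certs/http.pem" should report
# status MONITORING; a "ca-error:" line there means the request was denied again.
```

Adding a new back-end later then means one grant_san_access call for the new host plus its own request, rather than re-issuing the LB certificate with every name in it.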