June 2022 - FreeIPA-users - Fedora Mailing-Lists

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

3
4
0 / 0

FreeIPA 4.10.0

by Antonio Torres

The FreeIPA team would like to announce FreeIPA 4.10.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. == Highlights in 4.10.0 * 2016: [RFE] Support random serial numbers in IPA certificates RSN can be enabled in new server installations. * 7404: Incorrect certs are being updated with "ipa-certupdate" ipa-cacert-manage command now supports the "prune" subcommand, that allows to remove the expired CA certificates. === Bug fixes FreeIPA 4.10.0 is a stabilization release for the features delivered as a part of 4.10 version series. There are 7 bug-fixes since FreeIPA 4.9.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on libera.chat. == Resolved tickets * https://pagure.io/freeipa/issue/2016[#2016] [RFE] Support random serial numbers in IPA certificates * https://pagure.io/freeipa/issue/2278[#2278] IPA needs better sudo option validation or better documentation * https://pagure.io/freeipa/issue/7404[#7404] Incorrect certs are being updated with "ipa-certupdate" * https://pagure.io/freeipa/issue/8544[#8544] After reboot: Replication bind with GSSAPI auth failed * https://pagure.io/freeipa/issue/8684[#8684] [WebUI] test_hostgroup::test_names_and_button - timeout reached * https://pagure.io/freeipa/issue/9035[#9035] Nightly failure (rawhide) in test_installation_client.py::TestInstallClient * https://pagure.io/freeipa/issue/9105[#9105] Review usage of quiet flag in ipa-join == Detailed changelog since 4.9.10 === Rob Crittenden (9) * Fix test_secure_ajp_connector.py failing with Python 3.6.8 https://pagure.io/freeipa/c/9a97f9b40[commit] * Add tests for Random Serial Number v3 support https://pagure.io/freeipa/c/d241d7405[commit] https://pagure.io/freeipa/issue/2016[#2016] * Add support for Random Serial Numbers v3 https://pagure.io/freeipa/c/beaa0562d[commit] https://pagure.io/freeipa/issue/2016[#2016] * Add a new parameter type, SerialNumber, as a subclass of Str https://pagure.io/freeipa/c/83be923ac[commit] https://pagure.io/freeipa/issue/2016[#2016] * doc/designs: add Random Serial Numbers v3 support https://pagure.io/freeipa/c/d3481449e[commit] https://pagure.io/freeipa/issue/2016[#2016] * Design for IPA-to-IPA migration https://pagure.io/freeipa/c/d4859db4e[commit] * Re-work the quiet option in ipa-join to not suppress errors https://pagure.io/freeipa/c/61650c577[commit] https://pagure.io/freeipa/issue/9105[#9105] * Improve sudooption docs, make the option multi-value https://pagure.io/freeipa/c/47fbe05f7[commit] https://pagure.io/freeipa/issue/2278[#2278] * Design doc to allow LDAP bind using the RADIUS auth type https://pagure.io/freeipa/c/16ab690bf[commit] === Matthew Davis (1) * Add missing parameter to Suse modify_nsswitch_pam_stack https://pagure.io/freeipa/c/6d6b135ff[commit] === Anuja More (3) * ipatests: Fix install_master for test_idp.py https://pagure.io/freeipa/c/ef091c99f[commit] * Add end to end integration tests for external IdP https://pagure.io/freeipa/c/bd57ff356[commit] * ipatests: update prci definitions for test_idp.py https://pagure.io/freeipa/c/a80a98194[commit] === Timo Aaltonen (2) * ipaplatform/debian: Drop the path for ldap.so https://pagure.io/freeipa/c/808ac46ba[commit] * ipaplatform/debian: Use multiarch path for libsofthsm2.so https://pagure.io/freeipa/c/92d718dbf[commit] === Michal Polovka (5) * ipatests: Healthcheck use subject base from IPA not REALM https://pagure.io/freeipa/c/d3c11f762[commit] * ipatests: Increase expect timeout for interactive mode https://pagure.io/freeipa/c/40b3c11bd[commit] * ipatests: Healthcheck should ignore pki errors when CA is not configured https://pagure.io/freeipa/c/b2bbf8165[commit] * test_webui: test_hostgroup: Wait for modal dialog to appear https://pagure.io/freeipa/c/d0269f236[commit] https://pagure.io/freeipa/issue/8684[#8684] * WebUI: Test if links are opened in new tab correctly https://pagure.io/freeipa/c/89c846a1f[commit] === Florence Blanc-Renaud (9) * xmlrpc tests: updated expected output for preserved user https://pagure.io/freeipa/c/3732349bc[commit] * Preserve user: fix the confusing summary https://pagure.io/freeipa/c/cbc18ff8c[commit] * ipatests: update packages in rawhide test test_installation_client.py https://pagure.io/freeipa/c/4c61b9266[commit] https://pagure.io/freeipa/issue/9035[#9035] * ipatests: revert wrong commit on gating definition https://pagure.io/freeipa/c/4b665ccf2[commit] * Design: Integrate SID configuration into base IPA installers https://pagure.io/freeipa/c/bacddb828[commit] * Doc: add a design template https://pagure.io/freeipa/c/5edf144a7[commit] * ipatests: add test_acme.py in nightly previous https://pagure.io/freeipa/c/96a297f3b[commit] * ipatests: fix incomplete nightly def in nightly_previous https://pagure.io/freeipa/c/296f27dce[commit] * ipatests: fix discrepancies in nightly defs https://pagure.io/freeipa/c/9b2c05aff[commit] === Armando Neto (8) * ipatests: update prci template https://pagure.io/freeipa/c/b3085b830[commit] * ipatests: update definitions for custom COPR nightlies https://pagure.io/freeipa/c/1101b22b5[commit] * ipatests: bump PR-CI rawhide template https://pagure.io/freeipa/c/c780504d4[commit] * ipatests: bump rawhide template for PR-CI https://pagure.io/freeipa/c/d6d413628[commit] * ipatests: Bump PR-CI rawhide template https://pagure.io/freeipa/c/c14d52f43[commit] * ipatests: Bump PR-CI Rawhide template https://pagure.io/freeipa/c/c572697d9[commit] * ipatests: Update gating to Fedora 33 https://pagure.io/freeipa/c/a6b487130[commit] * ipatests: update PR-CI templates to Fedora 33 https://pagure.io/freeipa/c/3e8e83654[commit] === Alexander Bokovoy (3) * Fix use of comparison functions to avoid GCC bug 95189 https://pagure.io/freeipa/c/9043b8d53[commit] * doc/designs: fix formatting in LDAPI autobind design https://pagure.io/freeipa/c/3d809c706[commit] * Contributors: add new contributors to the list https://pagure.io/freeipa/c/bef78d16e[commit] === Mohammad Rizwan (1) * ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg https://pagure.io/freeipa/c/16057898a[commit] === Christian Heimes (2) * Add design for LDAPI autobind https://pagure.io/freeipa/c/5b8f37f88[commit] https://pagure.io/freeipa/issue/8544[#8544] * LDAP autobind authenticateAsDN for BIND named https://pagure.io/freeipa/c/16e1cbdc5[commit] https://pagure.io/freeipa/issue/8544[#8544] === François Cami (1) * ipatests: fix nightly_latest_testing_selinux template https://pagure.io/freeipa/c/87304c78a[commit] === Antonio Torres (2) * ipatests: add test for ipa-cacert-manage prune https://pagure.io/freeipa/c/8a2e6ec32[commit] https://pagure.io/freeipa/issue/7404[#7404] * ipa-cacert-manage: add prune option https://pagure.io/freeipa/c/5d8cb1dd1[commit] https://pagure.io/freeipa/issue/7404[#7404] === Peter Keresztes Schmidt (3) * configure: Do not set -Wno-strict-aliasing -Wno-sign-compare https://pagure.io/freeipa/c/f9357cb98[commit] * build: Unify compiler warning flags used https://pagure.io/freeipa/c/a355646c3[commit] * configure: Fix source tree detection to enable more warnings https://pagure.io/freeipa/c/54b42f72f[commit]

1 year, 3 months

3
3
0 / 0

No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

2
1
0 / 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

1
0
0 / 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

1
0
0 / 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

1
0
0 / 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

1
0
0 / 0

No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

by roy liang

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip... I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 year, 3 months

1
0
0 / 0

keycloak - the other way around?

by lejeczek

Hi guys. I've only stumbled upon whole Keycloak thing thus go easy on me please. I wonder if Keycload can be a "provider" to freeIPA in some way? One such a scenario where I think Keycloak might be a golden egg - if it worked that is - is as a "middle-man" for user base between(or from to) AD and freeIPA when full & legit trust is not possible. Does that make sense? many thanks, L.

1 year, 3 months

4
7
0 / 0

FreeIPA Replica Install Command Failed

by Yannick Djomo

I am out of options here when trying to promote the client to the replica on CentOS 8 Stream. Any guidance will be really helpful. [root@ipa02 ~]# ipa-replica-install--skip-conncheck Disabled p11-kit-proxy Configuring directory server (dirsrv). Estimated time: 30 SeCo [1/38]: creating directory server instance Validate installation settings Create file system structures Perform SELinux labeling ... Create database backend: dc=mydomain, dc=com Perform post-installation tasks [2/38]: tune 1dbm plugin [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configure password logging [7/38]: configuring replication version plugin [8/38]: enabling IPA enrollment plugin [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: configuring topology plugin [16/38]: creating indices [17/38]: enabling referential integrity plugin [18/38]: configuring certmap. conf [19/38]: configure new location for managed entries [20/38]: configure dirsrv cache and keytab [21/38]: enabling SAL mapping fallback [22/38]: restarting directory server [23/38]: creating DS keytab [24/38]: ignore time skew for initial replication [25/38]: setting up initial replication Starting replication, please wait until this has completed [error] SERVER_DOWN: {'result': -1, "desC. "Can't contact DAP server Your system may be partly configured. Run /usr/sbin/ipa-server-install--uninstalltocleanup {'result': -1, "desc’: "Can't contact LDAP server” errno': 4. 'ctrls': Ll, L, 'into': 'Interrupted system call’} Your system may be partly configured. Run /usr/sbin/ipa-server-install--uninstalltocleanup {'result': -1, "desc’: "Can't contact LDAP server”, 'errno': 4. 'ctrls': Ll, ‘info’: ‘Interrupted system call’} The ipa-replica-install command failed. See /var/log/ipareplica-install.log

1 year, 3 months

2
8
0 / 0

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2022