FreeIPA-users June 2026

freeipa-users@lists.fedorahosted.org

7 participants
3 discussions

FreeIPA on VLAN network
by Olivier G 08 Jun '26

08 Jun '26

Hi all, Do you know if there is any issue with the following architecture: * One server connected to multiple VLAN * One FreeIpa replica listening to multiples interfaces on the different VLAN (with each having different IP addresse) * one DNS declaration (with a different application name) per VLAN with associated IP address with associated certificate => The VLAN segregation is managed manually. Ex: I have a freeipa replica named app with: app1.network.local on VLAN1 / IP1 / certificate 1 app2.network.local on VLAN2 / IP2/ certificate 2 Is there a better architecture? Does Kerberos will have issues with this configuration? Thanks for reading. Olivier

2 3

New users can't log in with expired passwords
by Aram Akhavan 04 Jun '26

04 Jun '26

As documented in https://www.freeipa.org/page/New_Passwords_Expired I can see that when an admin creates a new user or resets a password, it is immediately expired. Users can log in and immediately change it. However, I'm unable to get that to work whether from the web gui, ssh, or anything else. I've created a test user with admin privileges; it's password is expired. I try logging into the web UI, and it says "The password or username you entered is incorrect", nothing about an expired password (I know the password is right!). The response header of the GUI POST request has X-IPA-Rejection-Reason: invalid-password, not X-IPA-Rejection-Reason: password-expired as is suggested here: https://github.com/freeipa/freeipa-webui/discussions/29 If I log in to the ipa server with my own user account (which somehow, I managed to create and use without issue...), and try to do an `su test`, I see krb5_child complain: Password has expired. It seems impossible to log in with an expired password. Yet my own user account was created, so presumably I changed some setting but I can't for the life of me figure out what I changed. Thanks for the help!

3 5

Can't renew certs automatically
by Duc Tran Ngoc 04 Jun '26

04 Jun '26

Hello all, When I run "getcert list" cmd, I see these 4 certs that will be expired on 20 days and cannot be renewed automatically. Can anyone help me? Request ID '20260309084023': status: MONITORING ca-error: Server at https://hostname.domain.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'IPA RA' does not match name or aliases of principal 'host/hostname.domain.com(a)DOMAIN.COM'). stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=IPA RA,O=DOMAIN.COM issued: 2024-07-02 08:47:04 UTC expires: 2026-06-22 08:47:04 UTC key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-clientAuth profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20260309084024': status: MONITORING ca-error: Server at https://hostname.domain.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'CA Audit' does not match name or aliases of principal 'host/hostname.domain.com(a)DOMAIN.COM'). stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Audit,O=DOMAIN.COM issued: 2024-07-02 08:46:01 UTC expires: 2026-06-22 08:46:01 UTC key usage: digitalSignature,nonRepudiation profile: caSignedLogCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20260309084025': status: MONITORING ca-error: Server at https://hostname.domain.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'OCSP Subsystem' does not match name or aliases of principal 'host/hostname.domain.com(a)DOMAIN.COM'). stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=OCSP Subsystem,O=DOMAIN.COM issued: 2024-07-02 08:45:43 UTC expires: 2026-06-22 08:45:43 UTC eku: id-kp-OCSPSigning profile: caOCSPCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20260309084026': status: MONITORING ca-error: Server at https://hostname.domain.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'CA Subsystem' does not match name or aliases of principal 'host/hostname.domain.com(a)DOMAIN.COM'). stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Subsystem,O=DOMAIN.COM issued: 2024-07-02 08:45:55 UTC expires: 2026-06-22 08:45:55 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-clientAuth profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes

3 4

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2026