On 01-10-2020 20:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739 ipa-getcert resubmit -i 20181127141749 ipa-getcert resubmit -i 20181127141750 ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
That conflicts with a remark from Florence in a thread with the subject "Replica not renewing IPA certificates" in January this year on this mailing list.
"Since you are hitting the issue 8164, you can manually force the renewal on the replica (once the CA renewal master has actually renewed the cert) with getcert resubmit."
and the feedback from Roderick was
"Thank you very much! The getcert resubmit has successfully renewed all the certificates in need of renewal."
I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?
And, if not, how is the renewal re-triggered (assuming I have manually patched /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie problem). Restarting certmonger did not help. Restarting all of IPA did not help. -- Kees
The cookie error was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1788907
A description of what is happening is at https://github.com/freeipa/freeipa/commit/b5b9efeb57c010443c33c6f14f831abdbd...
Try restarting certmonger.
rob
On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote:
**** EXTERNAL E-MAIL ****
On the non-renewal masters there are 4 certificates that show "ca-error: Invalid cookie: u''"
Request ID '20181127141739': ca-error: Invalid cookie: u'' subject: CN=IPA RA,O=GHS.NL expires: 2020-10-26 20:15:48 UTC Request ID '20181127141749': ca-error: Invalid cookie: u'' subject: CN=CA Audit,O=GHS.NL expires: 2020-10-26 20:15:32 UTC Request ID '20181127141750': ca-error: Invalid cookie: u'' subject: CN=OCSP Subsystem,O=GHS.NL expires: 2020-10-26 20:15:31 UTC Request ID '20181127141751': ca-error: Invalid cookie: u'' subject: CN=CA Subsystem,O=GHS.NL expires: 2020-10-26 20:15:32 UTC
All of them are "system certificates" that are already renewed on the CA Renewal Master.
How do I get these renewed? I don't like to run whatever command, because I'm too scared to break the system for good. -- Kees
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters, one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved. sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved. sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved. sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0 sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u'' sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u'' sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u'' sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''
[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u'' sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u'' sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u'' sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters started tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available"
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6 The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
hi,
after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble.
[root@kdc2 ~]# ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED named Service: STOPPED httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: STOPPED pki-tomcatd Service: RUNNING smb Service: STOPPED winbind Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED ipa: INFO: The ipactl command was successful
and after digging in the logs I come across this in /var/log/ipaupgrade.log:
2019-11-20T18:18:29Z DEBUG stderr= 2019-11-20T18:18:31Z INFO Certmonger certificate renewal configuration already up-to-date 2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery and validation] 2019-11-20T18:18:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2019-11-20T18:18:31Z INFO PKIX already enabled 2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles] 2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage lightweight CAs] 2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists in Dogtag database] 2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740162547472 2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache 2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638> 2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740162547472 2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration] 2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP] 2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740160021648 2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache 2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00> 2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740160021648 2019-11-20T18:18:31Z DEBUG request GET https://kdc2.l.domain.it:8443/ca/rest/account/login 2019-11-20T18:18:31Z DEBUG request body '' 2019-11-20T18:18:31Z DEBUG response status 401 2019-11-20T18:18:31Z DEBUG response headers Server: Apache-Coyote/1.1 Cache-Control: private Expires: Thu, 01 Jan 1970 01:00:00 CET WWW-Authenticate: Basic realm="Certificate Authority" Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 951 Date: Wed, 20 Nov 2019 18:18:31 GMT
2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>' 2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2019-11-20T18:18:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API 2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
In this kdc I see these errors in getcert list:
Request ID '20190220182014': status: MONITORING ca-error: Invalid cookie: u'' stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=L.DOMAIN.IT http://L.DOMAIN.IT subject: CN=CA Audit,O=L.DOMAIN.IT http://L.DOMAIN.IT expires: 2019-12-05 13:58:24 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190220182015': status: MONITORING ca-error: Invalid cookie: u'' stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=L.DOMAIN.IT http://L.DOMAIN.IT subject: CN=OCSP Subsystem,O=L.DOMAIN.IT http://L.DOMAIN.IT expires: 2019-12-05 13:58:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190220182016': status: MONITORING ca-error: Invalid cookie: u'' stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=L.DOMAIN.IT http://L.DOMAIN.IT subject: CN=CA Subsystem,O=L.DOMAIN.IT http://L.DOMAIN.IT expires: 2019-12-05 13:58:24 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190220182018': status: MONITORING ca-error: Invalid cookie: u'' stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=L.DOMAIN.IT http://L.DOMAIN.IT subject: CN=IPA RA,O=L.DOMAIN.IT http://L.DOMAIN.IT expires: 2019-12-05 13:58:44 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20190220182019': status: MONITORING ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=L.DOMAIN.IT http://L.DOMAIN.IT subject: CN=kdc2.l.domain.it http://kdc2.l.domain.it,O=L.DOMAIN.IT http://L.DOMAIN.IT expires: 2019-12-10 10:57:52 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes
I still have a working replica, so I could just reinstall and have a working set in a couple of minutes, but I would like to find out what has gone wrong.
The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
Any help welcome ;-)
Thanks,
-- Groeten, natxo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...