Hello,
[root@srv01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu subsystemCert cert-pki-ca u,u,u Certificate Authority - EXAMPLE.COM CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu [root@ds01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Certificate Authority - EXAMPLE.COM' | grep -i after Not After : Thu Aug 03 19:28:18 2034
Is "Certificate Authority - EXAMPLE.COM" valid entry here? this Not After date is of our older CA certificate, which we was replaced couple years ago. can this entry be deleted?
the "caSigningCert cert-pki-ca" is the current CA with valid dates.
thank you for your help. Rgwards, Bhavin
________________________________ From: Bhavin Vaidya via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: Monday, March 23, 2020 1:28 PM To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Bhavin Vaidya bvaidya@hotmail.com Subject: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help
Hello,
We carried out following steps, but certificates will still not renew.
stop ntpd fall back to 2018-05-11 (Mar 11th, 2018) ipactl stop started all but ntpd service manually systemctl restart certomonger
Waited for more than an hour, but certificates still didn't get update. Now our other IPA server's some certiicated also expired.
I'm seeing 2 IPA certificates in following output, as earlier we had issue with loosing master CA server and we retain older certificate it seems.
Can this be an issue?
[root@srv01 log]# /usr/bin/certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
EXAMPLE.COM IPA CA-0 CT,C,C
EXAMPLE.COM IPA CA CT,C,C
[root@srv01 log]#
[root@srv01 ~]# certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert CTu,Cu,Cu
EXAMPLE.COM IPA CA CT,C,C
[root@srv01 ~]#
thank you for your support. regards, Bhavin
________________________________ From: Florence Blanc-Renaud flo@redhat.com Sent: Tuesday, March 17, 2020 4:26 AM To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Bhavin Vaidya bvaidya@hotmail.com Subject: Re: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help
On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote:
Hello Flo,
thank you for your response.
[root@srv01 ~]# ipa config-show | grep renewal IPA CA renewal master: srv01.arteris.com
We followed following step, but Certificates will not renew.
Stopped NTP and went back to 2018-05-11 systemctl restart certmonger.service
no luck, so we did
Stopped NTP and went back to 2018-05-11 systemctl restart certmonger.service stopped FreeIPA - ipactl stop Started services manually as per this RedHat doc https://access.redhat.com/solutions/3146271. getcert list ---- shows either SUBMITTING, CA_UNREACHABLE or NEED_TO_SUBMIT
Hi, you need to wait a while for certmonger to renew all the certs. As the new output shows, some progress was made: the LDAP certificate was renewed. You can try: getcert resubmit -i 20180315021503 then wait for the RA cert to move to MONITORING and do the same for each cert that needs to be renewed (resubmit, wait for the cert to move to MONITORING, etc...).
flo
[root@srv01 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20180228053337':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=srv01.example.com,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2021-01-11 21:56:57 UTC
principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180315021457':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-02-25 04:27:49 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021500':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:28:38 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021501':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent-reuse
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021503':
status: CA_UNREACHABLE
ca-error: Error 28 connecting to https://srv01.example.com:8443/ca/agent/ca/profileReview: Timeout was reached.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180315021505':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-05-12 01:41:53 UTC
principal name: ldap/srv01.example.com@EXAMPLE.COM mailto:ldap/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180315021510':
status: NEED_TO_SUBMIT
ca-error: Server at https://srv01.example.com/ipa/xmlfailed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:Peer's Certificate has expired.).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:51 UTC
principal name: HTTP/srv01.example.com@EXAMPLE.COM mailto:HTTP/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Thank you and with regards, Bhavin
*From:* Florence Blanc-Renaud flo@redhat.com *Sent:* Tuesday, March 17, 2020 1:17 AM *To:* FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc:* Bhavin Vaidya bvaidya@hotmail.com *Subject:* Re: [Freeipa-users] Expired Certificates, rolling back time didn't help On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote:
Hello,
We had similar issue 2 yrs back, and resurface as it didn't auto-renew. Went back in time to 2016-06-11 as well as 2020-02-20, restarted "certmonger", didn't update.
Hi,
you need to check first which server is your renewal master:
$ kinit admin
$ ipa config-show | grep renewal
The output should display the name of the renewal master. This host is the first server that needs to be fixed.
In the getcert list output that you provided, we can see that:
- the PKI certificates shared between the servers expired on 2020-02-25
(auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-ki-ca)
the CA cert is still valid
the RA cert expired on 2018-06-15
the HTTP and LDAP server certs expired on 2020-03-07
You need to carefully pick the date you go back in time: at that given date, all the certs must be valid (not expired yet but *already valid*). From your output, the date needs to be before 2018-06-15 but after 2018-03-08 (=the validFrom date for the PKI certs).
HTH,
flo
FreeIPA Master:*CentOS 7.4.1708, FreeIPA Version: **4.5.0, API_VERSION: 2.228*
whileipactl start, it will not start pki-tomcat with message,pki-tomcatd Service: STOPPED.
Referring toRob's blog https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
[root@srv01 ~]# curl --cacert /etc/ipa/ca.crt -v[https://%60hostname%60:8443/ca/ww/ca/getCertChain%5Dhttps://%60hostname%60:8...
- About to connect() to srv01.example.com port 8443 (#0)
*Trying 192.168.10.146...
Connected to srv01.example.com (192.168.10.146) port 8443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
*CAfile: /etc/ipa/ca.crt
CApath: none
- Server certificate:
*subject: CN=srv01.example.com,O=EXAMPLE.COM
*start date: Dec 26 21:02:44 2016 GMT
*expire date: Dec 16 21:02:44 2018 GMT
*common name: srv01.example.com
*issuer: CN=Certificate Authority,O=EXAMPLE.COM
NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.
Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here:http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the defaultbundle file isn't adequate, you can specify an alternate fileusing the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented inthe bundle, the certificate verification probably failed due to aproblem with the certificate (it might be expired, or the name mightnot match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, usethe -k (or --insecure) option.
While, CA cert check asper https://www.freeipa.org/page/V4/CA_certificate_renewal,
[root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
We also have few others certificates, which are not renewed.
[root@srv01 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20180228053337':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=srv01.example.com,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2021-01-11 21:56:57 UTC
principal name:krbtgt/EXAMPLE.COM@EXAMPLE.COM mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180315021457':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-02-25 04:27:49 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021500':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:28:38 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021501':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021503':
status: CA_UNREACHABLE
ca-error: Error 60 connecting tohttps://srv01.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180315021505':
status: CA_UNREACHABLE
ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, will retry: 4016 (RPC failed at server.Failed to authenticate to CA REST API).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwd
file.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:36 UTC
principal name:ldap/srv01.example.com@EXAMPLE.COM mailto:ldap/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180315021510':
status: CA_UNREACHABLE
ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, will retry: 4016 (RPC failed at server.Failed to authenticate to CA REST API).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:51 UTC
principal name:HTTP/srv01.example.com@EXAMPLE.COM mailto:HTTP/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
thank you for your help. Bhavin
FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org