Hi all,
I'm having serious issues with our FreeIPA setup and I need some direction.
Our FreeIPA setup had two master-replicas. Late last month one of the hypervisors at OVH died, they replaced hardware but the server is having issues so hasn't come up yet. So for all matters, one master-replica is dead. The original master was configured with letsencrypt-freeipa which failed to renew certificates.
There are around 10 clients connected to it, and several services authenticate against it. One for example is Gitlab, but I am still able to login to Gitlab. Another example: we have a number of pfSense routers that also use LDAP auth and that always fails; we had to fall back to the local admin user. One of the most critical services is the DNS. When DNS goes down, everything goes down, including email. This is currently one of the most critical services.
ipactl always fails. I have to manually start the services using systemctl, like `systemctl start {named-pkcs11,httpd,ipa-custodia,ipa-dnskeysyncd,ipa-ods-exporter,ods-enforcerd,krb5kdc,kadmin}`
getcert list returns 7 certificates, all MONITORING, none expired.
```
# getcert list -d /etc/httpd/alias -n ipaCert
No request found that matched arguments.
```
I can run ldap commands on the cli.
ALL ipa commands fail:
```
# ipa userlist
ipa: ERROR: cannot connect to 'any of the configured servers': https://main.domain.io/ipa/json, https://secondary.domain.io/ipa/json
```
```
# certutil -L -d /etc/httpd/alias

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

DSTRootCAX3                          C,,
CN=main.domain.io                    u,u,u
letsencryptx3                        C,,
letsencryptx3                        C,,
ISRGRootCAX1                         C,,
DOMAIN.IO IPA CA                     CT,C,
```
the ipa-cert-fix command with increased verbosity:
```
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n storageCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
```
I thought this command was to fix the certificates, so I don't get why it fails if one certificate is missing. But anyway, can someone PLEASE give me some help? I'm not great with certificates and I'm not able to fix this.
If there's a way of creating a new master from start and then importing the data, that would be nice, but looking at ipa-backup/restore it clearly says it has to be the same server.
```
# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
DSTRootCAX3                          C,,
auditSigningCert cert-pki-ca         u,u,Pu
Server-Cert cert-pki-ca              u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
letsencryptx3                        C,,
letsencryptx3                        C,,
ISRGRootCAX1                         C,,
```
On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:
> # certutil -d /etc/pki/pki-tomcat/alias -L
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca          u,u,u
> subsystemCert cert-pki-ca            u,u,u
> DSTRootCAX3                          C,,
> auditSigningCert cert-pki-ca         u,u,Pu
> Server-Cert cert-pki-ca              u,u,u
> caSigningCert cert-pki-ca            CTu,Cu,Cu
> letsencryptx3                        C,,
> letsencryptx3                        C,,
> ISRGRootCAX1                         C,,
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,
ipa-cert-fix man page explicitly states that it cannot renew certificates signed by external CAs:

----- 8< -----
This tool cannot renew certificates signed by external CAs. To install new, externally-signed HTTP, LDAP or KDC certificates, use ipa-server-certinstall(1).
----- >8 -----

In your case, you need to use the ipa-server-certinstall command to replace the expired letsencrypt certs:
- change the date on the server to a date when the certificate was still valid
- start IPA services (except ntpd/chronyd, otherwise the date will be reset)
- use ipa-server-certinstall as described in "Installing Third-Party Certificates for HTTP or LDAP" [1] with the new certificates
- set the date back to the real current date

A few additional tips:
- when some services fail to start and trigger the shutdown of the whole IPA stack, you can use the --ignore-service-failures option of ipactl:
  # ipactl start --ignore-service-failures
- ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Hi Florence,
Thank you so much for your reply.
I have some questions regarding your instructions.
1. ipactl start --ignore-service-failures doesn't work, it leaves most services down and I must use systemctl to bring them up.
```
# sudo ipactl restart --ignore-service-failures
IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ods-enforcerd Service
Stopping ipa-ods-exporter Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
```
then I have to start manually using the systemctl command I put before.
Also is there a way to use ipactl to start manually a specified service?
2. what procedure should I use to get a ssl.crt?
```
# find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
#
```
I think I was using the wrong letsencrypt-freeipa. I was using the one here https://github.com/antevens/letsencrypt-freeipa but now I see there's another here https://github.com/freeipa/freeipa-letsencrypt with more recent updates. How do I "replace" them? Many thanks!!
Ricardo Mendes via FreeIPA-users wrote:
> Hi Florence,
>
> Thank you so much for your reply.
>
> I have some questions regarding your instructions.
>
> - ipactl start --ignore-service-failures doesn't work, it leaves most services down and I must use systemctl to bring them up.
>
> # sudo ipactl restart --ignore-service-failures
> IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
> Stopping ipa-dnskeysyncd Service
> Stopping ods-enforcerd Service
> Stopping ipa-ods-exporter Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ntpd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
>
> then I have to start manually using the systemctl command I put before.

It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.

> Also is there a way to use ipactl to start manually a specified service?

No.

> - what procedure should I use to get a ssl.crt?
>
> # find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
> #

ssl.crt is just a generic name, IPA doesn't use it. Each certificate that IPA issues has its own unique name. You'd need to look per-service where the certificate is stored and what it is named. The certmonger output will help with this:

```
# getcert list
```

Note that this will include the certificates used by the IPA CA.

> I think I was using the wrong letsencrypt-freeipa I was using the one here https://github.com/antevens/letsencrypt-freeipa but now I see there's another here https://github.com/freeipa/freeipa-letsencrypt with more recent updates. How do I "replace" them?

These are just two different wrappers around let's encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS). The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

rob
Hi Rob,
Thanks a lot for your reply.
> It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:
```
# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
```
I did as Florence said and set the time back. Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh
It shows some errors like, I am including the full output here: https://pastebin.com/S07vqXLy
In the end has this:
```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
```

> These are just two different wrappers around let's encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS). The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if someone is using an up to date version of freeipa and Florence mentioned

> - ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been edited in over a year, is it supposed to work? Or is it not compliant with the latest IPA versions?
Btw, after setup-le.sh finished I set the time back and rebooted the server. It seems like now it's not coming up at all ..... I'll have to VNC to it and see what happened....
Ok so I don't know what happened the server really did take a long time to come up but it did.
Everything looks pretty much the same. The setup-le.sh command I ran that said
The ipa-certupdate command was successful
But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check. When I go to web I still see the old expired certificate from May 21st.
I tried to run renew-le and I get this error:
```
# bash renew-le.sh
Error opening Certificate /var/lib/ipa/certs/httpd.crt
140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
```
Ricardo Mendes via FreeIPA-users wrote:
> Ok so I don't know what happened the server really did take a long time to come up but it did.
>
> Everything looks pretty much the same. The setup-le.sh command I ran that said
>
> The ipa-certupdate command was successful
>
> But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check When I go to web I still see the old expired certificate from May 21st.
>
> I tried to run renew-le and I get this error:
>
> # bash renew-le.sh
> Error opening Certificate /var/lib/ipa/certs/httpd.crt
> 140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
> 140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
> unable to load certificate

That's the incompatibilities I mentioned. I think if you pop the top one or two commits off then it will start to work again. Look for a commit that's like "switch to mod_ssl" and pop that off.
rob
Hi Rob,
Again thanks for your reply. So I went to the commit that lasted from 2017 and re-ran setup-le.sh. Output is here:
In the end I get this error:
```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
```
If I try renew-le
```
# bash renew-le.sh
certutil: could not find certificate named "Server-Cert": PR_FILE_NOT_FOUND_ERROR: File not found
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
```
(btw https://lists.fedoraproject.org is down)
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote:
> Hi Rob,
>
> Thanks a lot for your reply.
>
> > It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.
>
> Amazing! So I turned back the clock and:
>
> # ipactl restart --ignore-service-failure --skip-version-check
> Skipping version check
> Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting httpd Service
> Restarting ipa-custodia Service
> Restarting ntpd Service
> Restarting pki-tomcatd Service
> Failed to restart pki-tomcatd Service
> Forced restart, ignoring pki-tomcatd Service, continuing normal operation
> Restarting ipa-otpd Service
> Restarting ipa-ods-exporter Service
> Restarting ods-enforcerd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> I did as Florence said and set the time back. Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh
>
> It shows some errors like, I am including the full output here: https://pastebin.com/S07vqXLy
>
> In the end has this:
>
> ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
> ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
> ipapython.admintool: INFO: The ipa-certupdate command was successful
> Error opening Private Key /var/lib/ipa/private/httpd.key
> 139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
> 139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
> unable to load Private Key

The version of freeipa-letsencrypt that you are using is written for IPA 4.7+, with httpd's private key stored in /var/lib/ipa/private/httpd.key.
From your earlier messages it looks like you're using ipa 4.6, meaning that httpd is configured with mod_nss (ie getting its cert/key from a NSS database) instead of mod_ssl (ie getting its cert/key from a file). In this case you should use an earlier version of freeipa-letsencrypt, before the following commit: cfaf511 Move from mod_nss to mod_ssl
HTH, flo
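
The layout difference Florence describes (mod_nss with an NSS database on IPA 4.6, mod_ssl with key and certificate files on 4.7+) can be checked before picking a freeipa-letsencrypt revision. This is an added example, not part of the thread or of freeipa-letsencrypt; the function names and the ROOT prefix argument are hypothetical, and treating the presence of httpd.key and httpd.crt as the sign of a mod_ssl layout is an assumption.

```shell
#!/bin/sh
# Added example: preflight check to run before a freeipa-letsencrypt script.
# Paths and the commit id come from the thread; ROOT is a hypothetical prefix
# argument so the check can be pointed at a sandbox tree instead of "/".

NSS_DB_REL="etc/httpd/alias"               # mod_nss: cert/key in an NSS database
KEY_REL="var/lib/ipa/private/httpd.key"    # mod_ssl: key in a file
CRT_REL="var/lib/ipa/certs/httpd.crt"      # mod_ssl: cert in a file

# Print "mod_ssl", "mod_nss" or "unknown" for the tree under ROOT ($1).
httpd_tls_backend() {
    root="${1:-/}"; root="${root%/}"
    if [ -f "$root/$KEY_REL" ] && [ -f "$root/$CRT_REL" ]; then
        echo mod_ssl; return 0
    fi
    # NSS databases are cert8.db (dbm format) or cert9.db (sql format).
    for db in cert8.db cert9.db; do
        if [ -f "$root/$NSS_DB_REL/$db" ]; then echo mod_nss; return 0; fi
    done
    echo unknown
}

# Exit 0 if VERSION ($1) is 4.7 or later, 1 if older, 2 if it cannot be parsed.
# Accepts package-style strings such as 4.6.6-11.el7.centos.
ipa_version_uses_mod_ssl() {
    ver="${1%%-*}"                          # drop the package release suffix
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major="${ver%%.*}"; minor="${ver#*.}"; minor="${minor%%.*}"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# Print the revision family that fits ROOT ($1) and VERSION ($2):
# "current" (mod_ssl, cfaf511 and later), "pre-cfaf511" (mod_nss), or
# "conflict" when the version and the on-disk layout disagree.
le_revision_for() {
    backend=$(httpd_tls_backend "$1")
    rc=0; ipa_version_uses_mod_ssl "$2" || rc=$?
    case "$rc" in 0) want=mod_ssl ;; 1) want=mod_nss ;; *) want=unknown ;; esac
    if [ "$backend" != "$want" ] || [ "$want" = unknown ]; then
        echo conflict; return 1
    fi
    if [ "$want" = mod_ssl ]; then echo current; else echo pre-cfaf511; fi
}

# Demo on a constructed sandbox shaped like the host in the thread:
# IPA 4.6 with a dbm NSS database and no httpd.key/httpd.crt files.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/$NSS_DB_REL"
    : > "$sandbox/$NSS_DB_REL/cert8.db"
    echo "backend:  $(httpd_tls_backend "$sandbox")"
    echo "revision: $(le_revision_for "$sandbox" 4.6.6-11.el7.centos)"
    rm -rf "$sandbox"
}
demo
```

On a real server, call `le_revision_for / "<installed IPA version>"`; a `conflict` result means the script would look for key material in a place this host does not use.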
Hi Florence,
Thank you for your reply. Rob had pointed me in that direction but now when I try to run the setup-le script with that version I get the following error:
```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
```
And the correct setup of certificates fails.
Using the freeipa-letsencrypt commit 601f03b before "Move from mod_nss to mod_ssl". Not sure what to do next.
On 11/06/2020 08:31, Florence Blanc-Renaud wrote:
> The version of freeipa-letsencrypt that you are using is written for IPA 4.7+, with httpd's private key stored in /var/lib/ipa/private/httpd.key.
>
> From your earlier messages it looks like you're using ipa 4.6, meaning that httpd is configured with mod_nss (ie getting its cert/key from a NSS database) instead of mod_ssl (ie getting its cert/key from a file). In this case you should use an earlier version of freeipa-letsencrypt, before the following commit: cfaf511 Move from mod_nss to mod_ssl
>
> HTH, flo