[Freeipa-users] Let's Encrypt along with FreeIPA
Joseph Flynn
jjflynn22 at gmail.com
Mon Dec 5 16:58:59 UTC 2016
Thank you Tomas, those two do seem to be the same. I will try a fresh VM
(is there a particular distribution that you've had the best luck with?)
and try again.
sudo openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.pem | grep 'Subject:'
sudo openssl x509 -text -in /root/ipa-le/ca/LetsEncryptAuthorityX3.pem | grep 'Issuer:'
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
[jjflynn22 at ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
DSTRootCAX3                                                  C,,
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
KKGPITT.ORG IPA CA                                           CT,C,C
On Mon, Dec 5, 2016 at 11:51 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
> Please keep freeipa-users at redhat.com in CC.
>
> On 12/05/2016 05:23 PM, Joseph Flynn wrote:
>
> By the way Tomas, can you recommend a good read to better understand how
> all of these certs play together in an architecture like this? I'm quite
> confident in Linux usage and admin but must admit this is not quite clear to
> me.
>
> The chain of trust on the Let's Encrypt side is explained in
> https://letsencrypt.org/certificates/ On the FreeIPA side, there are some
> articles on our wiki page related to Public Key Infrastructure, for example
> http://www.freeipa.org/page/PKI
>
>
> On Mon, Dec 5, 2016 at 11:19 AM, Joseph Flynn <jjflynn22 at gmail.com> wrote:
>
>> Thank you for responding Tom.
>>
>> I created the CentOS 7 VM earlier in the week and did its updates and set
>> the hostnames, etc and took a snapshot. I also tried on Ubuntu first but
>> that had too many install hiccups.
>>
>> From that snapshot I have tried several times with the same results as
>> recently as yesterday.
>>
>> Here is the output of your suggestion:
>>
>> [jjflynn22 at ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L
>> [sudo] password for jjflynn22:
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> DSTRootCAX3                                                  C,,
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> KKGPITT.ORG IPA CA                                           CT,C,C
>>
> This seems correct, however this information can be misleading if
> DSTRootCAX3 was installed in FreeIPA before.
>
> The last thing I can think of is to verify that the Subject Field of
> DSTRootCAX3 is in fact the same as the Issuer Field in the LetsEncryptAuthorityX3
> certificate. I've checked the ones that are used in the git repo and they
> are correct, so I can't see how this could be the issue, but just to verify:
>
> openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.pem | grep 'Subject:'
> openssl x509 -text -in /root/ipa-le/ca/LetsEncryptAuthorityX3.pem | grep 'Issuer:'
>
> If that doesn't reveal any difference, I'd suggest attempting to reproduce
> the issue with a clean environment (new VM) and if you still encounter the
> same problem, please open an issue and provide as much information as
> possible, including software versions.
> https://github.com/freeipa/freeipa-letsencrypt/issues
>
>
>>
>> Joe
>>
>>
>>
>> On Mon, Dec 5, 2016 at 10:35 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>>
>>>
>>>
>>> On 12/05/2016 12:25 AM, Joseph Flynn wrote:
>>>
>>> Sorry if this is not the appropriate forum for discussing this topic.
>>>
>>> I have installed a FreeIPA system on CentOS 7 and am trying to get the
>>> Let's Encrypt scripts to work as defined in
>>> https://github.com/freeipa/freeipa-letsencrypt
>>>
>>> I had to tinker with a combination of enabling/disabling EPEL and this
>>> new tool DNF that I am not too familiar with but eventually got the script
>>> to run.
>>>
>>> It is ending with the following error:
>>>
>>> ipa: INFO: Systemwide CA database updated.
>>>> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate
>>>> command was successful
>>>> Directory Manager password:
>>>>
>>>> Installing CA certificate, please wait
>>>> Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's
>>>> Certificate issuer is not recognized. (visit
>>>> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>>>>
>>>>
>>> Does anyone recognize this situation?
>>>
>>> I have installed this on a VirtualBox client in Bridge Network mode.
>>> Prior to trying to use a real certificate, I could access the FreeIPA UI
>>> from Firefox on both the VM and other computers in the home. I've gotten a
>>> domain name and have that domain name pointed to my home router with a
>>> handful of ports (those listed at the end of the FreeIPA install) forwarded
>>> to my VM.
>>>
>>> For completeness, I have included the history below along with the full
>>> output including a couple of highlighted areas that could be errors.
>>>
>>> Thanks for any assistance from anyone who might notice an error in my
>>> ways.
>>> Joe
>>>
>>>
>>> History:
>>> 1 ifconfig -a
>>> 2 sudo yum -y update
>>> 3 cat /etc/hostname
>>> 4 sudo echo 192.168.1.201 ipa-1.kkgpitt.org ipa-1 >> /etc/hosts
>>> 5 sudo vi /etc/hosts
>>> 7 sudo reboot now
>>> 8 hostname
>>> 9 ifconfig -a
>>> 11 sudo visudo
>>> 12 sudo ls # just to set pw
>>> 13 sudo yum install epel-release -y
>>> 14 sudo yum install -y haveged
>>> 15 sudo systemctl start haveged.service
>>> 16 sudo ipa-server-install
>>> 17 kinit admin
>>> 18 firewall-cmd --permanent --add-service=ntp
>>> 19 firewall-cmd --permanent --add-service=http
>>> 20 firewall-cmd --permanent --add-service=https
>>> 21 firewall-cmd --permanent --add-service=ldap
>>> 22 firewall-cmd --permanent --add-service=ldaps
>>> 23 firewall-cmd --permanent --add-service=kerberos
>>> 24 firewall-cmd --permanent --add-service=kpasswd
>>> 26 sudo authconfig --enablemkhomedir --update
>>> 27 sudo chkconfig sssd on
>>> 28 git config --global user.name "Joe Flynn"
>>> 29 git config --global user.email "jjflynn22 at gmail.com"
>>> 30 mkdir ~/.ssh
>>> 31 cd ~/.ssh
>>> 32 vi id_rsa
>>> 33 vi id_rsa.pub
>>> 34 chmod 700 ~/.ssh
>>> 35 chmod 600 ~/.ssh/*
>>> 36 ssh-add ~/.ssh/id_rsa
>>> 37 sudo yum install -y letsencrypt
>>> 38 sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup
>>> 39 cd ~
>>> 40 git clone https://github.com/freeipa/freeipa-letsencrypt.git
>>> 41 sudo cp -r freeipa-letsencrypt /root/ipa-le
>>> 42 sudo vi /root/ipa-le/renew-le.sh
>>> 43 sudo yum install -y dnf
>>> 44 sudo yum remove -y epel-release
>>> 45 sudo dnf repolist
>>> 46 sudo /root/ipa-le/setup-le.sh
>>> 47 history
>>>
>>>
>>>
>>>> [jjflynn22 at ipa-1 ~]$ sudo visudo
>>>> [sudo] password for jjflynn22:
>>>> [jjflynn22 at ipa-1 ~]$ sudo yum install epel-release -y
>>>> Loaded plugins: fastestmirror, langpacks
>>>> base
>>>> | 3.6 kB 00:00:00
>>>> extras
>>>> | 3.4 kB 00:00:00
>>>> updates
>>>> | 3.4 kB 00:00:00
>>>> Loading mirror speeds from cached hostfile
>>>> * base: repo1.ash.innoscale.net
>>>> * extras: mirrors.advancedhosters.com
>>>> * updates: mirror.cs.vt.edu
>>>> Resolving Dependencies
>>>> --> Running transaction check
>>>> ---> Package epel-release.noarch 0:7-6 will be installed
>>>> --> Finished Dependency Resolution
>>>>
>>>> Dependencies Resolved
>>>>
>>>> ============================================================
>>>> =================================================================
>>>> Package Arch
>>>> Version Repository Size
>>>> ============================================================
>>>> =================================================================
>>>> Installing:
>>>> epel-release noarch
>>>> 7-6 extras 14 k
>>>>
>>>> Transaction Summary
>>>> ============================================================
>>>> =================================================================
>>>> Install 1 Package
>>>>
>>>> Total download size: 14 k
>>>> Installed size: 24 k
>>>> Downloading packages:
>>>> epel-release-7-6.noarch.rpm
>>>> | 14 kB 00:00:00
>>>> Running transaction check
>>>> Running transaction test
>>>> Transaction test succeeded
>>>> Running transaction
>>>> Installing : epel-release-7-6.noarch
>>>>
>>>> 1/1
>>>> Verifying : epel-release-7-6.noarch
>>>>
>>>> 1/1
>>>>
>>>> Installed:
>>>> epel-release.noarch 0:7-6
>>>>
>>>>
>>>>
>>>> Complete!
>>>> [jjflynn22 at ipa-1 ~]$ sudo yum install -y haveged
>>>> Loaded plugins: fastestmirror, langpacks
>>>> epel/x86_64/metalink
>>>> | 13 kB 00:00:00
>>>> epel
>>>> | 4.3 kB 00:00:00
>>>> (1/3): epel/x86_64/updateinfo
>>>> | 676 kB 00:00:00
>>>> (2/3): epel/x86_64/group_gz
>>>> | 170 kB 00:00:00
>>>> (3/3): epel/x86_64/primary_db
>>>> | 4.4 MB 00:00:01
>>>> Loading mirror speeds from cached hostfile
>>>> * base: repo1.ash.innoscale.net
>>>> * epel: ftp.osuosl.org
>>>> * extras: mirror.fusioncloud.co
>>>> * updates: ftp.osuosl.org
>>>> Resolving Dependencies
>>>> --> Running transaction check
>>>> ---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed
>>>> --> Finished Dependency Resolution
>>>>
>>>> Dependencies Resolved
>>>>
>>>> ============================================================
>>>> =================================================================
>>>> Package Arch
>>>> Version Repository Size
>>>> ============================================================
>>>> =================================================================
>>>> Installing:
>>>> haveged x86_64
>>>> 1.9.1-1.el7 epel 61 k
>>>>
>>>> Transaction Summary
>>>> ============================================================
>>>> =================================================================
>>>> Install 1 Package
>>>>
>>>> Total download size: 61 k
>>>> Installed size: 181 k
>>>> Downloading packages:
>>>> warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm:
>>>> Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
>>>> Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed
>>>> haveged-1.9.1-1.el7.x86_64.rpm
>>>> | 61 kB 00:00:00
>>>> Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
>>>> Importing GPG key 0x352C64E5:
>>>> Userid : "Fedora EPEL (7) <epel at fedoraproject.org>"
>>>> Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
>>>> Package : epel-release-7-6.noarch (@extras)
>>>> From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
>>>> Running transaction check
>>>> Running transaction test
>>>> Transaction test succeeded
>>>> Running transaction
>>>> Installing : haveged-1.9.1-1.el7.x86_64
>>>>
>>>> 1/1
>>>> Verifying : haveged-1.9.1-1.el7.x86_64
>>>>
>>>> 1/1
>>>>
>>>> Installed:
>>>> haveged.x86_64 0:1.9.1-1.el7
>>>>
>>>>
>>>>
>>>> Complete!
>>>> [jjflynn22 at ipa-1 ~]$ sudo systemctl start haveged.service
>>>> [jjflynn22 at ipa-1 ~]$
>>>> [jjflynn22 at ipa-1 ~]$
>>>> [jjflynn22 at ipa-1 ~]$
>>>> [jjflynn22 at ipa-1 ~]$
>>>> [jjflynn22 at ipa-1 ~]$ sudo ipa-server-install
>>>>
>>>> The log file for this installation can be found in
>>>> /var/log/ipaserver-install.log
>>>> ============================================================
>>>> ==================
>>>> This program will set up the IPA Server.
>>>>
>>>> This includes:
>>>> * Configure a stand-alone CA (dogtag) for certificate management
>>>> * Configure the Network Time Daemon (ntpd)
>>>> * Create and configure an instance of Directory Server
>>>> * Create and configure a Kerberos Key Distribution Center (KDC)
>>>> * Configure Apache (httpd)
>>>>
>>>> To accept the default shown in brackets, press the Enter key.
>>>>
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled
>>>> in favor of ntpd
>>>>
>>>> Do you want to configure integrated DNS (BIND)? [no]:
>>>>
>>>> Enter the fully qualified domain name of the computer
>>>> on which you're setting up server software. Using the form
>>>> <hostname>.<domainname>
>>>> Example: master.example.com.
>>>>
>>>>
>>>> Server host name [ipa-1.kkgpitt.org]:
>>>>
>>>> The domain name has been determined based on the host name.
>>>>
>>>> Please confirm the domain name [kkgpitt.org]:
>>>>
>>>> The kerberos protocol requires a Realm name to be defined.
>>>> This is typically the domain name converted to uppercase.
>>>>
>>>> Please provide a realm name [KKGPITT.ORG]:
>>>> Certain directory server operations require an administrative user.
>>>> This user is referred to as the Directory Manager and has full access
>>>> to the Directory for system management tasks and will be added to the
>>>> instance of directory server created for IPA.
>>>> The password must be at least 8 characters long.
>>>>
>>>> Directory Manager password:
>>>> Password (confirm):
>>>>
>>>> The IPA server requires an administrative user, named 'admin'.
>>>> This user is a regular system account used for IPA server
>>>> administration.
>>>>
>>>> IPA admin password:
>>>> Password (confirm):
>>>>
>>>>
>>>> The IPA Master Server will be configured with:
>>>> Hostname: ipa-1.kkgpitt.org
>>>> IP address(es): 192.168.1.201
>>>> Domain name: kkgpitt.org
>>>> Realm name: KKGPITT.ORG
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>>
>>>> The following operations may take some minutes to complete.
>>>> Please wait until the prompt is returned.
>>>>
>>>> Configuring NTP daemon (ntpd)
>>>> [1/4]: stopping ntpd
>>>> [2/4]: writing configuration
>>>> [3/4]: configuring ntpd to start on boot
>>>> [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>> [1/42]: creating directory server user
>>>> [2/42]: creating directory server instance
>>>> [3/42]: adding default schema
>>>> [4/42]: enabling memberof plugin
>>>> [5/42]: enabling winsync plugin
>>>> [6/42]: configuring replication version plugin
>>>> [7/42]: enabling IPA enrollment plugin
>>>> [8/42]: enabling ldapi
>>>> [9/42]: configuring uniqueness plugin
>>>> [10/42]: configuring uuid plugin
>>>> [11/42]: configuring modrdn plugin
>>>> [12/42]: configuring DNS plugin
>>>> [13/42]: enabling entryUSN plugin
>>>> [14/42]: configuring lockout plugin
>>>> [15/42]: creating indices
>>>> [16/42]: enabling referential integrity plugin
>>>> [17/42]: configuring certmap.conf
>>>> [18/42]: configure autobind for root
>>>> [19/42]: configure new location for managed entries
>>>> [20/42]: configure dirsrv ccache
>>>> [21/42]: enable SASL mapping fallback
>>>> [22/42]: restarting directory server
>>>> [23/42]: adding default layout
>>>> [24/42]: adding delegation layout
>>>> [25/42]: creating container for managed entries
>>>> [26/42]: configuring user private groups
>>>> [27/42]: configuring netgroups from hostgroups
>>>> [28/42]: creating default Sudo bind user
>>>> [29/42]: creating default Auto Member layout
>>>> [30/42]: adding range check plugin
>>>> [31/42]: creating default HBAC rule allow_all
>>>> [32/42]: adding entries for topology management
>>>> [33/42]: initializing group membership
>>>> [34/42]: adding master entry
>>>> [35/42]: initializing domain level
>>>> [36/42]: configuring Posix uid/gid generation
>>>> [37/42]: adding replication acis
>>>> [38/42]: enabling compatibility plugin
>>>> [39/42]: activating sidgen plugin
>>>> [40/42]: activating extdom plugin
>>>> [41/42]: tuning directory server
>>>> [42/42]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>>> 30 seconds
>>>> [1/28]: creating certificate server user
>>>> [2/28]: configuring certificate server instance
>>>> [3/28]: stopping certificate server instance to update CS.cfg
>>>> [4/28]: backing up CS.cfg
>>>> [5/28]: disabling nonces
>>>> [6/28]: set up CRL publishing
>>>> [7/28]: enable PKIX certificate path discovery and validation
>>>> [8/28]: starting certificate server instance
>>>> [9/28]: creating RA agent certificate database
>>>> [10/28]: importing CA chain to RA certificate database
>>>> [11/28]: fixing RA database permissions
>>>> [12/28]: setting up signing cert profile
>>>> [13/28]: setting audit signing renewal to 2 years
>>>> [14/28]: restarting certificate server
>>>> [15/28]: requesting RA certificate from CA
>>>> [16/28]: issuing RA agent certificate
>>>> [17/28]: adding RA agent as a trusted user
>>>> [18/28]: authorizing RA to modify profiles
>>>> [19/28]: configure certmonger for renewals
>>>> [20/28]: configure certificate renewals
>>>> [21/28]: configure RA certificate renewal
>>>> [22/28]: configure Server-Cert certificate renewal
>>>> [23/28]: Configure HTTP to proxy connections
>>>> [24/28]: restarting certificate server
>>>> [25/28]: migrating certificate profiles to LDAP
>>>> [26/28]: importing IPA certificate profiles
>>>> [27/28]: adding default CA ACL
>>>> [28/28]: updating IPA configuration
>>>> Done configuring certificate server (pki-tomcatd).
>>>> Configuring directory server (dirsrv). Estimated time: 10 seconds
>>>> [1/3]: configuring ssl for ds instance
>>>> [2/3]: restarting directory server
>>>> [3/3]: adding CA certificate entry
>>>> Done configuring directory server (dirsrv).
>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>> [1/10]: adding sasl mappings to the directory
>>>> [2/10]: adding kerberos container to the directory
>>>> [3/10]: configuring KDC
>>>> [4/10]: initialize kerberos container
>>>> [5/10]: adding default ACIs
>>>> [6/10]: creating a keytab for the directory
>>>> [7/10]: creating a keytab for the machine
>>>> [8/10]: adding the password extension to the directory
>>>> [9/10]: starting the KDC
>>>> [10/10]: configuring KDC to start on boot
>>>> Done configuring Kerberos KDC (krb5kdc).
>>>> Configuring kadmin
>>>> [1/2]: starting kadmin
>>>> [2/2]: configuring kadmin to start on boot
>>>> Done configuring kadmin.
>>>> Configuring ipa_memcached
>>>> [1/2]: starting ipa_memcached
>>>> [2/2]: configuring ipa_memcached to start on boot
>>>> Done configuring ipa_memcached.
>>>> Configuring ipa-otpd
>>>> [1/2]: starting ipa-otpd
>>>> [2/2]: configuring ipa-otpd to start on boot
>>>> Done configuring ipa-otpd.
>>>> Configuring the web interface (httpd). Estimated time: 1 minute
>>>> [1/19]: setting mod_nss port to 443
>>>> [2/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>>>> [3/19]: setting mod_nss password file
>>>> [4/19]: enabling mod_nss renegotiate
>>>> [5/19]: adding URL rewriting rules
>>>> [6/19]: configuring httpd
>>>> [7/19]: configure certmonger for renewals
>>>> [8/19]: setting up ssl
>>>> [9/19]: importing CA certificates from LDAP
>>>> [10/19]: setting up browser autoconfig
>>>> [11/19]: publish CA cert
>>>> [12/19]: creating a keytab for httpd
>>>> [13/19]: clean up any existing httpd ccache
>>>> [14/19]: configuring SELinux for httpd
>>>> [15/19]: create KDC proxy user
>>>> [16/19]: create KDC proxy config
>>>> [17/19]: enable KDC proxy
>>>> [18/19]: restarting httpd
>>>> [19/19]: configuring httpd to start on boot
>>>> Done configuring the web interface (httpd).
>>>> Applying LDAP updates
>>>> Upgrading IPA:
>>>> [1/9]: stopping directory server
>>>> [2/9]: saving configuration
>>>> [3/9]: disabling listeners
>>>> [4/9]: enabling DS global lock
>>>> [5/9]: starting directory server
>>>> [6/9]: upgrading server
>>>> [7/9]: stopping directory server
>>>> [8/9]: restoring configuration
>>>> [9/9]: starting directory server
>>>> Done.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Sample zone file for bind has been created in /tmp/sample.zone.Yjwpca.db
>>>> Restarting the web server
>>>> ============================================================
>>>> ==================
>>>> Setup complete
>>>>
>>>> Next steps:
>>>> 1. You must make sure these network ports are open:
>>>> TCP Ports:
>>>> * 80, 443: HTTP/HTTPS
>>>> * 389, 636: LDAP/LDAPS
>>>> * 88, 464: kerberos
>>>> UDP Ports:
>>>> * 88, 464: kerberos
>>>> * 123: ntp
>>>>
>>>> 2. You can now obtain a kerberos ticket using the command: 'kinit
>>>> admin'
>>>> This ticket will allow you to use the IPA tools (e.g., ipa
>>>> user-add)
>>>> and the web user interface.
>>>>
>>>> Be sure to back up the CA certificates stored in /root/cacert.p12
>>>> These files are required to create replicas. The password for these
>>>> files is the Directory Manager password
>>>> [jjflynn22 at ipa-1 ~]$ kinit admin
>>>> Password for admin at KKGPITT.ORG:
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ntp
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=http
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=https
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ldap
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ldaps
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=kerberos
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=kpasswd
>>>> success
>>>> [jjflynn22 at ipa-1 ~]$ sudo authconfig --enablemkhomedir --update
>>>> [jjflynn22 at ipa-1 ~]$ sudo chkconfig sssd on
>>>> Note: Forwarding request to 'systemctl enable sssd.service'.
>>>> [jjflynn22 at ipa-1 ~]$ git config --global user.name "Joe Flynn"
>>>> [jjflynn22 at ipa-1 ~]$ git config --global user.email "jjflynn22 at gmail.com"
>>>> [jjflynn22 at ipa-1 ~]$ mkdir ~/.ssh
>>>> [jjflynn22 at ipa-1 ~]$ cd ~/.ssh
>>>> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa
>>>> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa.pub
>>>> [jjflynn22 at ipa-1 .ssh]$ chmod 700 ~/.ssh
>>>> [jjflynn22 at ipa-1 .ssh]$ chmod 600 ~/.ssh/*
>>>> [jjflynn22 at ipa-1 .ssh]$ ssh-add ~/.ssh/id_rsa
>>>> Identity added: /home/jjflynn22/.ssh/id_rsa
>>>> (/home/jjflynn22/.ssh/id_rsa)
>>>> [jjflynn22 at ipa-1 .ssh]$ sudo yum install -y letsencrypt
>>>> Loaded plugins: fastestmirror, langpacks
>>>> Loading mirror speeds from cached hostfile
>>>> * base: repo1.ash.innoscale.net
>>>> * epel: mirror.cogentco.com
>>>> * extras: chicago.gaminghost.co
>>>> * updates: mirror.cs.vt.edu
>>>> Resolving Dependencies
>>>> --> Running transaction check
>>>> ---> Package certbot.noarch 0:0.9.3-1.el7 will be installed
>>>> --> Processing Dependency: python2-certbot = 0.9.3-1.el7 for package:
>>>> certbot-0.9.3-1.el7.noarch
>>>> --> Running transaction check
>>>> ---> Package python2-certbot.noarch 0:0.9.3-1.el7 will be installed
>>>> --> Processing Dependency: python2-acme = 0.9.3 for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python2-dialog >= 3.3.0 for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python2-configargparse >= 0.10.0 for
>>>> package: python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-psutil >= 2.1.0 for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-zope-interface for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-zope-component for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-parsedatetime for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-mock for package:
>>>> python2-certbot-0.9.3-1.el7.noarch
>>>> --> Running transaction check
>>>> ---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed
>>>> ---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed
>>>> ---> Package python-zope-component.noarch 1:4.1.0-1.el7 will be
>>>> installed
>>>> --> Processing Dependency: python-zope-event for package:
>>>> 1:python-zope-component-4.1.0-1.el7.noarch
>>>> ---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be
>>>> installed
>>>> ---> Package python2-acme.noarch 0:0.9.3-1.el7 will be installed
>>>> --> Processing Dependency: python-pyrfc3339 for package:
>>>> python2-acme-0.9.3-1.el7.noarch
>>>> --> Processing Dependency: python-ndg_httpsclient for package:
>>>> python2-acme-0.9.3-1.el7.noarch
>>>> ---> Package python2-configargparse.noarch 0:0.10.0-1.el7 will be
>>>> installed
>>>> ---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed
>>>> --> Processing Dependency: dialog for package:
>>>> python2-dialog-3.3.0-6.el7.noarch
>>>> ---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
>>>> --> Running transaction check
>>>> ---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
>>>> ---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be
>>>> installed
>>>> ---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
>>>> ---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
>>>> --> Finished Dependency Resolution
>>>>
>>>> Dependencies Resolved
>>>>
>>>> ============================================================
>>>> =================================================================
>>>> Package Arch
>>>> Version Repository Size
>>>> ============================================================
>>>> =================================================================
>>>> Installing:
>>>> certbot noarch
>>>> 0.9.3-1.el7 epel 16 k
>>>> Installing for dependencies:
>>>> dialog x86_64
>>>> 1.2-4.20130523.el7 base 208 k
>>>> python-ndg_httpsclient noarch
>>>> 0.3.2-1.el7 epel 43 k
>>>> python-parsedatetime noarch
>>>> 1.5-3.el7 epel 61 k
>>>> python-psutil x86_64
>>>> 2.2.1-1.el7 epel 114 k
>>>> python-zope-component noarch
>>>> 1:4.1.0-1.el7 epel 110 k
>>>> python-zope-event noarch
>>>> 4.0.3-2.el7 epel 79 k
>>>> python-zope-interface x86_64
>>>> 4.0.5-4.el7 base 138 k
>>>> python2-acme noarch
>>>> 0.9.3-1.el7 epel 168 k
>>>> python2-certbot noarch
>>>> 0.9.3-1.el7 epel 361 k
>>>> python2-configargparse noarch
>>>> 0.10.0-1.el7 epel 28 k
>>>> python2-dialog noarch
>>>> 3.3.0-6.el7 epel 94 k
>>>> python2-mock noarch
>>>> 1.0.1-9.el7 epel 92 k
>>>> python2-pyrfc3339 noarch
>>>> 1.0-2.el7 epel 13 k
>>>>
>>>> Transaction Summary
>>>> ============================================================
>>>> =================================================================
>>>> Install 1 Package (+13 Dependent packages)
>>>>
>>>> Total download size: 1.5 M
>>>> Installed size: 6.3 M
>>>> Downloading packages:
>>>> (1/14): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm
>>>> | 43 kB 00:00:00
>>>> (2/14): dialog-1.2-4.20130523.el7.x86_64.rpm
>>>> | 208 kB 00:00:00
>>>> (3/14): certbot-0.9.3-1.el7.noarch.rpm
>>>> | 16 kB 00:00:00
>>>> (4/14): python-parsedatetime-1.5-3.el7.noarch.rpm
>>>> | 61 kB 00:00:00
>>>> (5/14): python-psutil-2.2.1-1.el7.x86_64.rpm
>>>> | 114 kB 00:00:00
>>>> (6/14): python-zope-component-4.1.0-1.el7.noarch.rpm
>>>> | 110 kB 00:00:00
>>>> (7/14): python-zope-interface-4.0.5-4.el7.x86_64.rpm
>>>> | 138 kB 00:00:00
>>>> (8/14): python-zope-event-4.0.3-2.el7.noarch.rpm
>>>> | 79 kB 00:00:00
>>>> (9/14): python2-certbot-0.9.3-1.el7.noarch.rpm
>>>> | 361 kB 00:00:00
>>>> (10/14): python2-configargparse-0.10.0-1.el7.noarch.rpm
>>>> | 28 kB 00:00:00
>>>> (11/14): python2-acme-0.9.3-1.el7.noarch.rpm
>>>> | 168 kB 00:00:00
>>>> (12/14): python2-dialog-3.3.0-6.el7.noarch.rpm
>>>> | 94 kB 00:00:00
>>>> (13/14): python2-pyrfc3339-1.0-2.el7.noarch.rpm
>>>> | 13 kB 00:00:00
>>>> (14/14): python2-mock-1.0.1-9.el7.noarch.rpm
>>>> | 92 kB 00:00:00
>>>> ------------------------------------------------------------
>>>> -----------------------------------------------------------------
>>>> Total
>>>> 1.3 MB/s | 1.5 MB 00:00:01
>>>> Running transaction check
>>>> Running transaction test
>>>> Transaction test succeeded
>>>> Running transaction
>>>> Installing : python-zope-interface-4.0.5-4.el7.x86_64       1/14
>>>> Installing : python2-mock-1.0.1-9.el7.noarch                2/14
>>>> Installing : python-parsedatetime-1.5-3.el7.noarch          3/14
>>>> Installing : python-psutil-2.2.1-1.el7.x86_64               4/14
>>>> Installing : python-zope-event-4.0.3-2.el7.noarch           5/14
>>>> Installing : 1:python-zope-component-4.1.0-1.el7.noarch     6/14
>>>> Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch      7/14
>>>> Installing : python2-pyrfc3339-1.0-2.el7.noarch             8/14
>>>> Installing : python2-acme-0.9.3-1.el7.noarch                9/14
>>>> Installing : python2-configargparse-0.10.0-1.el7.noarch    10/14
>>>> Installing : dialog-1.2-4.20130523.el7.x86_64              11/14
>>>> Installing : python2-dialog-3.3.0-6.el7.noarch             12/14
>>>> Installing : python2-certbot-0.9.3-1.el7.noarch            13/14
>>>> Installing : certbot-0.9.3-1.el7.noarch                    14/14
>>>> Verifying : dialog-1.2-4.20130523.el7.x86_64                1/14
>>>> Verifying : certbot-0.9.3-1.el7.noarch                      2/14
>>>> Verifying : python2-configargparse-0.10.0-1.el7.noarch      3/14
>>>> Verifying : python2-pyrfc3339-1.0-2.el7.noarch              4/14
>>>> Verifying : python-zope-interface-4.0.5-4.el7.x86_64        5/14
>>>> Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch       6/14
>>>> Verifying : python-zope-event-4.0.3-2.el7.noarch            7/14
>>>> Verifying : python-psutil-2.2.1-1.el7.x86_64                8/14
>>>> Verifying : python2-acme-0.9.3-1.el7.noarch                 9/14
>>>> Verifying : python2-dialog-3.3.0-6.el7.noarch              10/14
>>>> Verifying : 1:python-zope-component-4.1.0-1.el7.noarch     11/14
>>>> Verifying : python-parsedatetime-1.5-3.el7.noarch          12/14
>>>> Verifying : python2-certbot-0.9.3-1.el7.noarch             13/14
>>>> Verifying : python2-mock-1.0.1-9.el7.noarch                14/14
>>>>
>>>> Installed:
>>>> certbot.noarch 0:0.9.3-1.el7
>>>>
>>>>
>>>>
>>>> Dependency Installed:
>>>> dialog.x86_64 0:1.2-4.20130523.el7
>>>> python-ndg_httpsclient.noarch 0:0.3.2-1.el7
>>>> python-parsedatetime.noarch 0:1.5-3.el7
>>>> python-psutil.x86_64 0:2.2.1-1.el7
>>>> python-zope-component.noarch 1:4.1.0-1.el7
>>>> python-zope-event.noarch 0:4.0.3-2.el7
>>>> python-zope-interface.x86_64 0:4.0.5-4.el7
>>>> python2-acme.noarch 0:0.9.3-1.el7
>>>> python2-certbot.noarch 0:0.9.3-1.el7
>>>> python2-configargparse.noarch 0:0.10.0-1.el7
>>>> python2-dialog.noarch 0:3.3.0-6.el7
>>>> python2-mock.noarch 0:1.0.1-9.el7
>>>> python2-pyrfc3339.noarch 0:1.0-2.el7
>>>>
>>>> Complete!
>>>> [jjflynn22 at ipa-1 .ssh]$
>>>> [jjflynn22 at ipa-1 .ssh]$
>>>> [jjflynn22 at ipa-1 .ssh]$ sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup
>>>> [jjflynn22 at ipa-1 .ssh]$ cd ~
>>>> [jjflynn22 at ipa-1 ~]$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
>>>> Cloning into 'freeipa-letsencrypt'...
>>>> remote: Counting objects: 45, done.
>>>> remote: Compressing objects: 100% (4/4), done.
>>>> remote: Total 45 (delta 0), reused 0 (delta 0), pack-reused 41
>>>> Unpacking objects: 100% (45/45), done.
>>>> [jjflynn22 at ipa-1 ~]$ sudo cp -r freeipa-letsencrypt /root/ipa-le
>>>> [jjflynn22 at ipa-1 ~]$ sudo vi /root/ipa-le/renew-le.sh
>>>> [jjflynn22 at ipa-1 ~]$ sudo yum install -y dnf
>>>> Loaded plugins: fastestmirror, langpacks
>>>> Loading mirror speeds from cached hostfile
>>>> * base: repo1.ash.innoscale.net
>>>> * epel: mirror.cogentco.com
>>>> * extras: mirrors.advancedhosters.com
>>>> * updates: mirror.cs.vt.edu
>>>> Resolving Dependencies
>>>> --> Running transaction check
>>>> ---> Package dnf.noarch 0:0.6.4-2.el7 will be installed
>>>> --> Processing Dependency: python-dnf = 0.6.4-2.el7 for package:
>>>> dnf-0.6.4-2.el7.noarch
>>>> --> Running transaction check
>>>> ---> Package python-dnf.noarch 0:0.6.4-2.el7 will be installed
>>>> --> Processing Dependency: dnf-conf = 0.6.4-2.el7 for package:
>>>> python-dnf-0.6.4-2.el7.noarch
>>>> --> Processing Dependency: python-librepo >= 1.7.5 for package:
>>>> python-dnf-0.6.4-2.el7.noarch
>>>> --> Processing Dependency: python-libcomps >= 0.1.6 for package:
>>>> python-dnf-0.6.4-2.el7.noarch
>>>> --> Processing Dependency: python-hawkey >= 0.5.3 for package:
>>>> python-dnf-0.6.4-2.el7.noarch
>>>> --> Running transaction check
>>>> ---> Package dnf-conf.noarch 0:0.6.4-2.el7 will be installed
>>>> ---> Package python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be
>>>> installed
>>>> --> Processing Dependency: hawkey(x86-64) = 0.5.8-2.git.0.202b194.el7
>>>> for package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>>> --> Processing Dependency: libsolv.so.0(SOLV_1.0)(64bit) for package:
>>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>>> --> Processing Dependency: libsolv.so.0()(64bit) for package:
>>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>>> --> Processing Dependency: libhawkey.so.2()(64bit) for package:
>>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>>> ---> Package python-libcomps.x86_64 0:0.1.6-13.el7 will be installed
>>>> --> Processing Dependency: libcomps(x86-64) = 0.1.6-13.el7 for package:
>>>> python-libcomps-0.1.6-13.el7.x86_64
>>>> --> Processing Dependency: libcomps.so.0.1.6()(64bit) for package:
>>>> python-libcomps-0.1.6-13.el7.x86_64
>>>> ---> Package python-librepo.x86_64 0:1.7.16-1.el7 will be installed
>>>> --> Processing Dependency: librepo(x86-64) = 1.7.16-1.el7 for package:
>>>> python-librepo-1.7.16-1.el7.x86_64
>>>> --> Processing Dependency: librepo.so.0()(64bit) for package:
>>>> python-librepo-1.7.16-1.el7.x86_64
>>>> --> Running transaction check
>>>> ---> Package hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be installed
>>>> ---> Package libcomps.x86_64 0:0.1.6-13.el7 will be installed
>>>> ---> Package librepo.x86_64 0:1.7.16-1.el7 will be installed
>>>> ---> Package libsolv.x86_64 0:0.6.11-1.el7 will be installed
>>>> --> Finished Dependency Resolution
>>>>
>>>> Dependencies Resolved
>>>>
>>>> ============================================================
>>>> =================================================================
>>>> Package Arch
>>>> Version Repository Size
>>>> ============================================================
>>>> =================================================================
>>>> Installing:
>>>> dnf noarch
>>>> 0.6.4-2.el7 epel 209 k
>>>> Installing for dependencies:
>>>> dnf-conf noarch
>>>> 0.6.4-2.el7 epel 61 k
>>>> hawkey x86_64
>>>> 0.5.8-2.git.0.202b194.el7 base 87 k
>>>> libcomps x86_64
>>>> 0.1.6-13.el7 epel 72 k
>>>> librepo x86_64
>>>> 1.7.16-1.el7 base 77 k
>>>> libsolv x86_64
>>>> 0.6.11-1.el7 base 316 k
>>>> python-dnf noarch
>>>> 0.6.4-2.el7 epel 407 k
>>>> python-hawkey x86_64
>>>> 0.5.8-2.git.0.202b194.el7 base 71 k
>>>> python-libcomps x86_64
>>>> 0.1.6-13.el7 epel 44 k
>>>> python-librepo x86_64
>>>> 1.7.16-1.el7 base 49 k
>>>>
>>>> Transaction Summary
>>>> ============================================================
>>>> =================================================================
>>>> Install 1 Package (+9 Dependent packages)
>>>>
>>>> Total download size: 1.4 M
>>>> Installed size: 4.1 M
>>>> Downloading packages:
>>>> (1/10): hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
>>>> | 87 kB 00:00:00
>>>> (2/10): dnf-conf-0.6.4-2.el7.noarch.rpm
>>>> | 61 kB 00:00:00
>>>> (3/10): dnf-0.6.4-2.el7.noarch.rpm
>>>> | 209 kB 00:00:00
>>>> (4/10): librepo-1.7.16-1.el7.x86_64.rpm
>>>> | 77 kB 00:00:00
>>>> (5/10): libcomps-0.1.6-13.el7.x86_64.rpm
>>>> | 72 kB 00:00:00
>>>> (6/10): python-librepo-1.7.16-1.el7.x86_64.rpm
>>>> | 49 kB 00:00:00
>>>> (7/10): python-libcomps-0.1.6-13.el7.x86_64.rpm
>>>> | 44 kB 00:00:00
>>>> (8/10): python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
>>>> | 71 kB 00:00:00
>>>> (9/10): python-dnf-0.6.4-2.el7.noarch.rpm
>>>> | 407 kB 00:00:00
>>>> (10/10): libsolv-0.6.11-1.el7.x86_64.rpm
>>>> | 316 kB 00:00:00
>>>> ------------------------------------------------------------
>>>> -----------------------------------------------------------------
>>>> Total
>>>> 1.4 MB/s | 1.4 MB 00:00:01
>>>> Running transaction check
>>>> Running transaction test
>>>> Transaction test succeeded
>>>> Running transaction
>>>> Installing : libsolv-0.6.11-1.el7.x86_64
>>>>
>>>> 1/10
>>>> Installing : hawkey-0.5.8-2.git.0.202b194.e
>>>> l7.x86_64
>>>> 2/10
>>>> Installing : python-hawkey-0.5.8-2.git.0.20
>>>> 2b194.el7.x86_64
>>>> 3/10
>>>> Installing : dnf-conf-0.6.4-2.el7.noarch
>>>>
>>>> 4/10
>>>> Installing : libcomps-0.1.6-13.el7.x86_64
>>>>
>>>> 5/10
>>>> Installing : python-libcomps-0.1.6-13.el7.x
>>>> 86_64
>>>> 6/10
>>>> Installing : librepo-1.7.16-1.el7.x86_64
>>>>
>>>> 7/10
>>>> Installing : python-librepo-1.7.16-1.el7.x8
>>>> 6_64
>>>> 8/10
>>>> Installing : python-dnf-0.6.4-2.el7.noarch
>>>>
>>>> 9/10
>>>> Installing : dnf-0.6.4-2.el7.noarch
>>>>
>>>> 10/10
>>>> Verifying : librepo-1.7.16-1.el7.x86_64
>>>>
>>>> 1/10
>>>> Verifying : python-libcomps-0.1.6-13.el7.x
>>>> 86_64
>>>> 2/10
>>>> Verifying : python-hawkey-0.5.8-2.git.0.20
>>>> 2b194.el7.x86_64
>>>> 3/10
>>>> Verifying : python-librepo-1.7.16-1.el7.x8
>>>> 6_64
>>>> 4/10
>>>> Verifying : python-dnf-0.6.4-2.el7.noarch
>>>>
>>>> 5/10
>>>> Verifying : libcomps-0.1.6-13.el7.x86_64
>>>>
>>>> 6/10
>>>> Verifying : hawkey-0.5.8-2.git.0.202b194.e
>>>> l7.x86_64
>>>> 7/10
>>>> Verifying : dnf-conf-0.6.4-2.el7.noarch
>>>>
>>>> 8/10
>>>> Verifying : dnf-0.6.4-2.el7.noarch
>>>>
>>>> 9/10
>>>> Verifying : libsolv-0.6.11-1.el7.x86_64
>>>>
>>>> 10/10
>>>>
>>>> Installed:
>>>> dnf.noarch 0:0.6.4-2.el7
>>>>
>>>>
>>>>
>>>> Dependency Installed:
>>>> dnf-conf.noarch 0:0.6.4-2.el7
>>>> hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7
>>>> libcomps.x86_64 0:0.1.6-13.el7
>>>> librepo.x86_64 0:1.7.16-1.el7
>>>> libsolv.x86_64 0:0.6.11-1.el7
>>>> python-dnf.noarch 0:0.6.4-2.el7
>>>> python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7
>>>> python-libcomps.x86_64 0:0.1.6-13.el7
>>>> python-librepo.x86_64 0:1.7.16-1.el7
>>>>
>>>> Complete!
>>>> [jjflynn22 at ipa-1 ~]$ sudo yum remove -y epel-release
>>>> Loaded plugins: fastestmirror, langpacks
>>>> Resolving Dependencies
>>>> --> Running transaction check
>>>> ---> Package epel-release.noarch 0:7-6 will be erased
>>>> --> Finished Dependency Resolution
>>>>
>>>> Dependencies Resolved
>>>>
>>>> ============================================================
>>>> =================================================================
>>>> Package Arch
>>>> Version Repository Size
>>>> ============================================================
>>>> =================================================================
>>>> Removing:
>>>> epel-release noarch
>>>> 7-6 @extras 24 k
>>>>
>>>> Transaction Summary
>>>> ============================================================
>>>> =================================================================
>>>> Remove 1 Package
>>>>
>>>> Installed size: 24 k
>>>> Downloading packages:
>>>> Running transaction check
>>>> Running transaction test
>>>> Transaction test succeeded
>>>> Running transaction
>>>> Erasing : epel-release-7-6.noarch
>>>>
>>>> 1/1
>>>> Verifying : epel-release-7-6.noarch
>>>>
>>>> 1/1
>>>>
>>>> Removed:
>>>> epel-release.noarch 0:7-6
>>>>
>>>>
>>>>
>>>> Complete!
>>>> [jjflynn22 at ipa-1 ~]$ sudo dnf repolist
>>>> CentOS-7 - Base
>>>> 8.4 MB/s | 8.8 MB 00:01
>>>> CentOS-7 - Updates
>>>> 4.5 MB/s | 12 MB 00:02
>>>> CentOS-7 - Extras
>>>> 1.9 MB/s | 569 kB 00:00
>>>> Using metadata from Sun Dec 4 18:06:04 2016
>>>> repo id repo
>>>> name status
>>>> base CentOS-7 -
>>>> Base 9,007
>>>> extras CentOS-7 -
>>>> Extras 393
>>>> updates CentOS-7 -
>>>> Updates 2,560
>>>> [jjflynn22 at ipa-1 ~]$ sudo /root/ipa-le/setup-le.sh
>>>> Using metadata from Sun Dec 4 18:06:04 2016
>>>> Package certbot-0.9.3-1.el7.noarch is already installed, skipping.
>>>> Dependencies resolved.
>>>> Nothing to do.
>>>> Directory Manager password:
>>>>
>>>> Installing CA certificate, please wait
>>>> CA certificate successfully installed
>>>> The ipa-cacert-manage command was successful
>>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestor
>>>> e/sysrestore.index'
>>>> ipa: DEBUG: importing all plugin modules in ipalib.plugins...
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.aci
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.automember
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.automount
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.batch
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.caacl
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.cert
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.config
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.delegation
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.dns
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.group
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.host
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.idrange
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.idviews
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.internal
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.migration
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.misc
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.passwd
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.permission
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.ping
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.privilege
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='klist' '-V'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.role
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.server
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.service
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.session
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.topology
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.trust
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.user
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.vault
>>>> ipa: DEBUG: importing plugin module ipalib.plugins.virtual
>>>> ipa: DEBUG: Initializing principal host/ipa-1.kkgpitt.org at KKGPITT.ORG
>>>> using keytab /etc/krb5.keytab
>>>> ipa: DEBUG: using ccache /tmp/tmp-zgrScg/ccache
>>>> ipa: DEBUG: Attempt 1/1: success
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
>>>> ipa-1.kkgpitt.org at KKGPITT.ORG'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=134111920
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='keyctl' 'pipe' '134111920'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>>> Domain=ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13
>>>> GMT; Secure; HttpOnly
>>>> ipa: DEBUG: stderr=
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: found session_cookie in
>>>> persistent storage for principal 'host/ipa-1.kkgpitt.org at KKGPITT.ORG',
>>>> cookie: 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=
>>>> ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT;
>>>> Secure; HttpOnly'
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: setting session_cookie
>>>> into context 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;'
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: INFO: trying
>>>> https://ipa-1.kkgpitt.org/ipa/session/json
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Created connection
>>>> context.rpcclient_71021840
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: INFO: Forwarding
>>>> 'ca_is_enabled' to json server 'https://ipa-1.kkgpitt.org/ipa
>>>> /session/json'
>>>> ipa: DEBUG: NSSConnection init ipa-1.kkgpitt.org
>>>> ipa: DEBUG: Connecting: 192.168.1.201:0
>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>> ipa: DEBUG: cert valid True for "CN=ipa-1.kkgpitt.org,O=KKGPITT.ORG"
>>>> ipa: DEBUG: handshake complete, peer = 192.168.1.201:443
>>>> ipa: DEBUG: Protocol: TLS1.2
>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
>>>> ipa: DEBUG: received Set-Cookie 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>>> Domain=ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28
>>>> GMT; Secure; HttpOnly'
>>>> ipa: DEBUG: storing cookie 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>>> Domain=ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28
>>>> GMT; Secure; HttpOnly' for principal host/ipa-1.kkgpitt.org at KKGPITT.ORG
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
>>>> ipa-1.kkgpitt.org at KKGPITT.ORG'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=134111920
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
>>>> ipa-1.kkgpitt.org at KKGPITT.ORG'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=134111920
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='keyctl' 'pupdate' '134111920'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection
>>>> context.rpcclient_71021840
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldap://
>>>> ipa-1.kkgpitt.org:389 from SchemaCache
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
>>>> SchemaCache url=ldap://ipa-1.kkgpitt.org:389
>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x42a2fc8>
>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysre
>>>> store.index'
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG'
>>>> '-A' '-n' 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG'
>>>> '-A' '-n' 'DSTRootCAX3' '-t' 'C,,'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'is-active' '
>>>> dirsrv at KKGPITT-ORG.service'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=active
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' '--system' 'daemon-reload'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'restart' 'dirsrv at KKGPITT-ORG.service
>>>> '
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'is-active' '
>>>> dirsrv at KKGPITT-ORG.service'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=active
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 300
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' '
>>>> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n'
>>>> 'DSTRootCAX3' '-t' 'C,,'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=active
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'restart' 'httpd.service'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=active
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: resubmitting
>>>> certmonger request '20161204225818'
>>>> ipa: DEBUG: certmonger request is in state
>>>> dbus.String(u'GENERATING_CSR', variant_level=1)
>>>> ipa: DEBUG: certmonger request is in state
>>>> dbus.String(u'PRE_SAVE_CERT', variant_level=1)
>>>> ipa: DEBUG: certmonger request is in state
>>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>>> ipa: DEBUG: certmonger request is in state
>>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>>> ipa: DEBUG: certmonger request is in state
>>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>>> ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING',
>>>> variant_level=1)
>>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger
>>>> request '20161204225818'
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> Certificate Nickname Trust
>>>> Attributes
>>>>
>>>> SSL,S/MIME,JAR/XPI
>>>>
>>>> KKGPITT.ORG IPA CA CT,C,C
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '
>>>> KKGPITT.ORG IPA CA' '-a'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
>>>> -----END CERTIFICATE-----
>>>>
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' '
>>>> KKGPITT.ORG IPA CA'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '
>>>> KKGPITT.ORG IPA CA' '-a'
>>>> ipa: DEBUG: Process finished, return code=255
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=certutil: Could not find cert: KKGPITT.ORG IPA CA
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n'
>>>> 'IPA CA' '-a'
>>>> ipa: DEBUG: Process finished, return code=255
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n'
>>>> 'External CA cert' '-a'
>>>> ipa: DEBUG: Process finished, return code=255
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' '
>>>> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n'
>>>> 'DSTRootCAX3' '-t' 'C,,'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' '
>>>> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n'
>>>> 'DSTRootCAX3' '-t' 'C,,'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/update-ca-trust'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: INFO: Systemwide CA database updated.
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args='/usr/bin/update-ca-trust'
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: INFO: Systemwide CA database updated.
>>>> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate
>>>> command was successful
>>>> Directory Manager password:
>>>>
>>>> Installing CA certificate, please wait
>>>> Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's
>>>> Certificate issuer is not recognized. (visit
>>>> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>>>> [jjflynn22 at ipa-1 ~]$
>>>>
>>>>
>>>>
>>>
>>>
>>> Hi,
>>>
>>> you seem to have an issue when the LetsEncryptAuthorityX3 is being
>>> installed. The certificate from the CA that issued this certificate
>>> (DSTRootCAX3) seems to be installed correctly. Could you verify that
>>> DSTRootCAX3 is marked as trusted CA by issuing:
>>>
>>> certutil -d /etc/httpd/alias/ -L
>>>
>>> The DSTRootCAX3 should have C,, trust flags.
>>>
>>> There was an issue fixed last week that might have caused this issue if
>>> you've ever tried to install letsencrypt on this particular VM before:
>>> https://github.com/freeipa/freeipa-letsencrypt/issues/1#issuecomment-263546822
>>> If that's the case, you will need to re-install IPA
>>> before the letsencrypt solution will work.
>>>
>>> I was not able to reproduce your issue with a clean machine.
>>>
>>> --
>>> Tomas Krizek
>>>
>>>
>>
>
> --
> Tomas Krizek
>
>
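The trust-flag check suggested in the quoted reply (DSTRootCAX3 should show `C,,` in `certutil -d /etc/httpd/alias/ -L`), as an added example that is not part of the original thread or of the freeipa-letsencrypt project. The function names are hypothetical and the listing is a constructed sample modeled on the output posted in this thread; nicknames may contain spaces, so the flags are taken from the last field of each line.

```shell
#!/bin/sh
# Added example: parse a `certutil -L` listing and check whether a nickname
# is marked as a trusted CA for SSL (a "C" in the first trust field).

# Constructed sample, modeled on the listing posted in this thread.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
DSTRootCAX3                                                  C,,
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
KKGPITT.ORG IPA CA                                           CT,C,C
'

# trust_flags LISTING NICKNAME
# Prints the trust attribute string (ssl,smime,jar) for NICKNAME.
# Exit status 1 if the nickname does not appear in the listing.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # Data rows end in three comma-separated groups of flag letters;
        # the two header rows do not match this pattern.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags field
            sub(/^[ \t]+/, "", name)                # drop leading blanks
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# is_trusted_ssl_ca LISTING NICKNAME
# 0: nickname present and trusted as a CA for SSL
# 1: nickname present, but no "C" in the SSL field
# 2: nickname not in the database at all
is_trusted_ssl_ca() {
    tf_flags=$(trust_flags "$1" "$2") || return 2
    tf_ssl=${tf_flags%%,*}
    case $tf_ssl in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report on the CA nicknames that appear in this thread.
for nick in 'DSTRootCAX3' 'KKGPITT.ORG IPA CA' 'LetsEncryptAuthorityX3'; do
    rc=0
    is_trusted_ssl_ca "$SAMPLE_LISTING" "$nick" || rc=$?
    case $rc in
        0) echo "trusted CA : $nick" ;;
        1) echo "NOT trusted: $nick" ;;
        2) echo "missing    : $nick" ;;
    esac
done
```

On the server itself, pass `"$(sudo certutil -d /etc/httpd/alias/ -L)"` as the listing instead of the sample.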