[Freeipa-users] My IPA installation doesn't work after upgrade
Rob Crittenden
rcritten at redhat.com
Fri Nov 18 14:43:29 UTC 2016
Morgan Marodin wrote:
> It works!
> Thanks for your support.
>
> Anyway, I will try to update againt mod_nss package! :D
Glad it's working for you. I'm curious what the backup database was for.
Did you create that?
rob
> Bye!
>
>
> 2016-11-18 15:21 GMT+01:00 Morgan Marodin <morgan at marodin.it
> <mailto:morgan at marodin.it>>:
>
> A little good news.
>
> Downgrading the /mod_nss/ RPM package, and restoring the original
> //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has
> finished well:
> /# ipa-server-upgrade
> Upgrading IPA:
> [1/10]: stopping directory server
> [2/10]: saving configuration
> [3/10]: disabling listeners
> [4/10]: enabling DS global lock
> [5/10]: starting directory server
> [6/10]: updating schema
> [7/10]: upgrading server
> [8/10]: stopping directory server
> [9/10]: restoring configuration
> [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts
> with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to
> avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
> [1/5]: Generating ipa-custodia config file
> [2/5]: Making sure custodia container exists
> [3/5]: Generating ipa-custodia keys
> [4/5]: starting ipa-custodia
> [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful/
>
> And Apache has started, BUT there is a problem with the web certificate:
> /# tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to
> child 2 established (server mlv-ipa01.ipa.mydomain.com:443
> <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input
> filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library
> Error: -12285 Unable to find the certificate or key necessary for
> authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to
> child 2 closed (server mlv-ipa01.ipa.mydomain.com:443
> <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.252)/
>
> How do you suggest to go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin <morgan at marodin.it
> <mailto:morgan at marodin.it>>:
>
> I've tried to add it to a new test folder, with a new
> certificate nickname, and then to replace it to /nss.conf/.
>
> But the problem persists:
> /# certutil -V -u V -d /etc/httpd/test -n ipa01cert
> certutil: certificate is valid/
>
> /# tail -f /var/log/httpd/error_log
> /
> /[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552]
> AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com> -> ipa01cert
> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The
> server key database has not been initialized.
> [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552]
> Configuring server for SSL protocol
> ...
> [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using
> nickname ipa01cert.
> [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552]
> Certificate not found: 'ipa01cert'/
>
> I've found this guide:/
> Combine the server cert and key into a single file
> # cp localhost.crt > Server-Cert.txt
> # cat localhost.key >> Server-Cert.txt
> Convert the server cert into a p12 file
> # openssl pkcs12 -export -in Server-Cert.txt -out
> Server-Cert.p12 -name "Server-Cert"
> Now Import the Public and Private keys into the database at the
> same time.
> #pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias
> -n Server-Cert/
>
> Where is stored the key certificate file?
>
> Thanks, Morgan
>
>
> 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com
> <mailto:flo at redhat.com>>:
>
> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>
> Hi Florence.
>
> I've tried to configure the wrong certificate in
> nss.conf (/ipaCert/),
> and with this Apache started.
> So I think the problem is in the /Server-Cert/ stored in
> //etc/httpd/alias/, even if all manul checks are ok.
>
> These are logs with the wrong certificate test:
> /# tail -f /var/log/httpd/error_log/
> /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid
> 7709] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>> -> ipaCert
>
> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709]
> Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709]
> Using nickname ipaCert.
> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709]
> Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
> as virtual name.
> [Fri Nov 18 09:34:33.028056 2016 <tel:028056%202016>]
> [auth_digest:notice] [pid 7709]
> AH01757: generating secret for digest authentication ...
> [Fri Nov 18 09:34:33.030039 2016 <tel:030039%202016>]
> [lbmethod_heartbeat:notice] [pid 7709]
> AH02282: No slotmem from mod_heartmonitor
> [Fri Nov 18 09:34:33.030122 2016 <tel:030122%202016>]
> [:warn] [pid 7709]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 09:34:33.030176 2016 <tel:030176%202016>]
> [:debug] [pid 7709]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>> -> ipaCert
>
> [Fri Nov 18 09:34:33.051481 2016 <tel:051481%202016>]
> [mpm_prefork:notice] [pid 7709]
> AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0
> mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4
> Python/2.7.5 configured
> -- resuming normal operations
> [Fri Nov 18 09:34:33.051551 2016 <tel:051551%202016>]
> [core:notice] [pid 7709] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
> proxy_util.c(1838): AH00924: worker ajp://localhost
> shared already
> initialized
> [Fri Nov 18 09:34:33.096163 2016 <tel:096163%202016>]
> [proxy:debug] [pid 7717]
> proxy_util.c(1880): AH00926: worker ajp://localhost
> local already
> initialized
> ...
> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
> proxy_util.c(1838): AH00924: worker
> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
> shared already
> initialized
> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
> proxy_util.c(1880): AH00926: worker
> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
> local already
> initialized
> [Fri Nov 18 09:34:33.342762 2016 <tel:342762%202016>]
> [:info] [pid 7717] Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:33.342867 2016 <tel:342867%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:33.342880 2016 <tel:342880%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:33.342885 2016 <tel:342885%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:33.342890 2016 <tel:342890%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:33.342894 2016 <tel:342894%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:33.342900 2016 <tel:342900%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:33.342904 2016 <tel:342904%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:33.342917 2016 <tel:342917%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:33.342970 2016 <tel:342970%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:33.343233 2016 <tel:343233%202016>]
> [:debug] [pid 7717]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:33.343237 2016 <tel:343237%202016>]
> [:info] [pid 7717] Using nickname ipaCert.
> [Fri Nov 18 09:34:33.344533 2016 <tel:344533%202016>]
> [:error] [pid 7717] Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
>
> as virtual name.
> [Fri Nov 18 09:34:33.364061 2016 <tel:364061%202016>]
> [:info] [pid 7718] Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:33.364156 2016 <tel:364156%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:33.364167 2016 <tel:364167%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:33.364172 2016 <tel:364172%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:33.364176 2016 <tel:364176%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:33.364180 2016 <tel:364180%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:33.364187 2016 <tel:364187%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:33.364191 2016 <tel:364191%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:33.364202 2016 <tel:364202%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:33.364240 2016 <tel:364240%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:33.364611 2016 <tel:364611%202016>]
> [:debug] [pid 7718]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:33.364625 2016 <tel:364625%202016>]
> [:info] [pid 7718] Using nickname ipaCert.
> [Fri Nov 18 09:34:33.365549 2016 <tel:365549%202016>]
> [:error] [pid 7718] Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
>
> as virtual name.
> [Fri Nov 18 09:34:33.369972 2016 <tel:369972%202016>]
> [:info] [pid 7720] Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:33.370200 2016 <tel:370200%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:33.370224 2016 <tel:370224%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:33.370239 2016 <tel:370239%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:33.370255 2016 <tel:370255%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:33.370269 2016 <tel:370269%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:33.370286 2016 <tel:370286%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:33.370301 2016 <tel:370301%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:33.370322 2016 <tel:370322%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:33.370383 2016 <tel:370383%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:33.371418 2016 <tel:371418%202016>]
> [:debug] [pid 7720]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:33.371437 2016 <tel:371437%202016>]
> [:info] [pid 7720] Using nickname ipaCert.
> [Fri Nov 18 09:34:33.371486 2016 <tel:371486%202016>]
> [:info] [pid 7716] Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:33.372383 2016 <tel:372383%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:33.372439 2016 <tel:372439%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:33.372459 2016 <tel:372459%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:33.372484 2016 <tel:372484%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:33.372513 2016 <tel:372513%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:33.372534 2016 <tel:372534%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:33.372553 2016 <tel:372553%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:33.372580 2016 <tel:372580%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:33.372627 2016 <tel:372627%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:33.373712 2016 <tel:373712%202016>]
> [:debug] [pid 7716]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:33.373734 2016 <tel:373734%202016>]
> [:info] [pid 7716] Using nickname ipaCert.
> [Fri Nov 18 09:34:33.374652 2016 <tel:374652%202016>]
> [:error] [pid 7716] Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
> as virtual name.
> [Fri Nov 18 09:34:33.372295 2016 <tel:372295%202016>]
> [:error] [pid 7720] Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
>
> as virtual name.
> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719]
> Configuring server
> for SSL protocol
> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring
> permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> ...
> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
> nss_engine_init.c(1140): Enable cipher:
> ecdhe_rsa_aes_128_gcm_sha_256
> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719]
> Using nickname ipaCert.
> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719]
> Misconfiguration
> of certificate's CN and virtual name. The certificate CN
> has IPA RA. We
> expected mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
> as virtual name.
> [Fri Nov 18 09:34:35.558286 2016 <tel:558286%202016>]
> [:error] [pid 7715] ipa: WARNING:
> session memcached servers not running
> [Fri Nov 18 09:34:35.559653 2016 <tel:559653%202016>]
> [:error] [pid 7714] ipa: WARNING:
> session memcached servers not running
> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714]
> ipa: INFO: ***
> PROCESS START ***
> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715]
> ipa: INFO: ***
> PROCESS START ***
> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717]
> Connection to child
> 1 established (server mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>, client 192.168.0.239)
> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL
> input filter
> read failed.
> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717]
> SSL Library Error:
> -12285 Unable to find the certificate or key necessary
> for authentication
> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717]
> Connection to child
> 1 closed (server mlv-ipa01.ipa.mydomain.com:443
> <http://mlv-ipa01.ipa.mydomain.com:443>
> <http://mlv-ipa01.ipa.mydomain.com:443
> <http://mlv-ipa01.ipa.mydomain.com:443>>, client
> 192.168.0.239)
> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice]
> [pid 7709]
> AH00170: caught SIGWINCH, shutting down gracefully/
>
> Is possible to delete /Server-Cert/ from
> //etc/httpd/alias/ and reimport
> it from the original certificates of
> /mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>/?
> Where are stored the original certificates?
>
> Hi Morgan,
>
> with ldapsearch you should be able to find the certificate:
> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory
> manager" -w password -LLL -b
> krbprincipalname=HTTP/ipaserver.ipadomain at IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
>
> The cert will be stored in the field "usercertificate".
>
> HTH,
> Flo.
>
> Please let me know, thanks.
> Bye, Morgan
>
> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud
> <flo at redhat.com <mailto:flo at redhat.com>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>:
>
>
> On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>
> Hi Rob.
>
> I've just tried to remove the group write to the
> *.db files, but
> it's
> not the problem.
> /[root at mlv-ipa01 ~]# grep NSSNickname
> /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert/
>
> I've tried to run manually /dirsrv.target/ and
> /krb5kdc.service/, and it
> works, services went up.
> The same for /ntpd/, /named-pkcs11.service/,
> /smb.service/,
> /winbind.service/, /kadmin.service/,
> /memcached.service/ and
> /pki-tomcatd.target/.
>
> But if I try to start /httpd.service/:
> /[root at mlv-ipa01 ~]# tail -f /var/log/messages
> Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting
> The Apache HTTP
> Server...
> Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy:
> ipa :
> INFO KDC
> proxy enabled
> Nov 17 16:46:07 mlv-ipa01 systemd[1]:
> httpd.service: main process
> exited, code=exited, status=1/FAILURE
> Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot
> find process ""
> Nov 17 16:46:07 mlv-ipa01 systemd[1]:
> httpd.service: control process
> exited, code=exited status=1
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to
> start The Apache
> HTTP
> Server.
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit
> httpd.service entered
> failed
> state.
> Nov 17 16:46:07 mlv-ipa01 systemd[1]:
> httpd.service failed./
>
> Any other ideas?
>
> Hi,
>
> - Does the NSS Db contain the private key for
> Server-Cert? If yes,
> the command
> $ certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
> should display a line like this one:
> < 0> rsa
> 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS
> Certificate DB:Server-Cert
>
> - Is your system running with SElinux enforcing? If
> yes, you can
> check if there were SElinux permission denials using
> $ ausearch -m avc --start recent
>
> - If the certificate was expired, I believe you
> would see a
> different message, but it doesn't hurt to check its
> validity
> $ certutil -L -d /etc/httpd/alias/ -n Server-Cert |
> egrep "Not
> Before|Not After"
>
>
> Flo.
>
>
> Please let me know, thanks.
> Morgan
>
> 2016-11-17 16:11 GMT+01:00 Rob Crittenden
> <rcritten at redhat.com <mailto:rcritten at redhat.com>
> <mailto:rcritten at redhat.com
> <mailto:rcritten at redhat.com>>
> <mailto:rcritten at redhat.com
> <mailto:rcritten at redhat.com> <mailto:rcritten at redhat.com
> <mailto:rcritten at redhat.com>>>>:
>
>
>
> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as
> NSS DB. And seems
> that all
> > permissions and certificates are good:
> > /[root at mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r-- 1 root root 1345 Sep 7
> 2015 cacert.asc
> > -rw-rw---- 1 root apache 65536 Nov 17
> 11:06 cert8.db
> > -rw-r-----. 1 root apache 65536 Sep 4
> 2015 cert8.db.orig
> > -rw-------. 1 root root 4833 Sep 4
> 2015 install.log
> > -rw-rw---- 1 root apache 16384 Nov 17
> 11:06 key3.db
> > -rw-r-----. 1 root apache 16384 Sep 4
> 2015 key3.db.orig
> > lrwxrwxrwx 1 root root 24 Nov 17
> 10:24 libnssckbi.so ->
> > /usr/lib64/libnssckbi.so
> > -rw-rw---- 1 root apache 20 Sep 7
> 2015 pwdfile.txt
> > -rw-rw---- 1 root apache 16384 Sep 7
> 2015 secmod.db
> > -rw-r-----. 1 root apache 16384 Sep 4
> 2015 secmod.db.orig/
>
> Eventually you'll want to remove group write
> on the *.db files.
>
> > And password validations seems ok, too:
> > /[root at mlv-ipa01 ~]# certutil -K -d
> /etc/httpd/alias/ -f
> > /etc/httpd/alias/pwdfile.txt
> good
>
> > Enabling mod-nss debug I can see these logs:
> > /[root at mlv-ipa01 ~]# tail -f
> /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016]
> [suexec:notice] [pid
> 10660] AH01232:
> > suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn]
> [pid 10660]
> > NSSSessionCacheTimeout is deprecated.
> Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(454): SNI:
> mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>>
> > <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>
>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>
> <http://mlv-ipa01.ipa.mydomain.com
> <http://mlv-ipa01.ipa.mydomain.com>>>> -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info]
> [pid 10660]
> Configuring server
> > for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(770): NSSProtocol:
> Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(775): NSSProtocol:
> Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(780): NSSProtocol:
> Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(839): NSSProtocol: [TLS
> 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(866): NSSProtocol: [TLS
> 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(906): Disabling TLS
> Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(916): Enabling DHE key
> exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug]
> [pid 10660]
> > nss_engine_init.c(1077): NSSCipherSuite:
> Configuring
> permitted SSL
> > ciphers
> >
>
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug]
> [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info]
> [pid 10660]
> Using nickname
> > Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error]
> [pid 10660]
> Certificate not
> > found: 'Server-Cert'
>
> Can you shows what this returns:
>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> > Do you think there is a kerberos problem?
>
> It definitely is not.
>
> You can bring the system up in a minimal way
> by manually
> starting the
> dirsrv at EXAMPLE.COM
> <mailto:dirsrv at EXAMPLE.COM> <mailto:dirsrv at EXAMPLE.COM
> <mailto:dirsrv at EXAMPLE.COM>>
> <mailto:dirsrv at EXAMPLE.COM
> <mailto:dirsrv at EXAMPLE.COM> <mailto:dirsrv at EXAMPLE.COM
> <mailto:dirsrv at EXAMPLE.COM>>> service
>
> and then
> krb5kdc. This will at least let your
> users authenticate. The management framework
> (GUI) runs
> through Apache
> so that will be down until we can get Apache
> started again.
>
> rob
>
> >
> > Please let me know, thanks.
> > Bye, Morgan
> >
> > 2016-11-17 14:39 GMT+01:00 Florence
> Blanc-Renaud
> <flo at redhat.com <mailto:flo at redhat.com>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>
> > <mailto:flo at redhat.com
> <mailto:flo at redhat.com> <mailto:flo at redhat.com
> <mailto:flo at redhat.com>>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>
> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>>>:
>
> >
> > On 11/17/2016 12:09 PM, Morgan Marodin
> wrote:
> >
> > Hello.
> >
> > This morning I've tried to upgrade
> my IPA server,
> but the
> upgrade
> > failed, and now the service
> doesn't start! :(
> >
> > If I try lo launch the upgrade
> manually this is
> the output:
> > /[root at mlv-ipa01 download]#
> ipa-server-upgrade
> >
> > Upgrading IPA:
> > [1/8]: saving configuration
> > [2/8]: disabling listeners
> > [3/8]: enabling DS global lock
> > [4/8]: starting directory server
> > [5/8]: updating schema
> > [6/8]: upgrading server
> > [7/8]: stopping directory server
> > [8/8]: restoring configuration
> > Done.
> > Update complete
> > Upgrading IPA services
> > Upgrading the configuration of the
> IPA services
> > [Verifying that root certificate
> is published]
> > [Migrate CRL publish directory]
> > CRL tree already moved
> > [Verifying that CA proxy
> configuration is correct]
> > [Verifying that KDC configuration
> is using ipa-kdb
> backend]
> > [Fix DS schema file syntax]
> > Syntax already fixed
> > [Removing RA cert from DS NSS
> database]
> > RA cert already removed
> > [Enable sidgen and extdom plugins
> by default]
> > [Updating HTTPD service IPA
> configuration]
> > [Updating mod_nss protocol versions]
> > Protocol versions already updated
> > [Updating mod_nss cipher suite]
> > [Fixing trust flags in
> /etc/httpd/alias]
> > Trust flags already processed
> > [Exporting KRA agent PEM file]
> > KRA is not enabled
> > IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log
> and run
> > command ipa-server-upgrade manually.
> > Unexpected error - see
> /var/log/ipaupgrade.log for
> details:
> > CalledProcessError: Command
> '/bin/systemctl start
> httpd.service'
> > returned non-zero exit status 1
> > The ipa-server-upgrade command
> failed. See
> > /var/log/ipaupgrade.log for
> > more information/
> >
> > These are error logs of Apache:
> > /[Thu Nov 17 11:48:45.498510 2016]
> [suexec:notice]
> [pid 5664]
> > AH01232:
> > suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> > [Thu Nov 17 11:48:45.499220 2016]
> [:warn] [pid 5664]
> > NSSSessionCacheTimeout is
> deprecated. Ignoring.
> > [Thu Nov 17 11:48:45.830910 2016]
> [:error] [pid 5664]
> > Certificate not
> > found: 'Server-Cert'/
> >
> > The problem seems to be the
> /Server-Cert /that
> could not
> be found.
> > But if I try to execute the
> certutil command
> manually I
> can see it:/
> > [root at mlv-ipa01 log]# certutil -L
> -d /etc/httpd/alias/
> > Certificate Nickname
> Trust
> > Attributes
> >
> > SSL,S/MIME,JAR/XPI
> > Signing-Cert
> u,u,u
> > ipaCert
> u,u,u
> > Server-Cert
> Pu,u,u
> > IPA.MYDOMAIN.COM
> <http://IPA.MYDOMAIN.COM> <http://IPA.MYDOMAIN.COM>
> <http://IPA.MYDOMAIN.COM>
> <http://IPA.MYDOMAIN.COM>
> > <http://IPA.MYDOMAIN.COM> IPA
> > CA
> CT,C,C/
> >
> > Could you help me?
> > What could I try to do to restart
> my service?
> >
> > Hi,
> >
> > I would first make sure that httpd is
> using
> /etc/httpd/alias
> as NSS
> > DB (check the directive
> NSSCertificateDatabase in
> > /etc/httpd/conf.d/nss.conf).
> > Then it may be a file permission
> issue: the NSS DB should
> belong to
> > root:apache (the relevant files are
> cert8.db, key3.db and
> secmod.db).
> > You should also find a pwdfile.txt in
> the same directory,
> containing
> > the NSS DB password. Check that the
> password is valid
> using
> > certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
> > (if the command succeeds then the
> password in pwdfile
> is OK).
> >
> > You can also enable mod-nss debug in
> /etc/httpd/conf/nss.conf by
> > setting "LogLevel debug", and check
> the output in
> > /var/log/httpd/error_log.
> >
> > HTH,
> > Flo.
> >
> > Thanks, Morgan
> >
> >
> >
> > --
> > Manage your subscription for the
> Freeipa-users mailing
> list:
> >
> https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>>>
> >
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>
> <https://www.redhat.com/mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>>>>
> > Go to http://freeipa.org for more info
> on the project
> >
> >
>
More information about the Freeipa-users
mailing list