Harald Dunkel via FreeIPA-users wrote:
Hi Rob,
On 7/17/19 9:27 PM, Rob Crittenden via FreeIPA-users wrote:
>
> The renewal certificates are passed via the main IPA backend. Check to
> see if that replication is working.
>
It is not:
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de
Directory Manager password:
ipa1.example.de
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
The others show connection errors as well. ipa-replica-manage (without
"cs") doesn't mention any connection problems.
Right, it is the second one I asked about. This is where the replication
of the renewed certificates happens.
Look in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com to see if the
updated certificates are there. If they are then try to manually
resubmit the certmonger tracking for it.
For example, for the subsystem cert you'd do something like:
# getcert resubmit -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
This should cause it to pull the updated cert from LDAP and apply it
locally.
Logging will go to the journal.
rob
Is it possible that these connection errors occur *because* the
new certificate is not installed yet, and because the old certificate
is not trusted anymore?
Please note also that pki-tomcatd refuses to start on any host except
for ipa1. Error message: Authentication error. See below for the debug
log. Might be unrelated.
Regards
Harri
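An added example, not from either poster, that turns Rob's check into a small script: it parses the text `ipa-csreplica-manage list -v` prints, flags only agreements whose update status carries a non-zero error code (FreeIPA reports a successful update as "Error (0) ..."), and builds the `getcert resubmit` command for a pki-tomcat nickname. The sample status block and the ipa2 host are constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed sample modelled on the thread's output; ipa2 is a placeholder.
SAMPLE_CS_STATUS='ipa1.example.de
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa2.example.de
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2019-07-18 06:00:00+00:00'

# Read status text on stdin; print "host: status" for every CS replication
# agreement whose last update status has a non-zero error code.
cs_replication_failures() {
    awk '
        /^[A-Za-z0-9.-]+$/ { host = $0; next }
        /^last update status: Error \(/ {
            code = $0; sub(/^.*Error \(/, "", code); sub(/\).*$/, "", code)
            if (code + 0 != 0) {
                msg = $0; sub(/^last update status: /, "", msg)
                printf "%s: %s\n", host, msg
            }
        }'
}

# Exit 0 when no agreement on stdin reports a failing update.
cs_replication_ok() {
    [ -z "$(cs_replication_failures)" ]
}

# Build the certmonger resubmit command for one pki-tomcat certificate
# nickname, quoted so a nickname containing spaces stays a single argument.
getcert_resubmit_cmd() {
    printf "getcert resubmit -d /etc/pki/pki-tomcat/alias/ -n '%s'\n" "$1"
}

# Typical use on the replica that did not pick up the renewed certificate:
#   ipa-csreplica-manage list -v "$(hostname -f)" | cs_replication_failures
#   eval "$(getcert_resubmit_cmd 'subsystemCert cert-pki-ca')"
```

Run the resubmit only after confirming the renewed certificate is present under cn=ca_renewal,cn=ipa,cn=etc on the renewal master, as Rob describes; otherwise certmonger has nothing newer to pull.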
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org