On 09/01/2018 14:42, Fraser Tweedale wrote:
> Remove all the userAttribute values except the one that matches
> ra-agent.pem.
Removed, only the matching one remains.
> You also suggested earlier to update that entry in the IPA DIT under
> `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA
> master in the topology (the one you're working on) you can ignore
> this. Otherwise you should either update its userCertificate value
> with the content of ra_agent.pem, OR you can simply delete the
> entry.
> Do this all while the clock is set back to when the certs are all
> valid. Then restart IPA; confirm that all the components start
> properly, then attempt to renew the service certificates.
Done, ipactl status reports everything running, but certificates don't renew.
Looking at certmonger (in debug mode) I can see:
"Server at
https://idc01.linux.unicloudidattica.local/ipa/xml failed
request, will retry: 4035 (RPC failed at server. Request failed with
status 500: Non-2xx response from CA REST API: 500. ).
Server at
https://idc02.linux.unicloudidattica.local/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: Failed connect to
idc02.linux.unicloudidattica.local:443; Connection refused).
"
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state
'CA_UNREACHABLE'
even after a getcert resubmit -i 20171205091409
Do I have to try to remove/re-add monitoring from certmonger for the service
certificates?
> See how you go with that. Hopefully it will be progress, at least.
> Cheers,
> Fraser
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Giulio Casella giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano
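As an added illustration, not part of the thread: a small Python parser over constructed certmonger debug lines of the shape quoted above (normalised to one message per line; hostnames under example.test are made up). It extracts each request's state and classifies the per-server failures, so that an HTTP 500 from the CA REST API (the CA answered and failed) is kept apart from a refused connection (that master is simply not reachable).

```python
import re

# Constructed sample of certmonger debug output, not captured from a real host,
# in the same shape as the lines quoted in the thread above.
SAMPLE_LOG = """\
2018-01-08 01:03:31 [21961] Server at https://idc01.example.test/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
2018-01-08 01:03:31 [21961] Server at https://idc02.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.example.test:443; Connection refused).
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'
2018-01-08 01:03:32 [21961] Request3('20171205091355') moved to state 'MONITORING'
"""

SERVER_RE = re.compile(
    r"Server at (?P<url>\S+) failed request, will retry: (?P<code>-?\d+) \((?P<why>.*)\)")
STATE_RE = re.compile(
    r"Request\d+\('(?P<req>\d+)'\) moved to state '(?P<state>[A-Z_]+)'")

def classify(why):
    """Map the free-text failure reason to a coarse cause a defender can act on."""
    if "Connection refused" in why:
        return "tcp-refused"          # service down or filtered, not a CA fault
    m = re.search(r"status (\d{3})", why)
    if m:
        return "http-" + m.group(1)   # e.g. http-500: the CA answered but failed
    return "other"

def summarize(log):
    """Return ({request_id: last_state}, [(server_url, cause), ...])."""
    states, failures = {}, []
    for line in log.splitlines():
        m = SERVER_RE.search(line)
        if m:
            failures.append((m.group("url"), classify(m.group("why"))))
            continue
        m = STATE_RE.search(line)
        if m:
            states[m.group("req")] = m.group("state")
    return states, failures

def stuck_requests(log):
    """Request ids whose last state is not MONITORING, i.e. still need attention."""
    states, _ = summarize(log)
    return sorted(r for r, s in states.items() if s != "MONITORING")
```

Feeding it real output from `getcert` or the certmonger debug log shows at a glance which tracked requests are still in CA_UNREACHABLE and whether the blocking cause is the CA itself or a master that is not reachable.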