I've finally had a chance to make this attempt and after running the cleanup:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Subsystem certificate: 2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA
Subsystem,O=DOMAIN.TLD
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
User CA-ipa4.domain.tld-9443 has subsystem certificate
User already in Subsystem Group
User has the correct certificate mapping
Subsystem user CA-ipa4.domain.tld-9443 is OK
It was strange that it listed ipa4, since that is not one of our current CAs, just a normal
replica. I'm guessing that it was likely a CA at one point but was converted.
Perhaps incorrectly?
# ipa-replica-prepare ipa5.domain.tld
Directory Manager (existing master) password:
Preparing replica for ipa5.domain.tld from ipa1.domain.tld
Creating SSL certificate for the Directory Server
ipa : ERROR cert validation failed for
"CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's
Certificate has expired.)
preparation of replica failed: cannot connect to
'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
I know the cert wasn't expired prior to running these two commands. When I look at
ipa-getcert list, all the expiry dates for requests in MONITORING status show 2019, unless
I'm looking in the wrong area.
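One way to settle which certificate is actually expired is to look at the certificate the server on port 9444 presents, rather than at what certmonger tracks; the two are not necessarily the same certificate. The script below is an added example for this thread, not code from the poster or from FreeIPA. It assumes the `openssl` CLI is on PATH (the stdlib `ssl` module cannot parse an untrusted peer certificate by itself) and that the host and port are reachable; the host name and port in the usage note are taken from the error above, and the sample notAfter value in the parsing helpers is constructed.

```python
"""Report the expiry of the certificate a TLS server actually presents.

Added illustration, not code from the original post or from FreeIPA.
Useful when a client reports SEC_ERROR_EXPIRED_CERTIFICATE for a port such
as 9444 while `ipa-getcert list` still shows a later expiry for the tracked
requests: the peer may be serving a different certificate than the one
certmonger monitors. Assumes the `openssl` CLI is available.
"""
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone
from typing import Dict, Optional


def fetch_peer_cert_pem(host: str, port: int, timeout: float = 5.0) -> str:
    """Return the leaf certificate presented by host:port as PEM.

    Verification is deliberately disabled: an expired certificate would
    otherwise abort the handshake before we can inspect it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def openssl_fields(pem: str) -> Dict[str, str]:
    """Extract subject, issuer, notBefore and notAfter via `openssl x509`."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
        input=pem, text=True, capture_output=True, check=True,
    ).stdout
    # Each line looks like "notAfter=Dec 31 23:59:59 2019 GMT"
    return dict(line.split("=", 1) for line in out.splitlines() if "=" in line)


def parse_not_after(value: str) -> datetime:
    """Parse an OpenSSL date such as 'Dec 31 23:59:59 2019 GMT' (constructed sample).

    Accepts either the bare value or the whole 'notAfter=...' line.
    """
    if "=" in value:
        value = value.split("=", 1)[1]
    secs = ssl.cert_time_to_seconds(value.strip())
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def days_until_expiry(not_after: datetime, now: Optional[datetime] = None) -> int:
    """Whole days left before not_after; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def is_expired(not_after_value: str, now: Optional[datetime] = None) -> bool:
    """True if the OpenSSL-formatted notAfter value lies in the past."""
    return days_until_expiry(parse_not_after(not_after_value), now) < 0


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} HOST PORT", file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    fields = openssl_fields(fetch_peer_cert_pem(host, port))
    not_after = parse_not_after(fields["notAfter"])
    days = days_until_expiry(not_after)
    print(f"subject : {fields.get('subject', '').strip()}")
    print(f"issuer  : {fields.get('issuer', '').strip()}")
    print(f"notAfter: {not_after.isoformat()} ({days} days from now)")
    print("STATUS  : EXPIRED" if days < 0 else "STATUS  : valid")
    return 1 if days < 0 else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_tls_expiry.py ipa1.domain.tld 9444` and compare the printed subject and notAfter with the entries in `ipa-getcert list`; if the subject or expiry differ from what certmonger shows, the listener is serving a certificate that certmonger is not tracking, which is exactly the situation the SEC_ERROR_EXPIRED_CERTIFICATE error above would produce.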