Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
> So there are two possibilities here. One, "cn=Replication Manager
> cloneAgreement1-fitch.<domain>-pki-tomcat,ou=csusers,cn=config" does
> not exist on the server, or two, you are using the wrong password for
> this entry in the replication agreement.
Perhaps the password has been corrupted. The agreements appear to be
there when I run the command listed below. These systems have been
running well for the past few years before this problem started
appearing. I have run the "ipa-replica-manage re-initialize" command,
but the pki-tomcatd service still continues to fail when trying to start
the service. Are there any additional steps you recommend?

Certificate authentication is used for this connection so I'd check the
certs.
Try:
# getcert list -f /var/lib/ipa/ra-agent.pem
Is the cert still valid?
Get the serial #
# openssl x509 -text -in /var/lib/ipa/ra-agent.pem | grep Number:
Look at the equivalent entry in LDAP:
# ldapsearch -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca usercertificate description
The description attribute is in the form of
2;serial #;issuer;subject
Make sure the serial #'s match. For extra points compare the pem to that
of usercertificate (minus the header/footer)
rob
> [root@fitch ~]# ipa-replica-manage list fitch.<domain>
> Directory Manager password:
>
> kodiak.<domain>: replica
> piston.<domain>: replica
> tierod.<domain>: replica
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
On 05/09/2018 05:01 PM, Mark Reynolds via FreeIPA-users wrote:
> So there are two possibilities here. One, "cn=Replication Manager
> cloneAgreement1-fitch.<domain>-pki-tomcat,ou=csusers,cn=config" does
> not exist on the server, or two, you are using the wrong password for
> this entry in the replication agreement.
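
Added example, not part of the thread or of FreeIPA's own tooling: a shell script for the serial comparison described in the reply above, taking the line printed by `openssl x509 -text ... | grep Number:` and the LDAP `description` value in the form `2;serial #;issuer;subject`. The function names and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the RA agent certificate serial with the serial
# recorded in the description attribute of uid=ipara,ou=people,o=ipaca.
# Function names are hypothetical; sample values below are constructed.

# Serial (field 2) of "2;serial;issuer;subject". Accepts the bare value or
# the "description: ..." line as ldapsearch prints it.
desc_serial() {
    printf '%s\n' "$1" | awk -F';' '
        { sub(/^description:[ ]*/, "") }
        NF >= 4 && $1 == "2" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Decimal serial from the "Serial Number: 7 (0x7)" line of openssl x509 -text.
# Large serials are printed as hex bytes on the following line; in that case
# nothing is extracted and the comparison reports UNPARSED instead of guessing.
cert_serial() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*(0x[0-9a-fA-F]*)[[:space:]]*$/\1/p'
}

# Prints MATCH, MISMATCH or UNPARSED; exit status is 0 only on MATCH.
compare_serials() {
    c=$(cert_serial "$1")
    d=$(desc_serial "$2")
    if [ -z "$c" ] || [ -z "$d" ]; then
        echo "UNPARSED"
        return 2
    fi
    if [ "$c" = "$d" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH cert=$c ldap=$d"
    return 1
}

# Constructed sample data (not taken from any real server).
SAMPLE_CERT_LINE='        Serial Number: 7 (0x7)'
SAMPLE_DESC='description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'
SAMPLE_STALE_DESC='2;12;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'

compare_serials "$SAMPLE_CERT_LINE" "$SAMPLE_DESC" || :        # cert and LDAP agree
compare_serials "$SAMPLE_CERT_LINE" "$SAMPLE_STALE_DESC" || :  # LDAP entry is stale

# On a server, using the commands from the reply above:
#   compare_serials "$(openssl x509 -text -in /var/lib/ipa/ra-agent.pem | grep Number:)" \
#                   "<description value returned by the ldapsearch>"
```

A MISMATCH result means the certificate on disk and the one recorded for uid=ipara differ, which is the condition the reply asks to rule out.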