Running with --debug does show a recently expired certificate: the connection to the CA endpoint on ipa1 (https://ipa1.domain.tld:9444) fails because the server certificate ipa1 presents there (subject CN=ipa1.domain.tld, Not After Sep 25 2017) is rejected by the NSS client as expired. On this run the certificate request is at least generated for the correct replica hostname (CN=ipa2.domain.tld), unlike before. Is this expired server certificate something I can regenerate or renew? I'll also look into getting a fresh host to test with. (Note: the PKCS#10 request in the log below was not sanitized like the rest of the output — its base64 decodes to the real realm and hostname rather than the domain.tld placeholders.)

[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa         : DEBUG    importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa         : DEBUG    args=klist -V
ipa         : DEBUG    stdout=Kerberos 5 version 1.10.3

ipa         : DEBUG    stderr=
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa         : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection context.ldap2_61017104
ipa         : DEBUG    Search DNS for ipa2.domain.tld
ipa         : DEBUG    Check if ipa2.domain.tld. is not a CNAME
ipa         : DEBUG    Check reverse address of 192.168.1.11
ipa         : DEBUG    Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG    retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection context.ldap2_62965520
ipa         : DEBUG    args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/ -p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa         : DEBUG    Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa         : DEBUG    Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa         : DEBUG    args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
ipa         : DEBUG    args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
ipa         : DEBUG    args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o /var/lib/ipa/ipa-JGfpWu
/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=

Generating key.  This may take a few moments...


ipa         : DEBUG    https_request 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient'
ipa         : DEBUG    https_request post 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMH
WkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf
0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGl
QEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUe
qOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCr
ET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyN
aJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB
7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa         : DEBUG    NSSConnection init ipa1.domain.tld
ipa         : DEBUG    Connecting: 192.168.1.10:0
ipa         : DEBUG    auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 804978690 (0x2ffb0002)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=DOMAIN.TLD
        Validity:
            Not Before: Tue Oct 06 21:27:25 2015 UTC
            Not After:  Mon Sep 25 21:27:25 2017 UTC
        Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
                    77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
                    55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
                    76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
                    e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2:
                    20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8:
                    06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a:
                    d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b:
                    11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd:
                    d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b:
                    66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1:
                    14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03:
                    53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29:
                    ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41:
                    4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22:
                    60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (4 total)
        Name:     Certificate Authority Key Identifier
        Critical: False
        Key ID:
            df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3:
            7d:d0:4b:0f
        Serial Number: None
        General Names: [0 total]

        Name:     Authority Information Access
        Critical: False
        Authority Information Access: [1 total]
            Info [1]:
                Method:   PKIX Online Certificate Status Protocol
                Location: URI: http://ipa1.domain.tld:80/ca/ocsp

        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature:
            a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37:
            6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5:
            e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4:
            7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a:
            e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9:
            93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6:
            70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2:
            64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae:
            4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29:
            4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e:
            73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5:
            d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a:
            e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d:
            63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60:
            92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e:
            15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69
        Fingerprint (MD5):
            fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21
        Fingerprint (SHA1):
            47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0:
            65:ea:cd:1f
ipa         : ERROR    cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Pee
r's Certificate has expired.
ipa         : DEBUG    cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Cert
ificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e

cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e


On Thu, Nov 16, 2017 at 5:16 PM, Fraser Tweedale <ftweedal@redhat.com> wrote:
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Still looking for any ideas on this one so giving it a bump.
>
> Next time please don't wipe out all the context.
>
> Fraser, it seems to be having a problem connecting to the security domain.
>
> The full thread is at
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
>
> rob
>
For the security domain connection problems, a fix was released in
Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).

As for the expired-certificate problem, I'm not sure what is going on there; more logs would help. But perhaps start over with a fresh host for the replica and run the latest pki builds (Fedora 27 was just released and ships Dogtag 10.5.1).

Cheers,
Fraser



--
John Bowman
System Engineer
4500 S 129th East Avenue,
Suite 132
Tulsa, OK 74134

(c) 918.633.4191
(o) 918.295.7043

john.bowman@zayo.com