Running in debug mode definitely shows a recently expired cert (the ipa1 server certificate, per the validation error at the end of the output below), and running it again now shows only the correct hostname, unlike before. Is this cert something that I can regenerate/renew? I'll find out about getting a new host to test with as well.
[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_61017104
ipa : DEBUG Search DNS for ipa2.domain.tld
ipa : DEBUG Check if ipa2.domain.tld. is not a CNAME
ipa : DEBUG Check reverse address of 192.168.1.11
ipa : DEBUG Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
ipa : DEBUG args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/ -p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o /var/lib/ipa/ipa-JGfpWu
/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
ipa : DEBUG https_request post 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMH
WkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf
0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGl
QEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUe
qOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCr
ET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyN
aJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB
7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 804978690 (0x2ffb0002)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=DOMAIN.TLD
Validity:
Not Before: Tue Oct 06 21:27:25 2015 UTC
Not After: Mon Sep 25 21:27:25 2017 UTC
Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2:
20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8:
06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a:
d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b:
11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd:
d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b:
66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1:
14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03:
53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29:
ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41:
4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22:
60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39
Exponent:
65537 (0x10001)
Signed Extensions: (4 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3:
7d:d0:4b:0f
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37:
6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5:
e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4:
7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a:
e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9:
93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6:
70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2:
64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae:
4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29:
4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e:
73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5:
d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a:
e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d:
63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60:
92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e:
15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69
Fingerprint (MD5):
fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21
Fingerprint (SHA1):
47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0:
65:ea:cd:1f
ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
r's Certificate has expired.
ificate has expired.
File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
raise e
File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
raise e