Thanks!

I compared between a working one and this and the output looked the same. I did not see anything obvious.

Instead of continuing to spin my wheels I decided to go the route of just blowing the whole replica away and recreating it - Problem solved!

:-) 

On Thu, Sep 2, 2021 at 4:47 PM Rob Crittenden <rcritten@redhat.com> wrote:
Russell Jones wrote:
> Okay, thanks!
>
> Pardon my ignorance, but I am not sure what to do still to resolve the
> issue. I have 2 other replicas that picked up the renewed certificate
> fine from the renewal master because they were online.
>
> What do I need to do to get this guy to pick up the renewed certificate?

The fact that resubmit says there is no update certificate available
suggests that there may still be a problem with replication. I'd look at
the LDAP location I provided on a working and non-working server to see
if they match.

rob

>
> On Thu, Sep 2, 2021 at 4:03 PM Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
>     Russell Jones via FreeIPA-users wrote:
>     > Hi all,
>     >
>     > I have a replica that, while offline due to maintenance, some
>     > certificates appear to have been auto renewed. Upon bringing the node
>     > back online the ipa-healthcheck script showed several errors that were
>     > fixed by re-initializing the replica.
>     >
>     > However, the following errors were not fixed by reinitializing:
>     >
>     >
>     > [root@freeipa4 ~]# ipa-healthcheck --output-type human
>     --failures-only |
>     > grep -v ipahealthcheck.ipa.idns
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170451:
>     > Request id 20200130170451 expires in 26 days
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170452:
>     > Request id 20200130170452 expires in 26 days
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170453:
>     > Request id 20200130170453 expires in 26 days
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170451:
>     > Request id 20200130170451 expires in 26 days
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170452:
>     > Request id 20200130170452 expires in 26 days
>     > WARNING:
>     > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170453:
>     > Request id 20200130170453 expires in 26 days
>     >
>     >
>     > When I try to use getcert resubmit, it shows either:
>     >
>     > freeipa4 dogtag-ipa-ca-renew-agent-submit: Updated certificate not
>     available
>     >
>     > or
>     >
>     > freeipa4 certmonger: 2021-09-02 15:43:15 [1264] Invalid cookie: u''
>     >
>     >
>     > Any ideas on how to get this guy healthy again?
>
>     The CAs in IPA are in dogtag parlance "clones". They share most of the
>     same configuration and certificates.
>
>     One IPA server is selected, the first installed by default, as the
>     renewal master. It is responsible for renewing the shared certificates
>     and placing the updated contents into LDAP which will then be replicated
>     to the other servers and picked up when renewal is needed.
>
>     The first message means that an updated certificate is not available.
>     The second message was fixed in IPA 4.9.0 in ticket
>     https://pagure.io/freeipa/issue/8164
>
>     What this means is that the updated certificates are not available in
>     LDAP for certmonger to retrieve. They can be found in
>     cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX under the nickname for each
>     certificate.
>
>     rob
>
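As an added example (not code from the thread or from FreeIPA), one way to do the comparison Rob suggests: dump the cn=ca_renewal container from a working and a non-working server with ldapsearch and diff the stored certificates per nickname. The attribute name userCertificate;binary and the base64 payloads below are constructed assumptions, not real certificates.

```python
import base64
import hashlib

# Constructed LDIF in the shape ldapsearch -LLL prints for the ca_renewal
# container (assumed attribute name; dummy base64 payloads, not real DER).
# The second entry includes a folded value line, as ldapsearch emits for long values.
LDIF_WORKING = """\
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
cn: caSigningCert cert-pki-ca
userCertificate;binary:: bmV3LWNhLXNpZ25pbmctY2VydA==

dn: cn=ocspSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
cn: ocspSigningCert cert-pki-ca
userCertificate;binary:: bmV3LW9j
 c3AtY2VydA==
"""

LDIF_BROKEN = """\
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
cn: caSigningCert cert-pki-ca
userCertificate;binary:: b2xkLWNhLXNpZ25pbmctY2VydA==
"""


def parse_ldif(text):
    """Return {nickname: sha256(DER)} for every entry that carries a certificate."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # unfold wrapped value lines
                lines[-1] += line[1:]
            else:
                lines.append(line)
        nick = der = None
        for line in lines:
            if line.startswith("cn: "):
                nick = line[4:]
            elif line.lower().startswith("usercertificate;binary:: "):
                der = base64.b64decode(line.split(":: ", 1)[1])
        if nick and der is not None:
            entries[nick] = hashlib.sha256(der).hexdigest()
    return entries


def compare_renewal_entries(working_ldif, suspect_ldif):
    """Nicknames whose stored cert is missing or differs on the suspect replica."""
    good, bad = parse_ldif(working_ldif), parse_ldif(suspect_ldif)
    return {n: ("missing" if n not in bad else "differs")
            for n, d in good.items() if bad.get(n) != d}
```

Produce the two inputs with `ldapsearch -LLL -b "cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX"` on each server; a non-empty result means replication has not delivered the renewed certificate to that replica.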