Hi Flo,
On 7/23/19 12:27 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> The subsystemCert cert-pki-ca is also stored in LDAP, in 2 places:
> - in the entry uid=pkidbuser,ou=people,o=ipaca (in the userCertificate
> attribute, which can be multivalued and contain the old certs along
> with the most recent one). The description field must store the serial
> corresponding to the most recent one with the format
> 2;<serial>;<issuer>;<subject>, for instance description:
> 2;15;CN=Certificate Authority,O=DOMAIN.COM;CN=CA
> Subsystem,O=DOMAIN.COM
ipa1:
3 certs, the last one is up to date, serial number is correct.
ipa0 and other non-renewal masters:
2 certs, both are out of date.
> - in the entry cn=subsystemCert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<basedn>, in the
> userCertificate attribute. There should be only one value, for the
> most recent cert.
This one is up-to-date, AFAICT.
>
> The uid=pkidbuser entry is present only on the replicas with the CA
> role, while the cn=subsystemCert cert-pki-ca entry is present on all
> the replicas.
>
> If the cert was properly replicated to the other masters, we can
> assume that the replication went well for the cn=subsystemCert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<basedn> entry. I would then
> check the content of uid=pkidbuser,ou=people,o=ipaca on all the
> replicas (this part of the LDAP tree is managed by a different
> replication agreement, o=ipaca vs <basedn>).
>
AFAIU this indicates that the csreplicas are out of sync. This is what
ipa-csreplica-manage tells me:
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de
Directory Manager password:
ipa1.example.de
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP
error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa1.example.de
Directory Manager password:
ipa0.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP
error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa2.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP
error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa5.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP
error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
AFAIR we've been here before. How come it cannot connect? Catch-22?
I keep saying to ignore this. It doesn't work because the CA isn't
running because the certs aren't updated.
When certmonger pulls the cert out of the IPA tree it will update the
NSS database and whatever other configuration needs to be updated,
including the CA LDAP database.
You need to go back in time (ensure that ntpd/chronyd is not running),
start IPA so it is fully running and then force certmonger to retrieve
the updated certs.
rob
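As an added illustration of the LDAP cross-check Flo describes (this is not part of the thread and not FreeIPA's or Dogtag's own code): a dependency-free Python script that reads `ldapsearch -LLL` output for the two entries, pulls each cert's serial straight out of the DER, and compares it with the 2;<serial>;<issuer>;<subject> bookkeeping on uid=pkidbuser. The DNs, the example.de suffix, the issuer/subject names and the serial numbers are assumptions; the embedded sample entries are constructed, and the "certificates" inside them are DER skeletons carrying only a version and a serial number, enough for the parser to walk but not valid certificates.

```python
import base64

def parse_description(desc):
    """Parse the renewal bookkeeping value 2;<serial>;<issuer>;<subject>.
    Issuer and subject contain commas, so split on ';' only."""
    fields = desc.split(";", 3)
    if len(fields) != 4 or fields[0] != "2":
        raise ValueError(f"unexpected description format: {desc!r}")
    return int(fields[1]), fields[2], fields[3]

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """Serial of a DER X.509 cert: Certificate -> tbsCertificate ->
    optional EXPLICIT [0] version -> INTEGER serialNumber."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # version present, skip it
        tag, body, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(body, "big", signed=True)

def parse_ldif(text):
    """Minimal reader for `ldapsearch -LLL` output: {dn: {attr: [values]}}.
    '::' values are base64-decoded to bytes, folded lines are joined, and
    attribute names are lower-cased with options stripped (userCertificate;binary)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, entry = {}, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if "dn" in entry:
                entries[entry.pop("dn")[0]] = entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entry.setdefault(attr.split(";")[0].lower(), []).append(value)
    return entries

def check_subsystem_cert(entries, pkidbuser_dn, renewal_dn):
    """Cross-check both LDAP copies of subsystemCert cert-pki-ca.
    Returns a list of problem strings; an empty list means consistent."""
    problems = []
    renewal = entries.get(renewal_dn)
    if renewal is None:
        return [f"missing entry {renewal_dn}"]
    renewal_certs = renewal.get("usercertificate", [])
    if len(renewal_certs) != 1:
        problems.append(f"{renewal_dn}: expected exactly 1 userCertificate, found {len(renewal_certs)}")
    if not renewal_certs:
        return problems
    newest = max(cert_serial(c) for c in renewal_certs)   # CA serials only increase
    user = entries.get(pkidbuser_dn)
    if user is None:
        return problems + [f"missing entry {pkidbuser_dn} (expected only on CA replicas)"]
    serials = sorted(cert_serial(c) for c in user.get("usercertificate", []))
    if newest not in serials:
        problems.append(f"{pkidbuser_dn}: serial {newest} not among userCertificate serials {serials}")
    try:
        desc_serial = parse_description(user.get("description", [""])[0])[0]
        if desc_serial != newest:
            problems.append(f"{pkidbuser_dn}: description names serial {desc_serial}, expected {newest}")
    except ValueError as exc:
        problems.append(f"{pkidbuser_dn}: {exc}")
    return problems

# --- constructed sample data (assumed DNs/names, not taken from the thread) ---
def _der(tag, content):
    n = len(content)
    lenb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lenb if n < 0x80 else bytes([0x80 | len(lenb)]) + lenb) + content

def _der_int(value):
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def fake_cert(serial):
    """DER skeleton: real version + serialNumber, empty placeholders after.
    Enough for cert_serial(); NOT a valid certificate."""
    tbs = _der(0xA0, _der_int(2)) + _der_int(serial) + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

PKIDBUSER_DN = "uid=pkidbuser,ou=people,o=ipaca"
RENEWAL_DN = "cn=subsystemCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=de"
ISSUER, SUBJECT = "CN=Certificate Authority,O=EXAMPLE.DE", "CN=CA Subsystem,O=EXAMPLE.DE"

def _ldif(dn, certs, description=None):
    lines = [f"dn: {dn}"] + [f"userCertificate;binary:: {base64.b64encode(c).decode()}" for c in certs]
    if description:
        lines.append(f"description: {description}")
    return "\n".join(lines) + "\n\n"

def sample_ldif(pkidbuser_serials, description_serial, renewal_serial=15):
    return (_ldif(RENEWAL_DN, [fake_cert(renewal_serial)])
            + _ldif(PKIDBUSER_DN, [fake_cert(s) for s in pkidbuser_serials],
                    f"2;{description_serial};{ISSUER};{SUBJECT}"))

IPA1_LDIF = sample_ldif([13, 14, 15], 15)   # renewal master: 3 certs, newest is current
IPA0_LDIF = sample_ldif([13, 14], 14)       # stale CA replica: both certs old

if __name__ == "__main__":
    for host, text in (("ipa1", IPA1_LDIF), ("ipa0", IPA0_LDIF)):
        print(host, check_subsystem_cert(parse_ldif(text), PKIDBUSER_DN, RENEWAL_DN) or "consistent")
```

Against a live replica you would feed it the real output of `ldapsearch -LLL -D "cn=Directory Manager" -W -b "uid=pkidbuser,ou=people,o=ipaca" userCertificate description` together with the same search on the cn=subsystemCert cert-pki-ca entry under cn=ca_renewal, and run it on every CA replica separately, since o=ipaca is replicated by its own agreements and can be out of step with the main suffix. The script only diagnoses; it does not write to LDAP, because, as Rob says, certmonger is what updates the NSS database and the CA LDAP entries once the cert is retrieved.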