On 11/28/19 10:33 AM, Natxo Asenjo via FreeIPA-users wrote:
hi,
sorry for the delay, priorities shifted a bit.
Let's see, the serial # and validity of the cert in the kdc with problems:
- note the serial ID of the cert, its subject and issuer:
[root@kdc2 ~]# openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
Validity
Not Before: Dec 15 13:58:44 2017 GMT
Not After : Dec 5 13:58:44 2019 GMT
Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
So it looks like this did not get renewed.
# ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
<snip>
dn: uid=ipara,ou=people,o=ipaca
description: 2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA RA,O=SUB.DOMAIN.TLD
IT
cn: ipara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
userCertificate:: <snip>
userCertificate:: <snip>
userstate: 1
usertype: agentType
sn: ipara
uid: ipara
So I have two userCertificates, the first one is the one in the file
system on the broken kdc in /var/lib/ipa/ra-agent.pem.
The second one is the one in the working kdc.
The serial number is the one on the certificate on the working kdc,
which was renewed on Nov 8th successfully.
So do I need to copy the ra-agent.pem and key from the working kdc to
the broken kdc?
Hi,
please first make a backup of the files. Copy the ra-agent.pem from the
working kdc to the broken kdc, then restart ipa and check if certmonger
is able to renew the other certificates.
The key file probably didn't change (the renewal uses the same key) so I
don't think you need to copy this file.
HTH,
flo
--
Groeten,
natxo
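A small check, added here and not part of the thread or of FreeIPA itself, that compares the serial of the cert in /var/lib/ipa/ra-agent.pem (parsed from `openssl x509 -noout -text` output) with the serial recorded in the ipara entry's description attribute, whose format is version;serial;issuer DN;subject DN as in the ldapsearch output above. The embedded sample values are constructed from the output quoted in the thread; the function names and the command-line handling are my own.

```python
import re
import subprocess
import sys

# Constructed sample values, taken from the output quoted in the thread:
# the cert on the broken kdc has serial 7, the ipara entry records serial 80.
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
        Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
"""
SAMPLE_DESCRIPTION = ("2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;"
                      "CN=IPA RA,O=SUB.DOMAIN.TLD")


def serial_from_openssl_text(text):
    """Decimal serial from 'openssl x509 -noout -text' output.

    openssl prints short serials inline as 'Serial Number: 7 (0x7)' and
    long ones as colon-separated hex bytes on the following line.
    """
    m = re.search(r"Serial Number:[ \t]*(\d+)[ \t]*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:[ \t]*\n[ \t]*([0-9a-fA-F:]+)", text)
    if m:
        return int(m.group(1).replace(":", ""), 16)
    raise ValueError("no Serial Number line in openssl output")


def parse_ipara_description(desc):
    """Split the agent record 'version;serial;issuer DN;subject DN'."""
    parts = desc.strip().split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description value: %r" % desc)
    return {"version": int(parts[0]), "serial": int(parts[1]),
            "issuer": parts[2], "subject": parts[3]}


def ra_agent_matches_ldap(openssl_text, description):
    """True when the on-disk RA cert is the one the CA's ipara entry expects."""
    on_disk = serial_from_openssl_text(openssl_text)
    return on_disk == parse_ipara_description(description)["serial"]


if __name__ == "__main__":
    # Usage: ra_check.py '<description value from ldapsearch>' [/var/lib/ipa/ra-agent.pem]
    desc = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DESCRIPTION
    text = SAMPLE_OPENSSL_TEXT if len(sys.argv) < 3 else subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-in", sys.argv[2]],
        check=True, capture_output=True, text=True).stdout
    print("serial on disk %d, serial in LDAP %d -> %s" % (
        serial_from_openssl_text(text), parse_ipara_description(desc)["serial"],
        "match" if ra_agent_matches_ldap(text, desc) else "MISMATCH"))
```

Run without arguments it reproduces the mismatch from the thread (7 on disk, 80 in LDAP); a mismatch is the symptom flo's advice addresses, since Dogtag only accepts the agent cert whose serial it recorded.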
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org