Hi Flo,
On 7/23/19 12:27 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
The subsystemCert cert-pki-ca is also stored in LDAP, in 2 places:
- in the entry uid=pkidbuser,ou=people,o=ipaca (in the userCertificate attribute, which
can be multivalued and contain the old certs along with the most recent one). The
description field must store the serial corresponding to the most recent one with the
format 2;<serial>;<issuer>;<subject>, for instance:
description: 2;15;CN=Certificate Authority,O=DOMAIN.COM;CN=CA Subsystem,O=DOMAIN.COM
ipa1:
3 certs, the last one is up to date, serial number is correct.
ipa0 and other non-renewal masters:
2 certs, both are out-of-date.
- in the entry cn=subsystemCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<basedn>, in the userCertificate attribute.
There should be only one value, for the most recent cert.
This one is up-to-date, AFAICT.
The uid=pkidbuser entry is present only on the replicas with the CA role, while the
cn=subsystemCert cert-pki-ca entry is present on all the replicas.
If the cert was properly replicated to the other masters, we can assume that the
replication went well for the cn=subsystemCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<basedn> entry. I would then check the
content of uid=pkidbuser,ou=people,o=ipaca on all the replicas (this part of the LDAP tree
is managed by a different replication agreement, o=ipaca vs <basedn>).
AFAIU this indicates that the csreplicas are out of sync. This is what
ipa-csreplica-manage tells me:
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de
Directory Manager password:
ipa1.example.de
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa1.example.de
Directory Manager password:
ipa0.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa2.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa5.example.de
last init status: Error (-11) - LDAP error: Connect error
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-11) Problem connecting to replica - LDAP error: Connect error (connection error)
last update ended: 1970-01-01 00:00:00+00:00
AFAIR we've been here before. How come it cannot connect? Catch-22?
Regards
Harri
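Added example (not from this thread and not FreeIPA's own code): a stdlib-only Python script that applies the check Flo describes to the uid=pkidbuser,ou=people,o=ipaca entry of each CA replica. It reads the entry as LDIF (what `ldapsearch -LLL -D "cn=Directory Manager" -W -b uid=pkidbuser,ou=people,o=ipaca` prints on a master), pulls serial and notAfter out of every userCertificate value with a minimal DER walker, checks that the description serial (format 2;<serial>;<issuer>;<subject>, as stated above) matches the newest certificate, and flags replicas whose newest certificate is older than the newest seen on any replica. The embedded certificates are constructed DER skeletons carrying only version, serial and validity; hostnames, serials, dates and the EXAMPLE.DE DNs are made up to mirror the thread (three certs on the renewal master, two stale ones elsewhere). A real run would feed it the ldapsearch output from each replica instead of the sample LDIF.

```python
# Compare uid=pkidbuser,ou=people,o=ipaca across CA replicas (added example, stdlib only).
import base64
from datetime import datetime, timedelta, timezone


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def cert_serial_and_not_after(der):
    """Serial and notAfter of an X.509 DER cert:
    Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity ..."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    _not_before, not_after = _children(fields[3][1])  # validity SEQUENCE
    fmt = "%y%m%d%H%M%SZ" if not_after[0] == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return serial, datetime.strptime(not_after[1].decode(), fmt).replace(tzinfo=timezone.utc)


def skeleton_cert(serial, not_after):
    """Constructed DER skeleton: only version, serial and validity are populated (sample data)."""
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))
           + _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + _tlv(0x30, b"") + _tlv(0x30, b"")                            # sigAlg, issuer
           + _tlv(0x30, utc(not_after - timedelta(days=730)) + utc(not_after))
           + _tlv(0x30, b"") + _tlv(0x30, b""))                           # subject, spki
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def parse_ldif_entry(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line.strip():
            lines.append(line)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def description_serial(desc):
    """description is 2;<serial>;<issuer>;<subject>; issuer/subject are kept whole."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % desc)
    return int(parts[1])


def check_replicas(entries):
    """entries: {replica: LDIF of uid=pkidbuser}. Flags description/cert mismatches and
    replicas whose newest subsystemCert is older than the newest seen on any replica."""
    report = {}
    for name, ldif in entries.items():
        attrs = parse_ldif_entry(ldif)
        certs = [cert_serial_and_not_after(d) for d in attrs.get("usercertificate", [])]
        newest_serial, newest_exp = max(certs, key=lambda c: c[1])
        desc = description_serial(attrs["description"][0])
        report[name] = {"newest": newest_serial, "expires": newest_exp,
                        "description": desc, "desc_ok": desc == newest_serial}
    fleet_newest = max(r["expires"] for r in report.values())
    for r in report.values():
        r["stale"] = r["expires"] < fleet_newest
    return report


def ldif_for(certs, desc_serial):
    """Constructed LDIF for uid=pkidbuser with the given (serial, notAfter) certs (sample data)."""
    out = ["dn: uid=pkidbuser,ou=people,o=ipaca",
           "description: 2;%d;CN=Certificate Authority,O=EXAMPLE.DE;CN=CA Subsystem,O=EXAMPLE.DE" % desc_serial]
    for serial, exp in certs:
        b64 = base64.b64encode(skeleton_cert(serial, exp)).decode()
        out.append("userCertificate:: " + b64[:58])
        out.extend(" " + b64[i:i + 76] for i in range(58, len(b64), 76))   # LDIF line folding
    return "\n".join(out) + "\n"


OLD = datetime(2017, 7, 1, tzinfo=timezone.utc)
MID = datetime(2019, 6, 30, tzinfo=timezone.utc)
NEW = datetime(2021, 7, 1, tzinfo=timezone.utc)
SAMPLE = {  # constructed to mirror the thread: renewal master has 3 certs, the others 2 stale ones
    "ipa1": ldif_for([(15, OLD), (40, MID), (63, NEW)], 63),
    "ipa0": ldif_for([(15, OLD), (40, MID)], 40),
    "ipa2": ldif_for([(15, OLD), (40, MID)], 15),   # description never updated
}

if __name__ == "__main__":
    for host, result in check_replicas(SAMPLE).items():
        print(host, result)
```

A replica marked stale but with desc_ok true has simply not received the renewed certificate over the o=ipaca agreement, which is the situation the csreplica status output in the thread points at; desc_ok false means the description was not updated together with userCertificate and should be fixed on that entry as well.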