On 9/9/20 9:58 AM, Stuart McRobert via FreeIPA-users wrote:
> Dear flo,
>
>> there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward.
>> First of all, please confirm that the server is the CA renewal master:
>>
>> # ipa config-show | grep "CA renewal"
>
> Although I can kinit on other hosts, this fails on what I consider to be our CA master.
>
> kinit sm
> kinit: Cannot contact any KDC for realm 'OUR_REALM' while getting initial credentials
>
> and would normally work up until the expiry.

Hi,

The IPA services are probably stopped. Can you try

# ipactl start --ignore-service-failures
# ldapsearch -H ldap://`hostname` -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

This should return an entry dn which contains the name of the renewal master, for instance:

dn: cn=CA,cn=hostname.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

Warning: if the replication got broken, the result may be different on other servers. Make sure all the nodes have the same view of who is CA renewal master.

Once you identify the CA renewal master, the repair procedure needs to be applied on this node first.

flo

> Now if I try from one of our clients:
>
> kinit works
>
> ipa config-show | grep "CA renewal"
> ipa: ERROR: cannot connect to 'https://PRIMARY_SERVER/ipa/json': [Errno 111] Connection refused
>
> which has happened since the expiry and web services etc. being unavailable, which seems to make sense.
>
> Attempt on one of the other freeipa servers: kinit works, but the ipa command fails with:
>
> ipa: ERROR: cannot connect to 'https://THIS_SERVER/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>
>> The output should display your hostname. If that's not the case, we need more information (which host is CA renewal master, are all the certs valid on this host?)
>
> What would you like me to gather next? I am being cautious as I don't want the user service to fail, but worry that not everything is working as it should be.
>
> Thanks.
> Best wishes
> Stuart
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
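The ldapsearch query flo gives returns the renewal master only as part of a dn, and the warning about replication is that different replicas may answer differently. The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell helper that extracts the hostname from that dn and checks that the answers gathered from several replicas agree before the repair is started on any of them. The LDIF at the bottom is constructed sample output in the shape the command above produces; the replica names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA). Parses the LDIF
# returned by:
#   ldapsearch -H ldap://<replica> -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W \
#       '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
# and checks that every replica names the same CA renewal master.

# Read LDIF on stdin and print the hostname embedded in
#   dn: cn=CA,cn=<host>,cn=masters,cn=ipa,cn=etc,...
# Prints nothing if no such dn is present (no renewal master found).
renewal_master_from_ldif() {
    sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,cn=ipa,cn=etc,.*/\1/p' | head -n 1
}

# Arguments are "replica=master" pairs, one per replica queried.
# Prints the agreed master and returns 0 when every replica names the
# same host; prints SPLIT and returns 1 when they disagree or one of
# them returned no master at all (broken replication, or a node that
# never learned who the master is).
check_renewal_master_consensus() {
    first=""
    for pair in "$@"; do
        master=${pair#*=}
        if [ -z "$master" ]; then
            echo "SPLIT"
            return 1
        fi
        if [ -z "$first" ]; then
            first=$master
        elif [ "$master" != "$first" ]; then
            echo "SPLIT"
            return 1
        fi
    done
    echo "$first"
    return 0
}

# Constructed sample LDIF standing in for live ldapsearch output
# (hostnames are placeholders, not from the thread).
SAMPLE_LDIF_IPA1='dn: cn=CA,cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
'
SAMPLE_LDIF_IPA2='dn: cn=CA,cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
'
# A replica that lost replication and still points at a different host.
SAMPLE_LDIF_IPA3='dn: cn=CA,cn=ipa2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
'

# Demo run: collect one answer per replica, then check consensus.
demo() {
    m1=$(printf '%s' "$SAMPLE_LDIF_IPA1" | renewal_master_from_ldif)
    m2=$(printf '%s' "$SAMPLE_LDIF_IPA2" | renewal_master_from_ldif)
    m3=$(printf '%s' "$SAMPLE_LDIF_IPA3" | renewal_master_from_ldif)
    if result=$(check_renewal_master_consensus "ipa1=$m1" "ipa2=$m2" "ipa3=$m3"); then
        echo "all replicas agree: CA renewal master is $result"
    else
        echo "replicas disagree (ipa1=$m1 ipa2=$m2 ipa3=$m3); fix replication before repairing"
    fi
}

demo
```

In practice each `SAMPLE_LDIF_*` variable would be replaced by the real ldapsearch output captured from that replica; the renewal master named by a consistent set of answers is the node on which flo's repair procedure must be run first.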