On 10/27/2017 06:41 PM, Bhavin Vaidya via FreeIPA-users wrote:
> ldapsearch from client works, on same host which we are trying to
> create replica. (ran ipa-client to test and then uninstall).
>
> [root@ds04 certs]# ldapsearch -x -v -H ldaps://ds01.example.com -s base -b '' namingContexts -d 1
> ...
> TLS: certificate [CN=Certificate Authority,O=EXAMPLE.COM] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> ...
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It doesn't look like ldapsearch is working. Why do you say that it works?
> [root@ds01 openldap]# certutil -d /etc/openldap/cacerts -L
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
I'm not sure that's relevant to the problem you're having on ds04, since
that directory isn't used by the FreeIPA LDAP server (as far as I
know). But now it looks like ds04 doesn't have the CA cert for FreeIPA,
and therefore does not trust its TLS certificates. Without that trust,
it naturally follows that both ldapsearch fails and replication does not
start.
It also looks like your FreeIPA installation on ds01 is somehow
inconsistent, with /etc/openldap/certs being out of date or corrupt.
That may or may not be related.
If this problem only affects one host, I'd suggest wiping it clean and
starting over. If you can't add any new host, then it would probably be
helpful to see the logs from the ipa server setup on a brand new host
which you try to add to the cluster.
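As an added example (not code from this thread or from the FreeIPA project), a small POSIX sh check an admin could run on ds04 to confirm whether the host's copy of the FreeIPA CA actually validates ds01's ldaps certificate, mapping openssl's verify code to the "issuer not trusted" condition discussed above. It assumes the CA bundle lives at /etc/ipa/ca.crt (the file ipa-client-install writes) and the sample s_client output embedded at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: does this host's FreeIPA CA copy validate a
# replica's ldaps certificate? Assumes the CA bundle at /etc/ipa/ca.crt (written by
# ipa-client-install); override with CA_FILE=... if yours lives elsewhere.
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"

# Read openssl s_client output on stdin and print the numeric "Verify return code".
# Returns 2 when no such line is present (no TLS handshake completed at all).
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$code" ] || return 2
    printf '%s\n' "$code"
}

# Translate an openssl X509 verify code into the cause a FreeIPA admin should look for.
describe_code() {
    case "$1" in
        0)        echo "ok: server cert chains to the CA in $CA_FILE" ;;
        19|20|21) echo "untrusted issuer: $CA_FILE is missing or is not the CA that signed the server cert" ;;
        10)       echo "server cert has expired" ;;
        *)        echo "verification failed, openssl code $1" ;;
    esac
}

# Live check against a replica (needs network). Exit status 0 only when the chain verifies.
check_ldaps() {
    host="$1"
    if [ ! -r "$CA_FILE" ]; then
        echo "no CA bundle at $CA_FILE: host was never enrolled or ca.crt was removed"
        return 1
    fi
    out=$(openssl s_client -connect "$host:636" -servername "$host" -CAfile "$CA_FILE" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code) || { echo "no TLS handshake with $host:636"; return 1; }
    describe_code "$code"
    [ "$code" = 0 ]
}

# Constructed samples of the relevant s_client lines, so the parser can be exercised offline.
SAMPLE_OK='SSL handshake has read 2041 bytes and written 415 bytes
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='SSL handshake has read 2041 bytes and written 415 bytes
    Verify return code: 19 (self signed certificate in certificate chain)'

# Usage on an enrolled client: check_ldaps ds01.example.com
```

A non-zero code from check_ldaps on ds04 while the same command passes on an enrolled client points at the host's CA trust rather than at the ds01 server.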