We have two replica servers sl1mmgplidm0001/2.
sl1mmgplidm0001 is functioning as CRL master and has no issues.
[root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: sl1mmgplidm0001
[root@sl1mmgplidm0001 ~]#
[root@sl1mmgplidm0001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0001 ~]#
sl1mmgplidm0002 is having an issue where the pki-tomcat process will not
start due to an expired cert. Its tracking request shows a CA_UNREACHABLE error:
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA
subject: CN=sl1mmgplidm0002,O=IPA
expires: 2019-01-08 20:16:52 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
[root@sl1mmgplidm0002 ~]#
Tried running the renew_ca_cert command and "getcert resubmit -i" with no luck.
Don't run ipa-cacert-manage renew. It renews only the root CA cert, which
won't help here.
We need to see the full output of getcert list to determine what status all
of the tracked certs are in.
You might also try this: