Jan Bundesmann via FreeIPA-users wrote:
Hi, thanks for your answer,
That seems in line with not being able to communicate with the CA:
```
[root@ldap2 requests]# ipa cert-show 1
ipa: ERROR: cannot connect to 'https://ldap1:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
```
You want to do this on ldap1 to ensure that the CA works. This does
confirm that the RA cert is expired.
Unfortunately, I will have no access to the system before next Monday
to obtain the `getcert list`. The status of the request is 'CA_WORKING' - that
much I can tell.
I could not see any other response in the logs (journalctl or /var/log/messages), and the
CSR does not seem to arrive at ldap1. But I understand that I could manually bring the CSR
to ldap1, sign it there, bring it back... There are, however, a lot of points I'm
unsure about.
The tracking state is what I was looking for. CA_WORKING means that it
is waiting for an updated certificate to become available. Is
replication working between the two systems?
Look on both LDAP servers in
cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test. There should be an entry
for the RA agent there (along with the other renewed CA certificates).
If the entry exists on ldap2 then getcert resubmit -d /etc/httpd/alias
-n ipaCert should force it to try to pick it up.
rob
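The replication check and resubmit Rob describes, as an added shell example that is not part of the thread or of FreeIPA itself: it assumes the RA agent entry is named cn=ipaCert under cn=ca_renewal (the same nickname as the tracking request), that ldapsearch authenticates with a Kerberos ticket, and it uses constructed ldapsearch output in place of the live dumps.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the cn=ca_renewal
# subtree has replicated from ldap1 to ldap2, and only then resubmit the
# RA agent tracking request. Assumptions: the RA entry is cn=ipaCert under
# cn=ca_renewal, and ldapsearch authenticates with GSSAPI (admin ticket).
set -u

# Real query: dump the DNs in the ca_renewal subtree of one server ($1=host, $2=suffix).
dump_renewal() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" \
        -b "cn=ca_renewal,cn=ipa,cn=etc,$2" '(objectClass=*)' dn
}

# Reduce an LDIF dump on stdin to its sorted, unique DNs.
renewal_dns() {
    sed -n 's/^dn: //p' | sort -u
}

# Print the DNs present in the first dump (LDIF text) but not in the second.
missing_on_replica() {
    want=$(mktemp) && have=$(mktemp)
    printf '%s' "$1" | renewal_dns > "$want"
    printf '%s' "$2" | renewal_dns > "$have"
    grep -v -x -F -f "$have" "$want" || true   # -f on an empty file matches nothing
    rm -f "$want" "$have"
}

# Succeed when dump $2 contains the renewal entry for nickname $1.
has_renewal_entry() {
    printf '%s' "$2" | grep -q "^dn: cn=$1,cn=ca_renewal,"
}

# Constructed dumps standing in for "dump_renewal ldap1 dc=example,dc=test"
# and the same for ldap2: ldap1 holds the renewed certs, ldap2 does not yet.
LDAP1_LDIF='dn: cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test

dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test

dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test
'
LDAP2_LDIF='dn: cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test
'

missing=$(missing_on_replica "$LDAP1_LDIF" "$LDAP2_LDIF")
if [ -n "$missing" ]; then
    echo "Not yet replicated to ldap2 (fix replication before resubmitting):"
    echo "$missing"
elif has_renewal_entry ipaCert "$LDAP2_LDIF"; then
    getcert resubmit -d /etc/httpd/alias -n ipaCert   # pick up the replicated cert
fi
```

Replace the two constructed variables with the output of dump_renewal for each host to run it against the real servers.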