Harald Dunkel via FreeIPA-users wrote:
> Hi Flo,
>
> FYI: ipa2 is essential in our environment, so I reinstalled
> the replica (without ca). There are still 2 other hosts
> ipa0 and ipabak with the same problem.
>
> On 7/17/19 2:50 PM, Florence Blanc-Renaud wrote:
>> Hi,
>> the renewal behaves differently on the renewal master and on other
>> nodes. On the renewal master, post-save will upload the new cert to
>> the LDAP entry, and replication will propagate these changes to the
>> other masters.
>
> AFAICS this new entry was not replicated.
>
>> On a non-renewal master, the renewal obtains the cert from the local
>> LDAP, but does not write to LDAP (as the replication is supposed to
>> have executed this part).
>>
>
> This part did not work. Since ipa2, ipa0 and the other don't have the
> new CA Subsystem certificate yet, I wonder if ipa1 (the renewal master)
> still accepts the old certificate for setting up a connection to ipa0?
>
>> I don't understand in your case how the getcert resubmit managed to
>> update the cert (because it's supposed to get it from the local LDAP
>> server), and according to the ldapsearch you did it's not present. Can
>> you double check the ldap search but with -h ipa2 -p 389 to make sure
>> the expected server is used?
>>
>
> See below. There is only one conclusion: getcert resubmit did *not* use the
> local ldap server.
>
> ldapsearch on ipa0 shows that the replicas are out of sync wrt
> certificate information:
>
> [root@ipa0 ~]# ldapsearch -h ipa0 -p 389 -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter: uid=pkidbuser
> # requesting: userCertificate
> #
>
> # pkidbuser, people, ipaca
> dn: uid=pkidbuser,ou=people,o=ipaca
> userCertificate::
> MIIDhjCCAm6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
> :
> DLmWOwnnZiyUGBpv1bM46fBcTuDwHG7NVveaiQ0R1Cpva185zzkyyqDB8AL8ygb/e+8iaY
> userCertificate::
> MIIDhTCCAm2gAwIBAgIBUzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
> :
> 8DJ0nHC1E4pArqQ/yWDksCpcEWP/woYiF5HgK3jAc5Ba2smS+NyQicpg+ZkpvMPE9ZWsQ=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa0 ~]# ldapsearch -h ipa1 -p 389 -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter: uid=pkidbuser
> # requesting: userCertificate
> #
>
> # pkidbuser, people, ipaca
> dn: uid=pkidbuser,ou=people,o=ipaca
> userCertificate::
> MIIDhjCCAm6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
> :
> DLmWOwnnZiyUGBpv1bM46fBcTuDwHG7NVveaiQ0R1Cpva185zzkyyqDB8AL8ygb/e+8iaY
> userCertificate::
> MIIDhTCCAm2gAwIBAgIBUzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
> :
> 8DJ0nHC1E4pArqQ/yWDksCpcEWP/woYiF5HgK3jAc5Ba2smS+NyQicpg+ZkpvMPE9ZWsQ=
> userCertificate::
> MIIDhTCCAm2gAwIBAgIBaTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
> :
> qISlV77vwnVQ4f9mHYMDH2fxVn+Yg1NeW7Hfs30w9dh0p1t45KmI5pzEtreyqF/ARtq94=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> As you can see, ipa1 has a 3rd certificate.
>
>
>
>> Also, is there a /etc/ipa/renew.conf file with an ldap_uri different
>> from the one in /etc/ipa/default.conf on ipa1?
>>
>
> [root@ipa1 ~]# cat /etc/ipa/renew.conf
> cat: /etc/ipa/renew.conf: No such file or directory
>
> Same on ipa0.
The renewal certificates are passed via the main IPA backend. Check to see if that replication is working.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
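The thread's diagnosis rests on eyeballing two ldapsearch dumps and noticing that ipa1 carries a third userCertificate value. The script below automates that comparison: it unfolds the LDIF, decodes each userCertificate blob, reads the X.509 serial number straight from the DER header (so the abbreviated values quoted in the thread still parse) and reports which server is missing which serial. This is an added example, not code from FreeIPA or from anyone in the thread; the function names are mine, and the sample input is the first base64 line of each certificate as quoted above for ipa0 and ipa1 (the ipa1 copy is wrapped onto LDIF continuation lines to exercise the unfolding). In practice you would run the two ldapsearch commands from the thread against every master and feed the full output into `LDIF_BY_SERVER`; the same comparison works for any other entry you suspect of not replicating.

```python
import base64

# Constructed sample input: the userCertificate values of
# uid=pkidbuser,ou=people,o=ipaca as quoted in the thread, reduced to the first
# base64 line of each (the thread abbreviates the rest with ":"). Real
# ldapsearch output carries the full value wrapped at 76 columns with
# continuation lines that start with a single space; both forms are handled.
LDIF_BY_SERVER = {
    "ipa0": """\
# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDhjCCAm6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE
userCertificate:: MIIDhTCCAm2gAwIBAgIBUzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJE

# search result
search: 2
result: 0 Success
""",
    "ipa1": """\
# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDhjCCAm6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBBMQsw
 CQYDVQQGEwJE
userCertificate:: MIIDhTCCAm2gAwIBAgIBUzANBgkqhkiG9w0BAQsFADBBMQsw
 CQYDVQQGEwJE
userCertificate:: MIIDhTCCAm2gAwIBAgIBaTANBgkqhkiG9w0BAQsFADBBMQsw
 CQYDVQQGEwJE

# search result
search: 2
result: 0 Success
""",
}


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def certificates_from_ldif(text):
    """Return [(dn, der_bytes)] for every base64 userCertificate in an ldapsearch dump."""
    dn, out = None, []
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userCertificate:: "):
            b64 = line[len("userCertificate:: "):].strip()
            b64 += "=" * (-len(b64) % 4)          # tolerate abbreviated values
            out.append((dn, base64.b64decode(b64)))
    return out


def der_header(buf, pos):
    """Decode the tag and length at buf[pos]; return (tag, length, content_start).
    Only the header is read, so a truncated value still parses."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                              # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                              # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def certificate_serial(der):
    """serialNumber from the DER prefix of an X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, _, pos = der_header(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = der_header(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, length, pos = der_header(der, pos)
    if tag == 0xA0:                               # explicit [0] version (v2/v3 certs)
        tag, length, pos = der_header(der, pos + length)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[pos:pos + length], "big", signed=True)


def serials_by_server(ldif_by_server):
    """Map each server name to the set of certificate serials it holds."""
    return {host: {certificate_serial(der) for _, der in certificates_from_ldif(text)}
            for host, text in ldif_by_server.items()}


def replication_gaps(serials):
    """For each server, the serials some other server has but it lacks.
    An empty dict means the entry is consistent on every server."""
    everything = set().union(*serials.values())
    return {host: sorted(everything - have)
            for host, have in serials.items() if everything - have}


if __name__ == "__main__":
    serials = serials_by_server(LDIF_BY_SERVER)
    for host, have in serials.items():
        print(f"{host}: serials {sorted(have)}")
    for host, missing in replication_gaps(serials).items():
        print(f"{host} lacks serial(s) {missing}: the entry did not replicate to it")
```

Serials are printed in decimal; convert to hex if you want to match them against the certificate listings in the CA's own tooling. Running the sample reports ipa0 as lacking serial 105, which is the third certificate that only ipa1 has in the dumps above.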