Harald Dunkel via FreeIPA-users wrote:
> Hi Rob,
> 
> On 7/17/19 9:27 PM, Rob Crittenden via FreeIPA-users wrote:
>>
>> The renewal certificates are passed via the main IPA backend. Check to
>> see if that replication is working.
>>
> 
> It is not:
> 
> [root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de
> Directory Manager password:
> 
> ipa1.example.de
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: Error (-11) Problem connecting to replica - LDAP
> error: Connect error (connection error)
>   last update ended: 1970-01-01 00:00:00+00:00
> 
> The others show connection errors as well. ipa-replica-manage (without
> "cs") doesn't mention any connection problems.

Right, it is the second one I asked about. This is where the replication
of the renewed certificates happens.

Look in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com to see if the
updated certificates are there. If they are then try to manually
resubmit the certmonger tracking for it.

For example, for the subsystem cert you'd do something like:

# getcert resubmit -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'

This should cause it to pull the updated cert from LDAP and apply it
locally.

Logging will go to the journal.

rob

> 
> Is it possible that these connection errors occur *because* the
> new certificate is not installed yet, and because the old certificate
> is not trusted anymore?
> 
> Please note also that pki-tomcatd refuses to start on any host except
> for ipa1. Error message: Authentication error. See below for the debug
> log. Might be unrelated.
> 
> 
> Regards
> Harri
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
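Rob's check above, as an added example that is neither part of this thread nor FreeIPA's own tooling: it compares the certificate stored under cn=ca_renewal (the copy that arrives over the main IPA backend replication) with what the local pki-tomcat NSS database holds, and only suggests the getcert resubmit when they differ. The base DN dc=example,dc=com, a GSSAPI bind using an existing Kerberos ticket, and the userCertificate;binary attribute on cn=<nickname> entries are assumptions.

```python
#!/usr/bin/env python3
"""Compare the renewed cert held in cn=ca_renewal (replicated over the main
IPA backend) with the copy in the local pki-tomcat NSS database."""
import base64
import hashlib
import re
import subprocess
import sys

SUFFIX = "dc=example,dc=com"          # assumption: your IPA base DN
NSSDB = "/etc/pki/pki-tomcat/alias"   # NSS DB path from the thread
RENEWAL_BASE = "cn=ca_renewal,cn=ipa,cn=etc," + SUFFIX

def parse_ldif_certs(ldif):
    """Map each entry's cn to the DER bytes of its userCertificate;binary,
    after unfolding LDIF continuation lines (newline plus one space)."""
    certs, cn = {}, None
    for line in re.sub(r"\n ", "", ldif).splitlines():
        low = line.lower()
        if low.startswith("dn:"):
            m = re.match(r"dn:\s*cn=([^,]+),", line, re.I)
            cn = m.group(1) if m else None
        elif cn and low.startswith("usercertificate;binary::"):
            certs[cn] = base64.b64decode(line.split("::", 1)[1].strip())
    return certs

def pem_to_ders(pem):
    """Decode every PEM block; 'certutil -L -a' can print several per nickname."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def fingerprint(der):
    """SHA-256 of the DER encoding, so two copies compare by content."""
    return hashlib.sha256(der).hexdigest()

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    nick = sys.argv[1] if len(sys.argv) > 1 else "subsystemCert cert-pki-ca"
    # assumption: a Kerberos ticket (kinit admin) is available for the GSSAPI bind
    ldif = run(["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", "cn=%s,%s" % (nick, RENEWAL_BASE)])
    ldap_der = parse_ldif_certs(ldif).get(nick)
    if ldap_der is None:
        sys.exit("%s: not under %s yet, check the IPA backend replication" % (nick, RENEWAL_BASE))
    local = {fingerprint(d) for d in pem_to_ders(run(["certutil", "-L", "-d", NSSDB, "-n", nick, "-a"]))}
    if fingerprint(ldap_der) in local:
        print("%s: local NSS DB already holds the LDAP copy" % nick)
    else:
        print("%s: differs, run: getcert resubmit -d %s -n '%s'" % (nick, NSSDB, nick))
```

Run it on the replica whose certmonger request is stuck; if it reports no entry under cn=ca_renewal, the fix is on the replication side, not on certmonger.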