Harald Dunkel via FreeIPA-users wrote:
>
> AFAICS the new certificates are in ldap on the non-renewal masters (e.g.
> ipa0). Here is the output of the suggested getcert session on ipa0:
>
> [root@ipa0 ~]# date
> Fri Jul 19 11:21:00 CEST 2019
> [root@ipa0 ~]# getcert resubmit -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
> Resubmitting "20181031072253" to "dogtag-ipa-ca-renew-agent".
> [root@ipa0 ~]# journalctl -xe
> Jul 19 11:20:54 ipa0.example.de server[2612]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
> ...
> Jul 19 11:21:14 ipa0.example.de dogtag-ipa-ca-renew-agent-submit[32209]: Updated certificate not available
> ...
This is the important bit. The updated certificate is not in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX.

This is why I asked if IPA replication was working (not the CA replication).

I'd start by looking at this subtree on all masters to see what, if anything, is in it.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
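Rob's advice is to look at cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX on every master. The following script is an added example, not code from the thread or from FreeIPA: it parses saved ldapsearch -LLL dumps of that subtree (one per master, LDIF with folded lines and base64 userCertificate;binary values) and reports renewal entries whose certificate blobs differ between masters or are missing on one of them. The suffix dc=example,dc=de, the host ipa1.example.de and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib

def _ldif_entry(cn, der, fold_at=0):
    """One 'ldapsearch -LLL' style entry; fold_at > 0 wraps the base64 onto a continuation line."""
    b64 = base64.b64encode(der).decode()
    if fold_at:
        b64 = b64[:fold_at] + "\n " + b64[fold_at:]
    # dc=example,dc=de stands in for $SUFFIX, which the thread does not state
    return f"dn: cn={cn},cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=de\nuserCertificate;binary:: {b64}\n\n"

# Constructed dumps with placeholder bytes instead of real DER certificates: ipa1 holds a
# renewed subsystemCert, ipa0 still has the old blob and has no auditSigningCert entry at all.
SAMPLE_DUMPS = {
    "ipa1.example.de": _ldif_entry("subsystemCert cert-pki-ca", b"constructed-NEW-subsystemCert")
    + _ldif_entry("caSigningCert cert-pki-ca", b"constructed-caSigningCert")
    + _ldif_entry("auditSigningCert cert-pki-ca", b"constructed-auditSigningCert"),
    "ipa0.example.de": _ldif_entry("subsystemCert cert-pki-ca", b"constructed-OLD-subsystemCert", 20)
    + _ldif_entry("caSigningCert cert-pki-ca", b"constructed-caSigningCert"),
}

def parse_ldif(text):
    """Return {dn: {attr: bytes}} from LDIF: unfold continuation lines, decode 'attr:: base64'."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):   # unfold, then one block per entry
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            # 'attr:: ...' is base64 (binary values such as userCertificate;binary)
            attrs[attr.lower()] = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        entries[attrs.pop("dn").decode()] = attrs
    return entries

def cert_fingerprints(ldif_text):
    """Map each entry's leading cn to the SHA-256 fingerprint of its certificate blob."""
    return {dn.split(",", 1)[0][3:]: hashlib.sha256(a["usercertificate;binary"]).hexdigest()
            for dn, a in parse_ldif(ldif_text).items() if "usercertificate;binary" in a}

def compare_masters(dumps):
    """Return {cn: {master: fingerprint or 'MISSING'}} only for entries the masters disagree on."""
    per_master = {m: cert_fingerprints(t) for m, t in dumps.items()}
    report = {}
    for cn in sorted(set().union(*per_master.values())):
        seen = {m: fps.get(cn, "MISSING") for m, fps in per_master.items()}
        if len(set(seen.values())) > 1:           # identical on every master -> nothing to report
            report[cn] = seen
    return report
```

To feed it real data, dump the subtree on each master with something like `ldapsearch -LLL -Y GSSAPI -b "cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX" userCertificate` and load each file's text into the dict in place of SAMPLE_DUMPS; an entry reported as MISSING or with a differing fingerprint on a master points at the replication gap Rob describes.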