Harald Dunkel via FreeIPA-users wrote:
> Hi Rob,
>
> On 7/19/19 3:45 PM, Rob Crittenden wrote:
>> Harald Dunkel via FreeIPA-users wrote:
>>>
>>> AFAICS the new certificates are in ldap on the non-renewal masters (e.g.
>>> ipa0). Here is the output of the suggested getcert session on ipa0:
>>>
>>> [root@ipa0 ~]# date
>>> Fri Jul 19 11:21:00 CEST 2019
>>> [root@ipa0 ~]# getcert resubmit -d /etc/pki/pki-tomcat/alias/ -n
>>> 'subsystemCert cert-pki-ca'
>>> Resubmitting "20181031072253" to "dogtag-ipa-ca-renew-agent".
>>> [root@ipa0 ~]# journalctl -xe
>>> Jul 19 11:20:54 ipa0.example.de server[2612]: at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>
>> ...
>>> Jul 19 11:21:14 ipa0.example.de dogtag-ipa-ca-renew-agent-submit[32209]:
>>> Updated certificate not available
>> ...
>>
>> This is the important bit. The updated certificate is not in
>> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. This is why I asked if IPA
>> replication was working (not the CA replication). I'd start by looking
>> at this subtree on all masters to see what, if anything, is in it.
>>
>
> I haven't found an ldapsearch command to show me the certificate as a
> pem file yet, but according to jxplorer ipa1 and ipa0 have the same
> certificates in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. Same "Thumbprints".
> I double checked esp. the CA Subsystem certificate.
The userCertificate is base64-encoded, the same as PEM. PEM just has the
header and footer and 64 character lines.

The log doesn't seem to say which cert isn't found. You could try again
and see what is being logged to find out what cert can't be found, and
potentially why.

> The ldap database is in sync, wrt. the certificates in
> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX ...
> New users are replicated to all ipa servers as well. AFAICS ldap
> is in sync.
>
> Would you suggest to do a re-initialize on ipa0 from ipa1 (the
> renewal-master)?

If the masters are already in sync a re-init will be a no-op.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org