Jan Bundesmann via FreeIPA-users wrote:
> Hi there,
> 
> I need some suggestions for a certificate related problem.
> The setup has 2 servers, let's call them ldap1 and ldap2 with ldap1 being the 
> primary system with the CA.
> The certificates were to expire on June 15.
> I checked on June 1st and on ldap1 certmonger had renewed all certificates, 
> on ldap2 certmonger was not running.
> So, I restarted the certmonger service and it began its work. `getcert list` 
> shows three certificates (it's ipa 4.4, so that's probably correct)
> 
> Quite soon, the first certificate was renewed (HTTP/ldap2, ...) I assume 
> that's the one for the web UI. A second one (ldap/ldap2...) is still valid 
> until december. I assume that's why all the ldap related stuff and 
> replication is still working.
> 
> But the cn=IPA RA expired one week ago (May 24th).
> 
> I have no ipa-certs-fix, would setting back the system clock still work? The 
> HTTP/ldap2 certificate was not yet valid when the IPA RA certificate expired.
> 
> Or, put the other way round: what happens if I don't renew this certificate? 
> That's not quite clear to me. Currently the system is working fine, 
> replication works, and in 2022 the hardware will be replaced, so we will set up 
> new replicas anyway. But that's after the expiration date of the ldap/ldap2 
> certificate.
> 
> I hope this is understandable and thanks in advance for any hint.

Only one server (CA replication master) does the renewal of the CA
certificates, including the RA certificate. It puts the results into
LDAP where the other servers can retrieve the updated certificates.

So the RA certificate seems already renewed if the server with a CA is
working (ipa cert-show 1 as a test).

The impact of not having an updated RA certificate on ldap2 is that it
won't be able to communicate with the CA.

Can we see the tracking of this request on ldap2?

getcert list -d /etc/httpd/alias -n ipaCert

rob
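A small checker for the `getcert list` output Rob asks for, added here as an example and not taken from the thread or from the FreeIPA project: it parses certmonger's request blocks and flags any tracked certificate that is already expired, close to expiry, or no longer in MONITORING state. The sample output is constructed (IPA 4.4 layout with `/etc/httpd/alias` and nickname `ipaCert`); real output carries more fields than shown, which the parser simply keeps as extra keys.

```python
"""Parse `getcert list` output and flag tracked requests that need attention."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape certmonger prints on an IPA 4.4 replica;
# request IDs, realm, hostnames and dates are made up for illustration.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2021-05-24 12:00:00 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20170101120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ldap2.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-10 12:00:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger's field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Map each subject to (state, days_left); state is expired/expiring/not-monitoring/ok."""
    findings = {}
    for req in requests:
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            state = "not-monitoring"   # certmonger will not renew this one on its own
        elif days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        findings[req.get("subject", req["id"])] = (state, days_left)
    return findings
```

Run it against the real output with `check_requests(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), datetime.now(timezone.utc))`; an "expired" RA entry on a replica matches the situation described above, where the CA renewal master has already renewed the certificate but the replica has not picked it up.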
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org