GH via FreeIPA-users wrote:
> Okay, took a gamble and copied the old passwd.txt file back in on 
> "secondary".  No change.  Then copied the old key3.db file back in and ... it 
> started!  Haven't copied secmod.db back into place.  Should I?  I guess I 
> should have only copied the cert8.db file over?

I wouldn't recommend manually copying anything between servers except as
a last resort.

These certificates should be tracked and kept in sync by certmonger.

One of your servers should be configured as the "renewal master". You
can find out which one with:

# ipa config-show | grep renewal
  IPA CA renewal master: ipa.example.test

That is the CA that does the actual renewals of expiring certificates.
The other servers get the updated certificates from this one.

So make sure that the most recent "renewed" certificate was done on the
renewal master by certmonger, otherwise it won't be distributed properly.
How you have two valid certificates at the same time I don't know.

So I'd recommend trying to figure out what happened so we can prevent
future problems and get things back in sync in the best and safest way.

rob
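
Added example, not part of the message above and not FreeIPA code: a small checker that reads the renewal master from `ipa config-show` output and flags certmonger requests in `getcert list` output that are not healthy. The sample text is constructed, the function names are hypothetical, and the field layout is assumed to match the sample.

```python
import re
from datetime import datetime, timezone

# Constructed samples; hostnames, request IDs and dates are placeholders.
SAMPLE_CONFIG = "  IPA CA renewal master: ipa.example.test\n"
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20190101000001':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2030-01-01 00:00:00 UTC
Request ID '20190101000002':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2020-01-01 00:00:00 UTC
"""

def renewal_master(config_text):
    """Return the host named on the 'IPA CA renewal master' line, or None."""
    m = re.search(r"^\s*IPA CA renewal master:\s*(\S+)", config_text, re.M)
    return m.group(1) if m else None

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def needs_attention(requests, now):
    """Return (id, subject, reason) for requests that are unhealthy or expired."""
    found = []
    for r in requests:
        exp = r.get("expires")  # absent when no certificate has been issued yet
        when = exp and datetime.strptime(
            exp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            found.append((r["id"], r.get("subject"), "status " + str(r.get("status"))))
        elif when and when <= now:
            found.append((r["id"], r.get("subject"), "expired"))
    return found
```

Run it on each server against that server's own `getcert list` output, and compare the renewal master name with the local hostname to see which side should be doing the renewing.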