When I upgraded the servers to EL8 (I rebuilt from scratch using the old hostnames), I had neglected to assign an IPA CA renewal master after the old "boss" was retired. This crime is of course its own punishment.

I found the documentation for handling this to actually be pretty good:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_working-with-idm-certificates#doc-wrapper

Fraser's blog was also helpful (in confirming I executed this correctly):
https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fix.html

I progressed through the other three IPA servers, but the last one still has a bad expiration on the CA cert.

[root@ef-idm01 ~]# date
Wed Feb 14 07:08:38 PST 2024
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
        status: NEED_CA
        subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
        expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix
WARNING ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used in such
scenarios, and backup of the system, especially certificates and keys,
is STRONGLY RECOMMENDED.

The following certificates will be renewed:

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
  Serial:  162
  Expires: 2024-01-02 15:58:28

Enter "yes" to proceed: yes
Proceeding.
Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
  Serial:  1341915142
  Expires: 2026-02-03 20:18:20

Becoming renewal master.
Restarting IPA
Note: Monitor the certmonger-initiated renewal of certificates after
ipa-cert-fix and wait for its completion before any other administrative task.
The ipa-cert-fix command was successful
[root@ef-idm01 ~]#

I checked the cert expiration several times yesterday, but it never updated on this server. I waited a full day to let certmonger do its thing; below is my result this morning.

[root@ef-idm01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
        status: NEED_CA
        subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
        expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix
Nothing to do.
The ipa-cert-fix command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
        status: MONITORING
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
        status: NEED_CA
        subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
        expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]#

How can I sort out this one remaining issue? Do I just assign another server as the renewal master?

thanx - grant
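An added example, not from the original post or from the FreeIPA project: a small POSIX shell check that parses `getcert list` output and flags every tracked request that is not in MONITORING (such as the NEED_CA IPA RA entry above) or whose certificate expires before a cutoff date. The listing it runs on is a constructed sample modelled on the post's output, and the function and sample names are assumptions.

```shell
#!/bin/sh
# Audit a `getcert list` listing read on stdin: print one line per request
# (id, status, expiry date, verdict) and exit 1 if any request is not in
# MONITORING or expires before the cutoff. Usage:
#   getcert list | check_getcert_tracking YYYY-MM-DD
check_getcert_tracking() {
    awk -v cutoff="$1" '
        function emit(verdict) {
            verdict = "ok"
            if (status != "MONITORING") verdict = "NOT_TRACKED"
            else if (expires != "" && expires < cutoff) verdict = "EXPIRING"
            if (verdict != "ok") problems++
            printf "%s %s %s %s\n", id, status, (expires == "" ? "-" : expires), verdict
        }
        /^Request ID/ {
            if (id != "") emit()
            id = substr($3, 2, length($3) - 3)   # strip quotes and trailing colon
            status = ""; expires = ""
        }
        /^[[:space:]]*status:/  { status = $2 }
        /^[[:space:]]*expires:/ { expires = $2 }  # keep only the YYYY-MM-DD part
        END { if (id != "") emit(); exit (problems > 0) }
    '
}

# Constructed sample (not real output) in the layout getcert list prints:
# one healthy host cert and the stuck IPA RA request from the post.
sample_listing() {
cat <<'EOF'
Request ID '20230530175932':
        status: MONITORING
        stuck: no
        subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
        expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180438':
        status: NEED_CA
        stuck: no
        subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
        expires: 2024-01-02 07:58:28 PST
EOF
}

# Warn 30 days ahead where GNU date is available, otherwise use today.
cutoff=$(date -d '+30 days' +%F 2>/dev/null || date +%F)
sample_listing | check_getcert_tracking "$cutoff" || echo "certmonger tracking needs attention"
```

Run against a live server as `getcert list | check_getcert_tracking "$(date -d '+30 days' +%F)"`; a non-zero exit is the signal that renewal did not complete.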
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org