I have an IdM replica that stopped sending its replications to the other 
replicas in the environment. I want to reinitialize it to hopefully resolve 
that replication problem. However, when confirming what data would be lost in 
the reinitialization, I noticed that the replica has reissued itself 
certificates for its own LDAP and HTTP services. These certificates are the 
ones found in the "userCertificate" attributes of the 
"krbprincipalname=ldap/isolated-repl...@example.com,cn=services,cn=accounts,dc=example,dc=com"
and
"krbprincipalname=HTTP/isolated-repl...@example.com,cn=services,cn=accounts,dc=example,dc=com"
DNs. The other replicas show the older certificates in those multivalue 
entries, but not the new ones. In addition, the previous certificates have now 
expired.

I'm concerned about what will happen if I perform a reinitialization of this 
replica. Will it restart its LDAP and HTTP services with an old, expired 
certificate? What effect will that have on other replicas trying to connect to 
it? Will it still have keys for those old certificates? Will it be able to 
reissue its certificates again? The existence of the "ipa-cert-fix" utility 
implies not.

Or will it keep its new certificates? Will those certificates cause a problem 
when they no longer exist in the replica's own domain database?

The replica in question will still accept replications from the rest of the 
environment. Is it possible to get another replica to push new certificates to 
it, so that that new certificate will exist in the domain database after a 
reinitialization happens?

This is all in an IdM environment run under RHEL 7.9, so FreeIPA 4.6.8. (I'm 
desperately trying to dig myself out of replication problems before I upgrade. 
This is the next-to-last issue.)

-- 
William Faulk
--
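A check worth running before deciding on the reinit, as an added example that is not from this thread or from the FreeIPA project: pull the service entries' userCertificate values from each replica (for instance with `ldapsearch -LLL` against each server) and compare which certificate fingerprints each one actually holds, so the gap is measured rather than guessed. The LDIF below is a constructed stand-in for that output, with placeholder bytes in place of real certificates; the replica names and the single entry shown are assumptions.

```python
import base64
import hashlib
# Constructed sample of what `ldapsearch -LLL ... userCertificate` against the service
# entries returns from two replicas; the values are placeholder bytes, not real DER certs.
REPLICA_LDIF = {
    "isolated-repl": """\
dn: krbprincipalname=ldap/isolated-repl.example.com@EXAMPLE.COM,cn=services,cn=accoun
 ts,dc=example,dc=com
userCertificate;binary:: T0xELUxEQVAtQ0VSVA==
userCertificate;binary:: TkVXLUxEQVAtQ0VSVA==
""",
    "healthy-repl": """\
dn: krbprincipalname=ldap/isolated-repl.example.com@EXAMPLE.COM,cn=services,cn=accoun
 ts,dc=example,dc=com
userCertificate;binary:: T0xELUxEQVAtQ0VSVA==
""",
}

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: [(attr, bytes), ...]}; joins folded lines, decodes '::' base64."""
    entries, dn, attrs = {}, None, []
    for line in text.replace("\n ", "").splitlines() + [""]:   # a leading space marks a folded line
        if not line:                                            # a blank line terminates an entry
            if dn:
                entries[dn] = attrs
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        data = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        if name == "dn":
            dn = data.decode()
        else:
            attrs.append((name.lower(), data))
    return entries
def fingerprint(der):
    return hashlib.sha256(der).hexdigest()   # same digits as `openssl x509 -noout -fingerprint -sha256`
def missing_certs(ldif_by_replica):
    """{dn: {replica: fingerprints some other replica carries for this entry that this one lacks}}."""
    seen = {}
    for replica, text in ldif_by_replica.items():
        for dn, attrs in parse_ldif(text).items():
            seen.setdefault(dn, {})[replica] = {fingerprint(v) for a, v in attrs if a.startswith("usercertificate")}
    report = {}
    for dn, per_replica in seen.items():
        union = set().union(*per_replica.values())
        gaps = {r: union - per_replica.get(r, set()) for r in ldif_by_replica}
        if any(gaps.values()):
            report[dn] = {r: g for r, g in gaps.items() if g}
    return report
```

Run on the sample, `missing_certs(REPLICA_LDIF)` reports the healthy replica as lacking one fingerprint for the ldap/ entry, which is exactly the state the question describes; a reported fingerprint can be matched against `openssl x509 -noout -fingerprint -sha256` on the file the isolated replica is serving.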
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org