On 01/31/2014 10:00 AM, Sigbjorn Lie wrote:
>
>
> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>
>>> This worked better than expected. Thank you! :)
>>>
>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays
>>> any certificates out of date, and all certificates in need of renewal
>>> within 28 days have been renewed. The webui also started working again
>>> and things seem to be back to normal.
>>>
>>> ipa03 however is still having issues. I could not renew any certificates
>>> on this server to begin with, but I managed to renew the certificates for
>>> the directory servers by changing the xmlrpc url to another ipa server in
>>> /etc/ipa/default.conf and resubmitting these requests.
>>>
>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with
>>> NEED_GUIDANCE after a short while for the certificates for the PKI service.
>>>
>>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>>> Updated certificate for ipaCert not available".
>>>
>>> There is a lot of information in /var/log/pki-ca/debug, but nothing
>>> that I can easily distinguish as an error from all the other output.
>>> Anything in particular I should look for?
>>
>> Ok, so this is a bug in IPA related to python readline. Garbage is
>> getting inserted and causing bad things to happen,
>> https://fedorahosted.org/freeipa/ticket/4064
>>
>> So the question is, are the certs available or not.
>>
>> A number of the same certificates are shared amongst all the CAs. One
>> does the renewal and stuffs the result into
>> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that
>> location for an updated cert and will load them if they are updated.
>>
>> Look to see if the certs are updated there. Given that you have 2
>> working masters I'm assuming that is the case, so it may just be a
>> matter of fixing the python.
>>
> I could not get anywhere even after manually patching the python script as
> mentioned in the ticket you provided.
>
> I ended up removing and re-adding the replica during a maintenance window.
> For future reference, what I did was to remove the replica as per the
> Identity Management Guide on docs.redhat.com. I then re-created the replica
> installation file and installed the replica.
>
> At this point Certmonger managed to retrieve new certificates for the
> expired certificates, but it kept segfaulting when it attempted to save the
> certificate to disk. I restarted certmonger a few times, but certmonger just
> ended up segfaulting over and over. I decided to block the ipa server off
> the network and change the date back to before the certs expired. After the
> date was changed I restarted certmonger. Certmonger managed to save the
> certs successfully this time and a "getcert list" now displays only
> certificates with an expiry date of 2015 or 2016 and a status of MONITORING.
>
> I changed the date back to the correct date and time and removed the
> iptables rules. The replica now works just fine.
>
> Thank you for your assistance.
>
Can you give us some core dumps from certmonger to see why it is crashing? We would like to fix crash bugs if we see them.

> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
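As an added example (not code from this thread or from the FreeIPA project), here is a small Python check that parses `getcert list` output and flags tracked requests that are not in MONITORING or that fall inside the 28-day renewal window Siggi mentions. The sample output, its request IDs, paths and dates, and the "as of" time are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output; IDs, paths and dates are made up.
SAMPLE = """\
Request ID '20140117163700':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\texpires: 2016-01-17 16:37:00 UTC
Request ID '20140117163701':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ipaCert'
\texpires: 2014-02-10 10:00:00 UTC
"""
NOW = datetime(2014, 1, 31, 10, 0, tzinfo=timezone.utc)  # assumed "as of" time (thread date)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and line.startswith("\t"):  # indented "key: value"
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def check_tracking(text, now=NOW, window_days=28):
    """Return [(request_id, nickname, reasons)] for requests that need attention."""
    findings = []
    for e in parse_getcert_list(text):
        reasons = []
        if e.get("status") != "MONITORING":
            reasons.append("status " + e.get("status", "?"))
        if "expires" in e:  # getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'
            stamp = e["expires"].rpartition(" ")[0]
            exp = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            days = (exp - now).days
            if days < 0:
                reasons.append("expired %d days ago" % -days)
            elif days <= window_days:
                reasons.append("expires in %d days" % days)
        if reasons:
            nick = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
            findings.append((e["request_id"], nick.group(1) if nick else "?", reasons))
    return findings
```

Run against real output with `check_tracking(open("getcert.txt").read(), datetime.now(timezone.utc))`; an empty list means every tracked request is in MONITORING and outside the renewal window.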