The output of getcert list-cas from the replica is below. It contains both the 
'renew' and the 'retrieve' items.

As previously stated, the services are not running on the replica. I have been 
nervous about starting them, not wanting to impact the functional master. But 
it is sounding like starting them up is all I really need to do to fix things.

Would I need to set the date back on both systems? Will the certs renew 
more-or-less immediately, or will there be some lag after starting up the 
replica ipa service?



CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, September 03, 2014 3:19 PM
To: Ott, Dennis; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cert Renewal

Ott, Dennis wrote:
> I may need a little more direction here.
> 
> The output from getcert list-cas does not contain the string 'ca_renewal'. 
> 
> What does this indicate?

I don't have a 2 -> 3 updated server handy so I'm going on best guesses from 
reading the code. It is probably ok. You really just need to be sure to have a 
CA that has a submit script of dogtag-ipa-retrieve-agent-submit and one for 
dogtag-ipa-renew-agent.

What is the output from list-cas?

The way that CA renewal works is this:

- One CA, the first install by default, is marked as the CA renewal master. The 
only thing that distinguishes this master is the way the renewal scripts are 
configured. This CA does the actual renewal of the certificates and pushes the 
resulting public certs into a shared space in the IPA LDAP tree.
- The other CAs monitor this area, via those two dogtag-ipa-* scripts, and 
fetch and install updated certificates when one is available.

When a cert is in CA_WORKING state it means that an update should be available 
but isn't in the shared tree, so certmonger will try again in a few hours.

Assuming that certmonger is configured properly then it should just be a matter 
of getting the right certs added to the LDAP tree.

rob
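As an added check that is not part of the thread, the script below audits `getcert list` output on a CA replica against the tracking configuration Rob lists in his earlier reply (retrieve-agent CA with stop_pkicad/restart_pkicad for the three cert-pki-ca subsystem certs, no pre-save and restart_httpd for ipaCert) and prints each cert's status so you can see which are still CA_WORKING rather than MONITORING. The function names and the sample output are constructed for this example; only the helper basenames are compared because the helper directory varies between IPA versions.

```shell
#!/bin/sh
# Added example (not from the thread): check `getcert list` output on a CA
# replica against the expected certmonger tracking configuration. Helper paths
# differ by version, so only basenames are compared.
# On a real replica:  getcert list | check_tracking
check_tracking() {
    awk '
    function base(p) { sub(/.*\//, "", p); return p }
    function emit() {
        if (nick == "") return
        if (nick ~ /cert-pki-ca$/) want = "dogtag-ipa-retrieve-agent-submit|stop_pkicad|restart_pkicad"
        else if (nick == "ipaCert") want = "dogtag-ipa-retrieve-agent-submit||restart_httpd"
        else want = ""
        got = ca "|" pre "|" post
        verdict = (want == "") ? "UNKNOWN" : (got == want) ? "OK" : "MISMATCH"
        if (verdict == "MISMATCH") bad++
        printf "%s %s status=%s ca=%s pre=%s post=%s\n", verdict, nick, status, ca, pre, post
        nick = ca = pre = post = status = ""
    }
    /^Request ID/ { emit() }
    $1 == "certificate:" { s = $0; sub(/.*nickname=/, "", s); sub(/,token=.*/, "", s)
                           nick = substr(s, 2, length(s) - 2) }   # drop the quotes
    $1 == "status:"   { status = $2 }
    $1 == "CA:"       { ca = $2 }
    $1 == "pre-save"  { pre = base($3) }
    $1 == "post-save" { post = base($3) }
    END { emit(); exit (bad ? 1 : 0) }'
}
# Constructed sample in `getcert list` layout: one subsystem cert configured as
# described, and an ipaCert tracked by the wrong CA while still CA_WORKING.
sample_output() {
    cat <<'EOF'
Request ID '20140825000001':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad PKI-IPA
Request ID '20140825000002':
	status: CA_WORKING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
EOF
}
sample_output | check_tracking || echo "tracking configuration needs attention"
```

The exit status is non-zero whenever a known nickname deviates from the expected CA or save commands, so the function can also gate a post-repair sanity check.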

> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, August 26, 2014 3:53 PM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
> 
> Ott, Dennis wrote:
>> No services are currently running on the replica (and I am hesitant to start 
>> them) but, my recollection is that I did the replica server installation 
>> with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ 
>> and /etc/pki-ca/ directories in place on the replica.
>>
>> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE 
>> (but then, the service is down. The master also gave this status, 
>> even with the service running, until I followed the cert renewal 
>> procedure.)
>>
>> So, with the replica running a CA, should I follow the same procedure that I 
>> used on the master? Anything else to look out for?
> 
> No, the procedure is slightly different on the replica.
> 
> You need to start by ensuring that certmonger has a CA type for renewal:
> 
> # getcert list-cas
> 
> Look for ca_renewal
> 
> Check the CA subsystem certs to see how they are configured.
> 
> The CA should be dogtag-ipa-retrieve-agent-submit for 
> "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and 
> "subsystemCert cert-pki-ca" and a pre-save command of stop_pkicad and 
> a post-save a restart_pkicad PKI-IPA
> 
> The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", 
> a blank pre-save command and a post-save command of restart_httpd.
> 
> rob
> 
>> Thanks.
>>
>> Dennis
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Monday, August 25, 2014 6:37 PM
>> To: Ott, Dennis; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Cert Renewal
>>
>> Ott, Dennis wrote:
>>> I have an IPA setup, one master, one replica; originally installed 
>>> as v 2.x and later  updated to v 3.0. For whatever reasons, the 
>>> certs did not automatically renew and the services would no longer 
>>> start. I updated the certs manually on the master using the procedure shown 
>>> at:
>>>
>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> The master is now functioning properly.
>>>
>>> At this point, the IPA service is still stopped on the replica. I 
>>> hesitate to start it for concern it could interfere with the 
>>> now-working master.
>>>
>>> What would be the recommended method for returning the replica to service?
>>
>> It depends on the replica. Does it also run a CA? If not then you 
>> can try restarting the certmonger service. This should cause it to fetch new 
>> certificates for the other IPA servers. ipa-getcert list will show you the 
>> status; wait until they are all MONITORING.
>>
>> Once that works then you can safely restart the world. Any changes on the 
>> master will be replicated out, and vice versa.
>>
>> rob
>>
> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project