There was a bug in certmonger where it slowly leaked file descriptors
over time. So if certmonger ran for an extended period, usually months,
it would eventually run out. certmonger uses helpers to do renewals, so
with no descriptors, forks would fail, and hence so would renewals. This is BZ
https://bugzilla.
Hi Rob,
Thank you for the insight! That helped a lot!
The replication of the CA data was perfectly fine. I did the following on
each IPA server except the renewal server to fix the situation:
1. restarted certmonger service, then waited a few minutes until it
finished restarting pki_tomcatd (it
This looks like the root cause:
ERROR: ipahealthcheck.ipa.certs.IPARAAgent: RA agent description does
not match 2;186;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA
RA,O=EXAMPLE.COM in LDAP and 2;66;CN=Certificate
Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM expected
It looks like an updated RA
I just found this post about the same or similar issue:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/DFEMDNWSCE4FDDFRDUCZYYIIOIUC3RFD/
One detail I missed - this happens on all IPA servers BUT the renewal IPA
server. I will go through ^ post to see if