On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches

Removed, only the matching one remains.

You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'.  If there is only one CA
master in the topology (the one you're working on) you can ignore
this.  Otherwise you should either update its userCertificate value
with the content of ra_agent.pem, OR you can simply delete the

Do this all while the clock is set back to when the certs are all
valid.  Then restart IPA; confirm that all the components start
properly, then attempt to renew the service certificates.

Done, ipactl status reports everything running, but certificates don't renew.
Looking at certmonger (in debug mode) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ). Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'

even after a getcert resubmit -i 20171205091409

Do I have to try removing and re-adding monitoring from certmonger for the service certificates?

See how you go with that.  Hopefully it will be progress, at least.


FreeIPA-users mailing list --
To unsubscribe send an email to

Giulio Casella                                    giulio at
System and network architect
Computer Science Dept. - University of Milano
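Checking which tracked certificates are in the CA_UNREACHABLE state shown above, as an added example that is not part of the thread and not FreeIPA's or certmonger's own tooling: it parses `getcert list` output with awk, lists the requests whose status is CA_UNREACHABLE together with the ca-error certmonger recorded for each, and prints (without running) the matching `getcert resubmit -i <id>` commands. The sample `getcert list` output, the hostnames idc01/idc02.example.test, the NSS database paths and the request IDs are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread (not code from the FreeIPA project or from
# the thread's participants): parse `getcert list` output, find tracked
# requests stuck in CA_UNREACHABLE, show the CA error recorded for each, and
# print (not run) the matching `getcert resubmit -i <id>` commands.
# Hostnames, paths and request IDs in the sample are constructed.

# Constructed `getcert list` output standing in for the real command.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20171205091409':
        status: CA_UNREACHABLE
        ca-error: Server at https://idc01.example.test/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ). Server at https://idc02.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.example.test:443; Connection refused).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
        CA: IPA
Request ID '20171205091412':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        CA: IPA
EOF
}

# Read `getcert list` output on stdin; print one request ID per line for
# every request whose status is CA_UNREACHABLE.
stuck_requests() {
    awk -v q="'" '
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[[:space:]]*status:/ && $2 == "CA_UNREACHABLE" { print id }
    '
}

# Read `getcert list` output on stdin; print the ca-error text recorded for
# the request ID given as $1 (prints nothing if that request has none).
ca_error_for() {
    awk -v q="'" -v want="$1" '
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[[:space:]]*ca-error:/ && id == want {
            sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); print
        }
    '
}

# Read `getcert list` output on stdin; print the resubmit command for each
# stuck request. Commands are printed, not executed, so they can be reviewed
# first (for example, after fixing the clock or the unreachable CA master).
resubmit_commands() {
    stuck_requests | while read -r id; do
        printf 'getcert resubmit -i %s\n' "$id"
    done
}

# Demo on the constructed sample:  sh stuck_certs.sh --demo
# On a real IPA master, feed the functions with the real command instead:
#   getcert list | stuck_requests
if [ "${1:-}" = "--demo" ]; then
    for id in $(sample_getcert_list | stuck_requests); do
        printf '%s: %s\n' "$id" "$(sample_getcert_list | ca_error_for "$id")"
    done
    sample_getcert_list | resubmit_commands
fi
```

The ca-error line is worth reading per request before resubmitting: in the sample (as in the log quoted above) it carries two distinct failures, an HTTP 500 from the CA REST API behind one master and a refused TCP connection on port 443 of the other, and a resubmit will only succeed once at least one master's CA actually answers.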