On 04/04/2018 03:21 PM, lejeczek via FreeIPA-users wrote:


On 04/04/18 12:43, Florence Blanc-Renaud wrote:
Hi,

CA_WORKING means that certmonger's helper is trying to download the certificate from LDAP, but does not find new certs.

In topologies with multiple servers, only one server is the renewal master. When one of auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-pki-ca or caSigningCert cert-pki-ca expires, the renewal master is the one that actually handles the renewal, and the other masters simply download the new certs from LDAP.

You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).

Then check that replication is working between the renewal master and the other masters. If the replication is broken, the certs will not be copied on the other masters and the download will not detect new certificates.

HTH,

I also see differences here in case it matters (and then what to do about it):
on rider:

Replica Update Vectors:
     rider.private:389: 71
     whale.private:389: 91
Certificate Server Replica Update Vectors:
     rider.private:389: 1075
     whale.private:389: 1170

on whale:

Replica Update Vectors:
     whale.private:389: 91
     rider.private:389: 71
Certificate Server Replica Update Vectors:
     whale.private:389: 1170

Also on whale host I see:
..
[04/Apr/2018:14:19:28.872403514 +0100] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=cloneAgreement1-whale.private-pki-tomcat" (rider:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.

even though on rider I did:

$ ipa-replica-manage re-initialize --from

The replication handles 2 different suffixes, one for IdM data (below dc=domain,dc=com), and one for CA data (below o=ipaca). In your case, the replication of CA data is broken and the right command to fix that is ipa-csreplica-manage re-initialize instead of ipa-replica-manage re-initialize.

Flo
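As an added example (not part of the thread), one way to script the consistency check Flo describes between /etc/pki/pki-tomcat/alias, the LDAP entries and CS.cfg: fingerprint each cert's DER as seen by all three sources and report which source disagrees. The CS.cfg key names and the sample inputs are assumptions; on a real master the inputs would be the `certutil -L -a` output per nickname, the LDAP attribute values and the CS.cfg file.

```python
"""Cross-check the four renewable CA certs across the three places named in
the thread: the NSS db, the LDAP entries and CS.cfg (constructed data, offline)."""
import base64
import hashlib
import re

# NSS nickname -> CS.cfg key (assumed Dogtag key names, not from the thread).
CS_CFG_KEYS = {
    "auditSigningCert cert-pki-ca": "ca.audit_signing.cert",
    "ocspSigningCert cert-pki-ca": "ca.ocsp_signing.cert",
    "subsystemCert cert-pki-ca": "ca.subsystem.cert",
    "caSigningCert cert-pki-ca": "ca.signing.cert",
}

def der_fingerprint(cert_text):
    """Normalize PEM or bare base64 to a SHA-256 fingerprint of the DER."""
    b64 = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", cert_text)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def parse_cs_cfg(text):
    """Return {key: value} for the key=value lines of a CS.cfg file."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")  # base64 '=' padding survives
            out[key.strip()] = value.strip()
    return out

def check_consistency(nss_certs, ldap_certs, cs_cfg_text):
    """{nickname: PEM or base64} x2 plus CS.cfg text -> {nickname: verdict}."""
    cfg = parse_cs_cfg(cs_cfg_text)
    report = {}
    for nick, key in CS_CFG_KEYS.items():
        fps = {"nss": der_fingerprint(nss_certs[nick]),
               "ldap": der_fingerprint(ldap_certs[nick]),
               "cs.cfg": der_fingerprint(cfg[key])}
        # A source whose fingerprint nobody else shares is the odd one out.
        odd = sorted(s for s, fp in fps.items() if list(fps.values()).count(fp) == 1)
        report[nick] = "mismatch: " + ", ".join(odd) if odd else "consistent"
    return report

def _b64(label):
    """Constructed stand-in for a DER cert body; not a real certificate."""
    return base64.b64encode(label.encode()).decode()

# Constructed fault: CS.cfg still carries the old OCSP cert, NSS/LDAP the new one.
SAMPLE_NSS = {n: _b64("new " + n) for n in CS_CFG_KEYS}
SAMPLE_LDAP = dict(SAMPLE_NSS)
SAMPLE_CS_CFG = "\n".join(f"{k}={_b64(('old ' if 'ocsp' in k else 'new ') + n)}"
                          for n, k in CS_CFG_KEYS.items())
```

A source that disagrees on a non-renewal master (as the constructed CS.cfg does here) is the "download did not happen" case; if the renewal master itself is inconsistent, the renewal did not complete there.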
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org