Hi Florence,

On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote:

On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote:
[...]
you can use ldapmodify to manually add the missing certificate:

1. transform the RA agent cert into der format
$ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der

2. upload the cert in LDAP
$ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate
usercertificate:< file:///tmp/ra-agent.der

modifying entry "uid=ipara,ou=people,o=ipaca"

<Ctrl-D> to exit

After that, you should be able to re-run ipa-server-upgrade. At this point, please make sure that replication could be re-established between the two nodes.

Your help is greatly appreciated.

I had to change the cert serial in "description" additionally the same way via ldapmodify, but now ipa-server-upgrade goes smooth and IPA on ipa2 comes up properly after a reboot. Fine.

Regarding replication: checking whether replication works properly is achieved with "ipa-replica-manage -v list <host>", right? It has to work on both IPA servers, and "last update ended" must be a reasonably recent timestamp?


With best regards,

--Daniel.
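Daniel also had to correct the certificate serial stored in the ipara entry's "description". As an added example that is not part of this thread, the following Python check converts the RA agent PEM to DER without openssl, pulls the serial out of the DER and compares it with the serial in the LDAP description; it assumes Dogtag's "2;<serial>;<issuer DN>;<subject DN>" layout for that attribute, and the certificate fixture is constructed (only the leading TBS fields, no real key material).

```python
import base64
import re

def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the first CERTIFICATE block;
    same bytes as `openssl x509 -outform der` on a single-cert file."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_serial(der: bytes) -> int:
    """Read serialNumber from Certificate -> tbsCertificate without a full
    X.509 parser; that is all the description check needs."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version, skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def description_matches(description: str, der: bytes) -> bool:
    """Assumed Dogtag layout: '2;<serial>;<issuer DN>;<subject DN>'.
    True when the stored serial equals the certificate's serial."""
    parts = description.split(";")
    if len(parts) != 4 or parts[0] != "2":
        return False
    return int(parts[1]) == cert_serial(der)

# Constructed fixture: outer SEQUENCE, TBS SEQUENCE, version v3, serial 0x1234.
SAMPLE_DER = bytes.fromhex("300b3009a00302010202021234")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Run it against the real files with `cert_serial(pem_to_der(open("/var/lib/ipa/ra-agent.pem", "rb").read()))` and the description value fetched with ldapsearch before deciding whether the entry needs the same ldapmodify treatment.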
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
