On 1/11/19 3:24 PM, dbischof--- via FreeIPA-users wrote:
Hi Florence,
On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote:
On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote:
[...]
you can use ldapmodify to manually add the missing certificate:
1. transform the RA agent cert into der format
$ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der
2. upload the cert in LDAP
$ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate
usercertificate:< file:///tmp/ra-agent.der
modifying entry "uid=ipara,ou=people,o=ipaca"
<Ctrl-D> to exit
After that, you should be able to re-run ipa-server-upgrade. At this
point, please make sure that replication could be re-established
between the two nodes.
your help is greatly appreciated.
I additionally had to change the cert serial in "description" the same
way via ldapmodify, but now ipa-server-upgrade goes smoothly and IPA on
ipa2 comes up properly after a reboot. Fine.
Regarding replication: Checking whether replication works properly is
achieved with "ipa-replica-manage -v list <host>", right? Has to work on
both IPA servers and "last update ended" must be a reasonably recent
timestamp?
Yes, ipa-replica-manage -v list <host> will display the status of the
replication for the domain (user, hosts, ...). The value of "last update
status" must be "Replica acquired successfully: Incremental update
succeeded".
If the topology includes multiple CA instances, replication is also
configured for the CA data, and the status can be found using
ipa-csreplica-manage -v list <host>.
HTH,
flo
Mit freundlichen Gruessen/With best regards,
--Daniel.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
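
The two checks discussed in this thread (the "last update status" text and a recent "last update ended" timestamp) can be scripted. The following is an added example, not part of the original messages and not FreeIPA code; the output layout, the hostnames, the failure text and the one-hour freshness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Success text quoted in the thread; the CLI may prefix it with a result code.
OK_STATUS = "Replica acquired successfully: Incremental update succeeded"

# Constructed sample of `ipa-replica-manage -v list <host>` output (layout assumed).
SAMPLE = """\
ipa1.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2019-01-11 14:20:05+00:00
ipa3.example.test: replica
  last update status: Error (-1) Problem connecting to replica (constructed failure text)
  last update ended: 1970-01-01 00:00:00+00:00
"""


def parse_agreements(text):
    """Return {peer: {field: value}} from the verbose list output."""
    agreements, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented "host: replica" starts a block
            current = agreements.setdefault(line.split(":", 1)[0].strip(), {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # split once: values contain colons
            current[key.strip()] = value.strip()
    return agreements


def unhealthy(text, now, max_age=timedelta(hours=1)):
    """Return {peer: reason} for agreements failing the status or freshness check."""
    problems = {}
    for peer, fields in parse_agreements(text).items():
        status = fields.get("last update status", "")
        if OK_STATUS not in status:
            problems[peer] = "status: " + (status or "missing")
            continue
        try:
            ended = datetime.fromisoformat(fields.get("last update ended", ""))
        except ValueError:
            problems[peer] = "unparseable 'last update ended'"
            continue
        if ended.tzinfo is None:
            ended = ended.replace(tzinfo=timezone.utc)  # assumption: UTC if no offset
        if now - ended > max_age:
            problems[peer] = "stale: last update ended " + ended.isoformat()
    return problems
```

Run it against the output collected on each server, and against `ipa-csreplica-manage -v list <host>` as well when the topology has more than one CA instance.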