Hi Florence,
On Fri, 11 Jan 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

> On 1/11/19 3:24 PM, dbischof--- via FreeIPA-users wrote:
>> On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote:
>>> On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote:
>>>> [...]
>>> you can use ldapmodify to manually add the missing certificate:
>>> 1. transform the RA agent cert into der format
>>> $ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der
>>> 2. upload the cert in LDAP
>>> $ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W
>>> Enter LDAP Password:
>>> dn: uid=ipara,ou=people,o=ipaca
>>> changetype: modify
>>> add: usercertificate
>>> usercertificate:< file:///tmp/ra-agent.der
>>> modifying entry "uid=ipara,ou=people,o=ipaca"
>>> <Ctrl-D> to exit
>>> After that, you should be able to re-run ipa-server-upgrade. At this
>>> point, please make sure that replication could be re-established between
>>> the two nodes.
>> your help is greatly appreciated.
>> I had to change the cert serial in "description" additionally the same way
>> via ldapmodify, but now ipa-server-upgrade goes smoothly and IPA on ipa2
>> comes up properly after a reboot. Fine.
>> Regarding replication: Checking whether replication works properly is
>> achieved with "ipa-replica-manage -v list <host>", right? Has to work on
>> both IPA servers and "last update ended" must be a reasonably recent
>> timestamp?
> Yes, ipa-replica-manage -v list <host> will display the status of the
> replication for the domain (user, hosts, ...). The value of "last update
> status" must be "Replica acquired successfully: Incremental update
> succeeded".

this is working now, thanks again.

> If the topology includes multiple CA instances, replication is also
> configured for the CA data, and the status can be found using
> ipa-csreplica-manage -v list <host>.
I do have 2 CA instances and it appears that I'm not yet out of the woods
here:

---ipa2
$ ipa-csreplica-manage -v list ipa1.example.com
ipa2.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
---

But I will start a new thread for this, if I can't get it fixed myself.
Mit freundlichen Gruessen/With best regards,
--Daniel.
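Added example, not part of the thread: a small POSIX shell checker that reads the output of "ipa-replica-manage -v list <host>" or "ipa-csreplica-manage -v list <host>" on stdin and fails unless every listed agreement reports the success string Florence quotes above and a "last update ended" timestamp that is not the 1970-01-01 epoch placeholder shown in the broken CA output. The two sample outputs are constructed from the thread, not captured from a live server; run it on each server against each peer.

```shell
#!/bin/sh
# Added example: parse "ipa-replica-manage -v list <host>" /
# "ipa-csreplica-manage -v list <host>" output from stdin and return 0 only
# if every agreement has the expected "last update status" and a real
# (non-epoch) "last update ended" timestamp; each failure is reported on stderr.
OK_STATUS='Replica acquired successfully: Incremental update succeeded'

check_replication_status() {
    failures=0
    replica='<unknown>'
    while IFS= read -r line; do
        case "$line" in
            *'last update status:'*)
                status=${line#*"last update status: "}
                if [ "$status" != "$OK_STATUS" ]; then
                    echo "FAIL $replica: last update status is '$status'" >&2
                    failures=$((failures + 1))
                fi ;;
            *'last update ended:'*)
                case "${line#*"last update ended: "}" in
                    1970-01-01*)              # epoch: no update has ever completed
                        echo "FAIL $replica: no incremental update has ever completed" >&2
                        failures=$((failures + 1)) ;;
                esac ;;
            *'last init'*|'') ;;              # init lines are not checked here
            *) replica=$line ;;               # any other line names the peer replica
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample outputs modelled on the thread, not captured from a server.
HEALTHY_SAMPLE='ipa1.example.com
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Replica acquired successfully: Incremental update succeeded
  last update ended: 2019-01-11 15:24:00+00:00'

BROKEN_SAMPLE="ipa2.example.com
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00"

printf '%s\n' "$HEALTHY_SAMPLE" | check_replication_status && echo "healthy sample: OK"
printf '%s\n' "$BROKEN_SAMPLE" | check_replication_status || echo "broken sample: replication problem detected"
```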
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]