On 7/11/19 10:19 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Florence,

On 7/10/19 4:50 PM, Florence Blanc-Renaud wrote:

Hi,
the issue seems rather to be between IPA framework and dogtag. Is the CA subsystem enabled?
$ pki-server subsystem-show ca
should display "Enabled: True"


Nope:

[root@ipa1 ~]# pki-server subsystem-show ca
   Subsystem ID: ca
   Instance ID: pki-tomcat
   Enabled: False

Freeipa's top level certificate was signed by an external CA.

The subsystem logs may show more information: /var/log/pki/pki-tomcat/ca/debug

As you might have imagined, this doesn't exist, either.

I would start by checking if the "subsystemCert cert-pki-ca" certificate is still valid and consistent in the NSSDB and in ldap:

$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"

=> check the date


I've got 4 ipa servers with a local certificate database. One ipa server (ipa1)
gives me

[root@ipa1 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
             Not After : Wed Jun 23 09:56:18 2021

The other 3 say

[root@ipa0 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
             Not After : Thu Aug 01 08:06:59 2019

[root@ipa2 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
             Not After : Thu Aug 01 08:06:59 2019

[root@ipabak ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
             Not After : Thu Aug 01 08:06:59 2019

Obviously the certificate got renewed on ipa1, but not on the others.

$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -a
$ ldapsearch -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate

Both commands should return the same content for the certificate


The ldapsearch line returns 2 identical certificates on ipa{0,1,2,bak},
but ipa1 has a 3rd certificate.

Please don't tell me that my ldap instances are out of sync again.

I hate to bring bad news, but it really looks like replication failed between your instances. Feel free to start a new thread on the users mailing list if you need assistance.

Coming back to your original issue, ipa host-del should work if executed on ipa1 (the one with the renewed cert).

flo



Regards
Harri
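The consistency check Florence describes above (the certutil -a output for "subsystemCert cert-pki-ca" must match a userCertificate value of uid=pkidbuser in o=ipaca, and a replica that has fewer or different values has diverged) can be automated once you have captured the two command outputs to files. The script below is an added example written for this page, not part of the thread or of FreeIPA/dogtag. It compares SHA-256 fingerprints of the DER bodies, handles LDIF line folding and the base64 "::" form that ldapsearch emits for userCertificate;binary, and reports which values exist only in LDAP and whether LDAP holds duplicate values (the "2 identical certificates" case). The embedded certutil and ldapsearch outputs are constructed stand-ins with fake DER bodies, not real certificates; the DN uid=pkidbuser,ou=people,o=ipaca and the attribute label userCertificate;binary are assumed. Expiry is read directly from the "Not After" line of certutil -L and is not re-implemented here.

```python
import base64
import hashlib
import re

# --- constructed sample data (NOT real certificates, just stand-in DER bytes) ---
CERT_NEW = b"stand-in DER for the renewed subsystemCert (constructed)"
CERT_OLD = b"stand-in DER for the expired subsystemCert (constructed)"


def ldif_fold(line, width=76):
    """Fold a long LDIF line the way ldapsearch does: continuation lines start with a space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def b64(data):
    return base64.b64encode(data).decode()


# What `certutil -L -d ... -n 'subsystemCert cert-pki-ca' -a` would print (constructed).
PEM_FROM_NSSDB = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CERT_NEW).decode()
    + "-----END CERTIFICATE-----\n"
)

# What `ldapsearch -b o=ipaca uid=pkidbuser userCertificate` would print on the
# server whose cert was renewed: old and new value (constructed; DN assumed).
LDIF_FROM_LDAP = "\n".join([
    "dn: uid=pkidbuser,ou=people,o=ipaca",
    ldif_fold("userCertificate;binary:: " + b64(CERT_OLD)),
    ldif_fold("userCertificate;binary:: " + b64(CERT_NEW)),
    "",
])

# Same query on a replica that never received the renewed value (constructed).
LDIF_STALE_REPLICA = "\n".join([
    "dn: uid=pkidbuser,ou=people,o=ipaca",
    ldif_fold("userCertificate;binary:: " + b64(CERT_OLD)),
    "",
])


def pem_to_der(pem_text):
    """Return the DER body of every CERTIFICATE block in certutil -a output."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    return [base64.b64decode("".join(b.split())) for b in blocks]


def ldif_attribute_values(ldif_text, attr):
    """Unfold LDIF and return the raw values of `attr`, ignoring options like ;binary."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.split(";")[0].lower() != attr.lower():
            continue
        if value.startswith(":"):             # "attr:: <base64>" form
            values.append(base64.b64decode(value[1:].strip()))
        else:                                 # "attr: <text>" form
            values.append(value.strip().encode())
    return values


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def compare_nssdb_with_ldap(pem_text, ldif_text):
    """Report whether every NSSDB cert is present in LDAP, plus LDAP-only and duplicate values."""
    nss = [fingerprint(d) for d in pem_to_der(pem_text)]
    ldap = [fingerprint(d) for d in ldif_attribute_values(ldif_text, "userCertificate")]
    return {
        "nssdb": nss,
        "ldap": ldap,
        "nssdb_in_ldap": all(fp in ldap for fp in nss),
        "ldap_only": sorted(set(ldap) - set(nss)),
        "ldap_duplicates": len(ldap) - len(set(ldap)),
    }


if __name__ == "__main__":
    for label, ldif in (("renewed server", LDIF_FROM_LDAP), ("stale replica", LDIF_STALE_REPLICA)):
        r = compare_nssdb_with_ldap(PEM_FROM_NSSDB, ldif)
        print(label, "nssdb_in_ldap=%s ldap_values=%d ldap_only=%d duplicates=%d"
              % (r["nssdb_in_ldap"], len(r["ldap"]), len(r["ldap_only"]), r["ldap_duplicates"]))
```

In practice, replace the two constructed constants with the files you save from the real commands on each server (`certutil ... -a > nss.pem`; `ldapsearch ... > pkidbuser.ldif`), and run the comparison per replica: a server where nssdb_in_ldap is False while the renewed value is present elsewhere is the one whose LDAP replication lagged, which matches the symptom in the thread.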
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org