Flo,
Thank you very much! You gave me the pointer I needed.

Here are the steps that I took following your instructions.


copied /var/lib/ipa/ra-agent.pem from ipa01 (CA master) to ipa03 (failing replica)


ra-agent.pem on CA MASTER

[michaelplemmons@ipa01 ~]$ sudo openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 234 (0xea)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=MGMT.CROSSCHX.COM, CN=Certificate Authority
        Validity
            Not Before: Dec 18 16:41:31 2019 GMT
            Not After : Dec  7 16:41:31 2021 GMT
        Subject: O=MGMT.CROSSCHX.COM, CN=IPA RA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d1:ef:11:8f:cc:7c:3e:49:b1:14:f0:7c:2e:75:
                    b2:ba:cc:f9:69:1f:f0:cf:8f:62:69:2c:d0:b0:4f:
                    1f:c4:fd:dd:2c:be:bf:34:4f:f8:f4:b0:12:76:f4:
                    16:99:67:f4:50:7b:d3:ea:b4:30:0f:bc:7e:ce:69:
                    43:5e:c1:b9:21:cc:00:9d:8a:f0:4b:05:ae:0e:d1:
                    13:a3:a5:dc:cd:d4:59:12:53:b3:f9:fa:66:bd:8d:
                    e7:75:94:f5:9b:03:26:21:d0:5d:07:67:e4:38:1f:
                    53:63:0e:5c:d6:da:b9:4e:47:4d:c7:8f:c7:40:55:
                    fe:74:70:72:10:59:f0:86:9b:31:3a:a0:db:41:6c:
                    8c:91:68:e0:92:c5:59:4c:c2:77:22:c4:4a:0d:0f:
                    d5:76:a4:c2:88:9c:52:d7:04:be:76:26:dc:85:70:
                    7e:e7:f0:27:91:ed:ce:60:04:03:6c:6f:86:ae:a2:
                    59:50:58:52:83:39:a6:98:2a:b1:a9:9a:7b:1e:f3:
                    48:f6:65:f3:e4:4f:d6:ea:10:a0:3c:55:06:4c:da:
                    d5:c5:ec:6e:eb:c1:e1:ea:49:48:a0:eb:eb:56:87:
                    b6:b2:47:ab:00:55:81:2a:a6:d4:73:5a:fa:d2:31:
                    9a:ac:fa:b1:5b:2c:67:1a:47:eb:2b:de:d3:cc:2b:
                    ce:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:68:28:8C:0C:A7:21:40:39:DA:3B:9D:DA:01:00:5E:05:84:2C:7A:7F

            Authority Information Access:
                OCSP - URI:http://ipa-ca.mgmt.crosschx.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         38:aa:62:82:27:20:49:66:11:d3:c3:92:bb:68:51:23:f0:bf:
         17:1b:8b:3a:22:46:e9:fa:c7:f4:58:9f:8a:1a:d8:d3:d1:07:
         6b:bc:1a:d9:8a:78:ca:7d:d8:6f:65:1f:73:9f:18:db:bd:15:
         e4:e4:12:e8:b0:81:9a:07:01:bb:e3:98:b3:b2:ca:f6:28:44:
         cf:d9:c3:81:ff:97:32:ec:65:4a:8c:67:44:11:29:8e:aa:e8:
         95:36:9a:60:78:cb:f6:a6:28:0b:19:58:6a:3f:a8:d5:4b:bd:
         6f:a9:3a:3d:29:36:45:ba:89:6e:19:9f:a2:6c:65:0b:3f:26:
         e3:e6:c8:ce:8e:6f:c7:24:da:9f:e0:b7:38:b1:34:24:02:f6:
         6d:79:a1:d8:01:c9:ce:51:e5:61:40:8c:3b:3f:57:af:4e:aa:
         34:a3:58:10:6b:04:23:72:de:38:bf:2e:1d:3c:36:2c:7a:5c:
         da:89:e4:7b:de:9a:b3:d9:10:c6:10:8b:1a:01:66:70:2e:d4:
         e4:4c:ea:6d:74:2a:6d:3d:3f:9c:27:e4:39:54:a1:df:bc:70:
         4c:b2:ba:62:77:89:b1:f1:65:53:c5:5b:22:81:f4:bb:f1:0a:
         d6:b0:dd:2e:f2:0d:a3:56:66:16:fd:3c:92:40:94:8a:ba:de:
         10:24:de:b7

---

ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca.ldif

ipaca.ldif

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
usercertificate::
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

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;234;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA

---

ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description

dn: uid=ipara,ou=people,o=ipaca
usercertificate::
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
description: 2;234;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA

The description does not match the order of the master and replica for
issuer and subject

updated ldif file to fix description

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
usercertificate::
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

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM


ran query against ldap

(root)>ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
usercertificate::
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
description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM

---

Checking status on master

[michaelplemmons@ipa01 ~]$ ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
usercertificate::
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
usercertificate::
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
description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM


Checking status on replica ipa02

[michaelplemmons@ipa02 ~]$ ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
usercertificate::
MIIDfTCCAmWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFNR01ULkNST1NTQ0hYLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDEyNDE2NDQxN1oXDTIwMDExNDE2NDQxN1owLTEaMBgGA1UECgwRTUdNVC5DUk9TU0NIWC5DT00xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHvEY/MfD5JsRTwfC51srrM+Wkf8M+PYmks0LBPH8T93Sy+vzRP+PSwEnb0Fpln9FB70+q0MA+8fs5pQ17BuSHMAJ2K8EsFrg7RE6Ol3M3UWRJTs/n6Zr2N53WU9ZsDJiHQXQdn5DgfU2MOXNbauU5HTcePx0BV/nRwchBZ8IabMTqg20FsjJFo4JLFWUzCdyLESg0P1XakwoicUtcEvnYm3IVwfufwJ5HtzmAEA2xvhq6iWVBYUoM5ppgqsamaex7zSPZl8+RP1uoQoDxVBkza1cXsbuvB4epJSKDr61aHtrJHqwBVgSqm1HNa+tIxmqz6sVssZxpH6yve08wrzgUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBRoKIwMpyFAOdo7ndoBAF4FhCx6fzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9pcGEtY2EubWdtdC5jcm9zc2NoeC5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAY/9UgdtHuaD5VYJQWBR1482uujsApaMgXfHuacX0wUVHO6BvwzqOAjiM00CG4p3yR1IPwDNKcLyslE7o37/EYZLh8PR+WfPBzM7IjOkjlUnRfHnMIuN9Xu1peQIeYEzCvQSjx23EBoVYBofQE7Yxy1W5/ICAQDTKJMmc4KBGcSb3S1VlJoK/cv1dLF1oLXqZYNwuqVJbj9pOJSG0rN+j9wwGGUt11/MgdnQNIc9CaaXJ3oZz4g4q0ZSVn3TEJUzSusEhq64Zjvq1f41pUfQZvB2INL1kDRiDWkqwnG9xWGU9U9weqa+fQgzTO7zptKnp4zxqZAaz6PFjUjSLZXf2l
usercertificate::
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
description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM

---

ipa-server-upgrade on failing replica

The upgrade succeeded.


On Mon, Dec 23, 2019 at 11:54 AM Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 12/23/19 4:22 PM, Michael Plemmons via FreeIPA-users wrote:
> > I am updating from 4.6.4-10 to 4.6.5-11 on CentOS 7. The server I am
> > working on is one of three in a production cluster.
> >
> > The yum update failed and I get the Failed to authenticate to CA REST
> > API in the ipa upgrade log.
> >
> > I have followed past emails that state the contents of
> >
> > ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
> >
> > must match
> >
> > /var/lib/ipa/ra-agent.pem
> >
> > I did find that they did not match so I created an LDIF file to make the
> > LDAP entry match the uid=ipara,ou=people,o=ipaca
> > match /var/lib/ipa/ra-agent.pem but I still get the same problem.
> >
> > ============
> >
> > BEFORE
> >
> > dn: uid=ipara,ou=people,o=ipaca
> > description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM
> > uid: ipara
> > sn: ipara
> > usertype: agentType
> > userstate: 1
> > userCertificate:: MIIDfTC...CUirreECTetw==
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: cmsuser
> > cn: ipara
> >
> >
> > snippet of ra-agent.pem
> >
> > MIIDfTCCA...SLZXf2l
> >
> > (root)>openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
> > Certificate:
> >      Data:
> >          Version: 3 (0x2)
> >          Serial Number: 7 (0x7)
> >      Signature Algorithm: sha256WithRSAEncryption
> >          Issuer: O=MGMT.CROSSCHX.COM, CN=Certificate Authority
> >          Validity
> >              Not Before: Jan 24 16:44:17 2018 GMT
> >              Not After : Jan 14 16:44:17 2020 GMT
> >          Subject: O=MGMT.CROSSCHX.COM, CN=IPA RA
> > The serial number, issuer, and subject do not match so I created the
> > following LDIFs.
> >
> > ipaca-1.ldif
> >
> > dn: uid=ipara,ou=people,o=ipaca
> > changetype: modify
> > replace: userCertificate
> > userCertificate: MIIDfTCCA...SLZXf2l
> >
> >
> > ipaca-2.ldif
> >
> > dn: uid=ipara,ou=people,o=ipaca
> > changetype: modify
> > replace: description
> > description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA
> >
> Hi,
>
> the RA agent cert was probably renewed on the CA renewal master but not
> updated on your replica. I'm afraid that you picked the wrong cert when
> updating the LDAP entry (serial=7 is the first RA cert, and after
> renewal the serial number increases).
>
> Can you first check which host is the renewal master? The source of
> truth for the RA agent will be the /var/lib/ipa/ra-agent.pem file on
> this machine. Then refer to the instructions on
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/DFEMDNWSCE4FDDFRDUCZYYIIOIUC3RFD/
> (your source of truth will be the RA agent file on the renewal master
> and not the ldap entry, as it was overwritten by your ldapmodify commands).
>
> HTH,
> flo
>
>
> > I then applied them like this
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-1.ldif
> > # ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-2.ldif
> >
> >
> >
> > AFTER
> >
> > dn: uid=ipara,ou=people,o=ipaca
> > usercertificate: MIIDfTCCA...SLZXf2l
> > description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA
> >
> > ===========
> >
> > None of the certs have expired
> >
> > (root)>getcert list | grep -i expires
> > expires: 2020-01-25 18:20:55 UTC
> > expires: 2020-01-14 16:43:59 UTC
> > expires: 2020-01-14 16:43:59 UTC
> > expires: 2020-01-14 16:43:59 UTC
> > expires: 2038-01-24 16:43:58 UTC
> > expires: 2020-01-14 16:44:17 UTC
> > expires: 2021-12-07 15:49:57 UTC
> > expires: 2039-09-04 17:51:34 UTC
> > expires: 2020-01-25 18:17:26 UTC
> > expires: 2020-01-25 18:18:20 UTC
> >
> >
> >
> > When I rerun ipa-server-upgrade manually I still get the same problem. I
> > am able to validate that the contents of the ra-agent.pem file and ldap
> > entry are the same by match content and verifying their MD5 checksum.
> >
> > When I attempt an ipactl stop / ipactl start it notices that the server
> > needs to be upgraded and attempts the upgrade.  How do I recover the
> > server?
> >
> >
> > --
> > *Mike Plemmons *
> > Senior Infrastructure Engineer
> > 614-427-2411
> >
> >
> > <https://oliveai.com/>
> > 99 E. Main Street
> > Columbus, OH 43215
> > oliveai.com <http://oliveai.com/>
> > Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >
>
>

-- 
*Mike Plemmons *
Senior Infrastructure Engineer
614-427-2411


<https://oliveai.com/>
99 E. Main Street
Columbus, OH 43215
oliveai.com
Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>
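The check the thread performs by eye (does the uid=ipara entry carry the same certificate as /var/lib/ipa/ra-agent.pem, and does its description reference that certificate in the form Dogtag expects?) can be scripted. The following is an added example written for this thread; it is not code from the thread, from FreeIPA or from Dogtag. It uses only the Python standard library, with a minimal DER reader in place of an X.509 library, and it assumes that the description value has the shape `2;<serial>;<issuerDN>;<subjectDN>` with each DN written most-specific RDN first (the `CN=...,O=...` order of the entry that finally worked above, not the `O=..., CN=...` order openssl prints). The embedded certificate is the serial-7 RA certificate exactly as the ipa02 ldapsearch output above shows it (public certificate only); the sample entry dict, the function names and the problem messages are constructed for the example.

```python
import base64
import re

# Input taken from the thread: the serial-7 RA certificate as printed by
# ldapsearch on ipa02 (public certificate only). Any other cert works too.
RA_CERT_B64 = "MIIDfTCCAmWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFNR01ULkNST1NTQ0hYLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDEyNDE2NDQxN1oXDTIwMDExNDE2NDQxN1owLTEaMBgGA1UECgwRTUdNVC5DUk9TU0NIWC5DT00xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHvEY/MfD5JsRTwfC51srrM+Wkf8M+PYmks0LBPH8T93Sy+vzRP+PSwEnb0Fpln9FB70+q0MA+8fs5pQ17BuSHMAJ2K8EsFrg7RE6Ol3M3UWRJTs/n6Zr2N53WU9ZsDJiHQXQdn5DgfU2MOXNbauU5HTcePx0BV/nRwchBZ8IabMTqg20FsjJFo4JLFWUzCdyLESg0P1XakwoicUtcEvnYm3IVwfufwJ5HtzmAEA2xvhq6iWVBYUoM5ppgqsamaex7zSPZl8+RP1uoQoDxVBkza1cXsbuvB4epJSKDr61aHtrJHqwBVgSqm1HNa+tIxmqz6sVssZxpH6yve08wrzgUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBRoKIwMpyFAOdo7ndoBAF4FhCx6fzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9pcGEtY2EubWdtdC5jcm9zc2NoeC5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAY/9UgdtHuaD5VYJQWBR1482uujsApaMgXfHuacX0wUVHO6BvwzqOAjiM00CG4p3yR1IPwDNKcLyslE7o37/EYZLh8PR+WfPBzM7IjOkjlUnRfHnMIuN9Xu1peQIeYEzCvQSjx23EBoVYBofQE7Yxy1W5/ICAQDTKJMmc4KBGcSb3S1VlJoK/cv1dLF1oLXqZYNwuqVJbj9pOJSG0rN+j9wwGGUt11/MgdnQNIc9CaaXJ3oZz4g4q0ZSVn3TEJUzSusEhq64Zjvq1f41pUfQZvB2INL1kDRiDWkqwnG9xWGU9U9weqa+fQgzTO7zptKnp4zxqZAaz6PFjUjSLZXf2l"

# Constructed sample entry: correct certificate, but the description typed in
# openssl's attribute order, which is the mismatch the thread runs into.
SAMPLE_ENTRY_WRONG = {
    "usercertificate": [RA_CERT_B64],
    "description": ["2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;"
                    "O=MGMT.CROSSCHX.COM, CN=IPA RA"],
}

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C",
             "2.5.4.7": "L", "2.5.4.8": "ST", "0.9.2342.19200300.100.1.25": "DC"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly contained in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _name(buf, start, end):
    """Render an X.501 Name RFC 4514 style: last RDN first, 'CN=...,O=...'."""
    rdns = []
    for _, set_s, set_e in _children(buf, start, end):          # RDN ::= SET OF
        attrs = []
        for _, seq_s, seq_e in _children(buf, set_s, set_e):    # AttributeTypeAndValue
            (_, oid_s, oid_e), (vtag, val_s, val_e) = list(_children(buf, seq_s, seq_e))[:2]
            codec = "utf-16-be" if vtag == 0x1E else "utf-8"  # BMPString, else UTF8/Printable
            oid = _oid(buf[oid_s:oid_e])
            attrs.append(f"{OID_NAMES.get(oid, oid)}={buf[val_s:val_e].decode(codec)}")
        rdns.append("+".join(attrs))
    return ",".join(reversed(rdns))


def pem_to_der(text):
    """Accept a PEM file body (ra-agent.pem) or a bare base64 LDAP value."""
    b64 = re.sub(r"\s+", "", "".join(ln for ln in text.splitlines() if not ln.startswith("-----")))
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def cert_identity(der):
    """Return (serial, issuerDN, subjectDN) of a DER X.509 certificate."""
    _, cert_s, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)           # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, ser_s, ser_e), _alg, (_, iss_s, iss_e), _validity, (_, sub_s, sub_e) = fields[:5]
    serial = int.from_bytes(der[ser_s:ser_e], "big", signed=True)
    return serial, _name(der, iss_s, iss_e), _name(der, sub_s, sub_e)


def expected_description(der):
    """Assumed Dogtag format for the RA agent entry: 2;<serial>;<issuer>;<subject>."""
    serial, issuer, subject = cert_identity(der)
    return f"2;{serial};{issuer};{subject}"


def check_ra_entry(agent_pem, entry):
    """Return the problems found comparing the entry (attr -> values) with the agent file.
    The entry may carry several usercertificate values (the master above has two);
    the agent cert only has to be one of them. An empty list means they agree."""
    der = pem_to_der(agent_pem)
    problems = []
    if der not in [pem_to_der(v) for v in entry.get("usercertificate", [])]:
        problems.append("usercertificate does not contain the ra-agent.pem certificate")
    want = expected_description(der)
    if (entry.get("description") or [None])[0] != want:
        problems.append(f"description should be {want!r}")
    return problems


def fix_ldif(agent_pem):
    """LDIF that makes the entry match the agent file (same shape as ipaca.ldif above)."""
    der = pem_to_der(agent_pem)
    return ("dn: uid=ipara,ou=people,o=ipaca\nchangetype: modify\n"
            f"replace: userCertificate\nuserCertificate:: {base64.b64encode(der).decode()}\n-\n"
            f"replace: description\ndescription: {expected_description(der)}\n")


if __name__ == "__main__":
    for line in check_ra_entry(RA_CERT_B64, SAMPLE_ENTRY_WRONG) or ["entry matches ra-agent.pem"]:
        print(line)
    print(fix_ldif(RA_CERT_B64))
```

Feed `check_ra_entry` the text of ra-agent.pem from the renewal master (flo's point above: that file, not the LDAP entry, is the source of truth) and the attributes returned by `ldapsearch ... -o ldif-wrap=no "(uid=ipara)" usercertificate description`; if it reports problems, the LDIF from `fix_ldif` can be applied with the same `ldapmodify -x -D 'cn=Directory Manager' -W -f` command the thread uses, after which the ldapsearch should show the serial, issuer and subject in the agreed order on every replica.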