On 01-10-2020 22:05, Kees Bakker via FreeIPA-users wrote:
> On 01-10-2020 20:33, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> Can I safely do the following?
>>>
>>> ipa-getcert resubmit -i 20181127141739
>>> ipa-getcert resubmit -i 20181127141749
>>> ipa-getcert resubmit -i 20181127141750
>>> ipa-getcert resubmit -i 20181127141751
>> No. Only the renewal master should attempt renewing the certificates.
> That conflicts with a remark from Florence in a thread with the subject
> "Replica not renewing IPA certificates" in January this year on this mailing 
> list.
>
> "Since you are hitting the issue 8164, you can manually force the renewal
> on the replica (once the CA renewal master has actually renewed the
> cert) with getcert resubmit."
>
> and the feedback from Roderick was
>
> "Thank you very much! The getcert resubmit has successfully renewed all
> the certificates in need of renewal."
>
> I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?
>
> And, if not, how is the renewal re-triggered (assuming I have manually patched
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie
> problem). Restarting certmonger did not help. Restarting all of IPA did not 
> help.
> -- Kees
>

Anyway, I decided to take a chance and just do it. Not with the ipa-getcert
command but with getcert.

getcert resubmit -i 20181127141751
getcert resubmit -i 20181127141750
getcert resubmit -i 20181127141749
getcert resubmit -i 20181127141739

That worked.

okt 02 21:15:15 rotte.ghs.nl certmonger[184791]: Certificate named 
"subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database 
"/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:16:34 rotte.ghs.nl certmonger[185194]: Certificate named 
"ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database 
"/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:17:46 rotte.ghs.nl certmonger[185599]: Certificate named 
"auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database 
"/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:18:46 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[185607]: Updated 
certificate not available

That last line is the result of resubmitting IPA RA.
I have manually copied /var/lib/ipa/ra-agent.* from the renewal master to this 
machine.

I think all is well now.
-- 
Kees
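An added example, written here and not part of Kees' message or of certmonger/FreeIPA itself: a POSIX shell helper that parses "getcert list" output and reports only the tracking requests that are not healthy (status other than MONITORING, or "stuck: yes"), with the request ID, certificate nickname or file location and any ca-error, which is the check to run on a replica before deciding which IDs to resubmit. It assumes the standard "getcert list" field layout; the sample output it runs on is constructed, with the request IDs, nicknames and paths taken from this thread.

```shell
# Added example, not from the thread: report certmonger tracking requests
# that are not healthy (status other than MONITORING, or "stuck: yes"),
# i.e. the candidates for "getcert resubmit -i <ID>" once the CA renewal
# master has actually renewed.  Live use:  getcert list | report_unhealthy_requests
report_unhealthy_requests() {
    awk -v q="'" '
        # value of key=<single-quoted> in a getcert field line, "?" if absent
        function quoted(line, key) {
            if (match(line, key "=" q "[^" q "]*" q))
                return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
            return "?"
        }
        # emit the record just completed if it is not healthy
        function emit() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                printf "%s\t%s\t%s\t%s\t%s\n", id, status, stuck, nick, err
        }
        /^Request ID/ { emit(); id = $0; gsub(/[^0-9]/, "", id)
                        status = ""; stuck = ""; nick = "?"; err = "" }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*stuck:/    { stuck = $2 }
        /^[ \t]*ca-error:/ { err = $0; sub(/^[ \t]*ca-error: */, "", err) }
        /^[ \t]*certificate:/ {
            nick = quoted($0, "nickname")
            if (nick == "?") nick = quoted($0, "location")   # FILE-type cert
        }
        END { emit() }
    '
}
# Constructed sample in "getcert list" format: IDs, nicknames and paths are
# taken from the thread above, status/error values are made up.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20181127141739':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20181127141751':
    status: CA_UNREACHABLE
    ca-error: (constructed sample error text)
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20181127141749':
    status: MONITORING
    stuck: yes
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
EOF
}
sample_getcert_list | report_unhealthy_requests
```

Each reported line is tab-separated (ID, status, stuck, nickname or path, ca-error); a healthy MONITORING request prints nothing.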
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org