Okay, thanks!

Pardon my ignorance, but I am not sure what to do still to resolve the
issue. I have 2 other replicas that picked up the renewed certificate fine
from the renewal master because they were online.

What do I need to do to get this guy to pick up the renewed certificate?

On Thu, Sep 2, 2021 at 4:03 PM Rob Crittenden <[email protected]> wrote:

> Russell Jones via FreeIPA-users wrote:
> > Hi all,
> >
> > I have a replica that, while offline due to maintenance, some
> > certificates appear to have been auto renewed. Upon bringing the node
> > back online the ipa-healthcheck script showed several errors that were
> > fixed by re-initializing the replica.
> >
> > However, the following errors were not fixed by reinitializing:
> >
> >
> > [root@freeipa4 ~]# ipa-healthcheck --output-type human --failures-only |
> > grep -v ipahealthcheck.ipa.idns
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170451:
> > Request id 20200130170451 expires in 26 days
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170452:
> > Request id 20200130170452 expires in 26 days
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170453:
> > Request id 20200130170453 expires in 26 days
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170451:
> > Request id 20200130170451 expires in 26 days
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170452:
> > Request id 20200130170452 expires in 26 days
> > WARNING:
> > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170453:
> > Request id 20200130170453 expires in 26 days
> >
> >
> > When I try to use getcert resubmit, it shows either:
> >
> > freeipa4 dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
> >
> > or
> >
> > freeipa4 certmonger: 2021-09-02 15:43:15 [1264] Invalid cookie: u''
> >
> >
> > Any ideas on how to get this guy healthy again?
>
> The CAs in IPA are in dogtag parlance "clones". They share most of the
> same configuration and certificates.
>
> One IPA server is selected, the first installed by default, as the
> renewal master. It is responsible for renewing the shared certificates
> and placing the updated contents into LDAP which will then be replicated
> to the other servers and picked up when renewal is needed.
>
> The first message means that an updated certificate is not available.
> The second message was fixed in IPA 4.9.0 in ticket
> https://pagure.io/freeipa/issue/8164
>
> What this means is that the updated certificates are not available in
> LDAP for certmonger to retrieve. They can be found in
> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX under the nickname for each
> certificate.
>
> rob
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
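An added example, not code from this thread or from the FreeIPA project, that performs the check Rob's quoted reply points at: for each certificate certmonger tracks on the replica, look up the entry of the same nickname under cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX and see whether the copy the renewal master published actually expires later than the local one. It assumes the renewal entries keep the certificate in userCertificate;binary and that `getcert list` prints a `certificate: ... nickname='...'` line and an `expires: YYYY-MM-DD HH:MM:SS UTC` line as shown; the request IDs, nicknames-to-request mapping, command output and certificate bytes are constructed fixtures. On a real replica you would feed it the output of `getcert list` and of `ldapsearch -LLL -Y GSSAPI -b "cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX"` (after kinit) instead.

```python
"""Does cn=ca_renewal hold a newer certificate than the one certmonger tracks?
Added example, not FreeIPA project code.  Parses `getcert list` output and an
LDIF dump of cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, walks the stored DER to get
serial and notAfter, and compares expiry dates.  Inputs are constructed fixtures."""
import base64
import datetime
import re

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def serial_and_not_after(der):
    """Walk Certificate -> TBSCertificate and return (serial, notAfter as UTC datetime)."""
    _, cert, _ = der_read(der, 0)           # Certificate SEQUENCE
    _, tbs, _ = der_read(cert, 0)           # TBSCertificate SEQUENCE
    tag, val, pos = der_read(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, val, pos = der_read(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)   # serialNumber INTEGER
    _, _, pos = der_read(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = der_read(tbs, pos)          # issuer Name
    _, validity, _ = der_read(tbs, pos)     # Validity { notBefore, notAfter }
    _, _, vpos = der_read(validity, 0)
    tag, raw, _ = der_read(validity, vpos)
    s = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 says YY >= 50 is 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    when = datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    return serial, when.replace(tzinfo=datetime.timezone.utc)

def parse_ca_renewal_ldif(ldif):
    """Map cn (NSS nickname) -> DER certificate.  Assumes the entries keep the
    certificate in userCertificate;binary; folded LDIF lines are rejoined."""
    certs = {}
    for block in ldif.strip().split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in re.sub(r"\n ", "", block).splitlines()
                      if ": " in line and not line.startswith("#"))
        b64 = fields.get("userCertificate;binary:")     # '::' means base64 value
        if "cn" in fields and b64:
            certs[fields["cn"]] = base64.b64decode(b64)
    return certs

def parse_getcert_list(text):
    """Map request ID -> (NSS nickname, local expiry) from `getcert list` output."""
    tracked = {}
    for block in re.split(r"(?m)^Request ID ", text)[1:]:
        req_id = block.split("'")[1]
        nick = re.search(r"^\s*certificate: .*nickname='([^']*)'", block, re.M)
        exp = re.search(r"^\s*expires: (\S+ \S+) UTC", block, re.M)
        if nick and exp:
            local = datetime.datetime.strptime(exp.group(1), "%Y-%m-%d %H:%M:%S")
            tracked[req_id] = (nick.group(1), local.replace(tzinfo=datetime.timezone.utc))
    return tracked

def renewal_status(getcert_text, ldif):
    """For each tracked request, say whether LDAP holds a newer certificate."""
    published = parse_ca_renewal_ldif(ldif)
    report = {}
    for req_id, (nick, local_exp) in parse_getcert_list(getcert_text).items():
        if nick not in published:
            report[req_id] = f"no entry for '{nick}' in cn=ca_renewal"
            continue
        serial, ldap_exp = serial_and_not_after(published[nick])
        if ldap_exp > local_exp:
            report[req_id] = f"renewed copy in LDAP (serial {serial:x}, expires {ldap_exp:%Y-%m-%d})"
        else:
            report[req_id] = "LDAP copy is not newer: renewal master has not published a renewal"
    return report

def _der(tag, content):                     # short-form lengths suffice for the fixture
    return bytes([tag, len(content)]) + content

def synthetic_cert(serial, not_after):
    """Constructed skeleton with only the fields the walker reads; not a valid cert."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(2, "big"))
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"") + _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, not_after)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def ldif_entry(nick, der):
    """Constructed ldapsearch-style entry, base64 value folded at 76 columns."""
    attr = "userCertificate;binary:: " + base64.b64encode(der).decode()
    folded = [attr[:76]] + [" " + attr[i:i + 75] for i in range(76, len(attr), 75)]
    return "\n".join([f"dn: cn={nick},cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com",
                      f"cn: {nick}"] + folded) + "\n"

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20210830120000':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2021-09-28 15:31:23 UTC
Request ID '20210830120001':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2021-09-28 15:31:23 UTC
"""
SAMPLE_LDIF = (ldif_entry("auditSigningCert cert-pki-ca", synthetic_cert(0x1234, b"230918153123Z"))
               + "\n" + ldif_entry("ocspSigningCert cert-pki-ca", synthetic_cert(0x11, b"210928153123Z")))
```

Calling `renewal_status(SAMPLE_GETCERT, SAMPLE_LDIF)` reports a renewed copy for the first request and "LDAP copy is not newer" for the second, which is the state Rob describes: certmonger on the replica has nothing newer to fetch until the renewal master has renewed and written the certificate into that entry. When every tracked certificate lands in the second category, the place to look is the renewal master itself (`ipa config-show` prints which server holds that role) rather than the replica that is reporting the warnings.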