Thanks! I compared between a working one and this and the output looked the same. I did not see anything obvious.
Instead of continuing to spin my wheels I decided to go the route of just blowing the whole replica away and recreating it - Problem solved! :-)

On Thu, Sep 2, 2021 at 4:47 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> Russell Jones wrote:
> > Okay, thanks!
> >
> > Pardon my ignorance, but I am not sure what to do still to resolve the
> > issue. I have 2 other replicas that picked up the renewed certificate
> > fine from the renewal master because they were online.
> >
> > What do I need to do to get this guy to pick up the renewed certificate?
>
> The fact that resubmit says there is no update certificate available
> suggests that there may still be a problem with replication. I'd look at
> the LDAP location I provided on a working and non-working server to see
> if they match.
>
> rob
>
> > On Thu, Sep 2, 2021 at 4:03 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Russell Jones via FreeIPA-users wrote:
> >     > Hi all,
> >     >
> >     > I have a replica that, while offline due to maintenance, some
> >     > certificates appear to have been auto renewed. Upon bringing the node
> >     > back online the ipa-healthcheck script showed several errors that were
> >     > fixed by re-initializing the replica.
> >     >
> >     > However, the following errors were not fixed by reinitializing:
> >     >
> >     > [root@freeipa4 ~]# ipa-healthcheck --output-type human --failures-only | grep -v ipahealthcheck.ipa.idns
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170451: Request id 20200130170451 expires in 26 days
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170452: Request id 20200130170452 expires in 26 days
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170453: Request id 20200130170453 expires in 26 days
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170451: Request id 20200130170451 expires in 26 days
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170452: Request id 20200130170452 expires in 26 days
> >     > WARNING: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170453: Request id 20200130170453 expires in 26 days
> >     >
> >     > When I try to use getcert resubmit, it shows either:
> >     >
> >     > freeipa4 dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
> >     >
> >     > or
> >     >
> >     > freeipa4 certmonger: 2021-09-02 15:43:15 [1264] Invalid cookie: u''
> >     >
> >     > Any ideas on how to get this guy healthy again?
> >
> >     The CAs in IPA are in dogtag parlance "clones". They share most of the
> >     same configuration and certificates.
> >
> >     One IPA server is selected, the first installed by default, as the
> >     renewal master. It is responsible for renewing the shared certificates
> >     and placing the updated contents into LDAP which will then be replicated
> >     to the other servers and picked up when renewal is needed.
> >
> >     The first message means that an updated certificate is not available.
> >     The second message was fixed in IPA 4.9.0 in ticket
> >     https://pagure.io/freeipa/issue/8164
> >
> >     What this means is that the updated certificates are not available in
> >     LDAP for certmonger to retrieve. They can be found in
> >     cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX under the nickname for each
> >     certificate.
> >
> >     rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
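Rob's advice in the thread is to compare the cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX subtree on a working and a non-working server. The script below is an added example, not code from the thread or from the FreeIPA project: it reads two LDIF exports of that subtree (assumed to come from something like `ldapsearch -LLL -o ldif-wrap=no -b 'cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX'` on each server, an OpenLDAP invocation that is an assumption here) and reports, per certificate nickname, whether the stored certificate matches, differs, or is missing on the replica. The suffix dc=example,dc=test and the DER payloads in the embedded samples are constructed placeholders.

```python
import base64
import hashlib

def parse_ldif(text):
    """LDIF -> list of {attr: [bytes]}; unwraps folded lines, decodes '::' base64."""
    text = text.replace("\n ", "")                 # join folded continuation lines
    entries = []
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):   # skip comments and junk lines
                continue
            value = value.strip()
            data = base64.b64decode(value[1:]) if value.startswith(":") else value.encode()
            attrs.setdefault(name.lower(), []).append(data)
        entries.append(attrs)
    return entries

def renewal_fingerprints(ldif_text):
    """Nickname (entry cn) -> SHA-256 of the DER stored in userCertificate;binary."""
    out = {}
    for attrs in parse_ldif(ldif_text):
        der = attrs.get("usercertificate;binary") or attrs.get("usercertificate")
        if der and "cn" in attrs:
            out[attrs["cn"][0].decode()] = hashlib.sha256(der[0]).hexdigest()
    return out

def compare_ca_renewal(ldif_working, ldif_broken):
    """{nickname: status}; 'differs' = broken replica holds a different (stale) cert."""
    a, b = renewal_fingerprints(ldif_working), renewal_fingerprints(ldif_broken)
    report = {}
    for nick in sorted(set(a) | set(b)):
        if nick not in b:
            report[nick] = "missing on broken replica"
        elif nick not in a:
            report[nick] = "missing on working server"
        else:
            report[nick] = "match" if a[nick] == b[nick] else "differs"
    return report

def sample_ldif(certs):
    """Constructed ca_renewal export; DER payloads are placeholder bytes, not real certs."""
    return "".join(f"dn: cn={n},cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test\n"
                   f"cn: {n}\nuserCertificate;binary:: {base64.b64encode(d).decode()}\n\n"
                   for n, d in certs.items())

# Constructed samples: the broken replica still holds the pre-renewal OCSP signing cert.
WORKING = sample_ldif({"caSigningCert cert-pki-ca": b"der-renewed-2021", "ocspSigningCert cert-pki-ca": b"der-renewed-2021"})
BROKEN = sample_ldif({"caSigningCert cert-pki-ca": b"der-renewed-2021", "ocspSigningCert cert-pki-ca": b"der-expiring-2020"})
```

A nickname reported as "differs" or "missing on broken replica" is one whose renewed certificate never replicated to that server, which is the condition under which certmonger's resubmit reports "Updated certificate not available".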