[Freeipa-users] Re: Internal Database Error encountered: Could not connect to LDAP server host idmipa02.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

[TomK via FreeIPA-users]

On 2022-09-25 12:42 a.m., TomK via FreeIPA-users wrote:
On 2022-09-25 12:38 a.m., TomK via FreeIPA-users wrote:
Hey Everyone!
Wondering if anyone could help nudge me along in the right direction 
on this one.  Getting the following on my FreeIPA master and replica:

Internal Database Error encountered: Could not connect to LDAP server 
host idmipa01.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: 
Authentication failed (48)

Internal Database Error encountered: Could not connect to LDAP server 
host idmipa02.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: 
Authentication failed (48)

These appeared after some power outages occurred 2-3 times and both 
hosts were affected.  Went over a few pages online to try to get to 
the bottom of these errors on these VM's however no luck so far:


https://access.redhat.com/solutions/3081821
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ 


and about a dozen other pages with little luck.


Here's what I tried. First, wanted to and did kick off the following 
on idmipa02:

ipa-cacert-manage renew

I've read on a few posts that command will cause the running server 
to become the renewal master, so was cautious to check first:

[idmipa01]
# ipa config-show | grep 'IPA CA renewal master'
  IPA CA renewal master: idmipa02.nix.mds.xyz


[idmipa02]
# ipa config-show | grep 'IPA CA renewal master'
  IPA CA renewal master: idmipa02.nix.mds.xyz


Checked the certs and indeed the serial was different:

# ldapsearch -D 'cn=directory manager' -W -b 
uid=pkidbuser,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
userPassword:: e1NTSEE1MTJ9NUs3N......................................g4
description: 2;26;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA 
Subsystem,O=NIX
 .MDS.XYZ
seeAlso: CN=CA Subsystem,O=NIX.MDS.XYZ
userCertificate:: MIIDdjCCAl6............................IYL9mJQXhHIxpc=
userCertificate:: MIIDcTCCAlmgAwIBAg.........Mdr8SvD9uWfMPwUE4Tf2csf0z+Z
userCertificate:: MIIDcTCCAlmgA..............yShSmujM9PJrJPBBjLmTCIle9Xl
userCertificate:: MIIDdDCCAlygAwIBAg......................cgDVlPYm3LmKk+
userstate: 1
usertype: agentType
mail:
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert 
cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDdDC..........................................dJmcMKreZ7cgDVlPYm3LmKk+ 

-----END CERTIFICATE-----


# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert 
cert-pki-ca' |grep -i serial
        Serial Number: 268369925 (0xfff0005)

So updated it using:

ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -W << EOF
dn:uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;268369925;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA 
Subsystem,O=NIX.MDS.XYZ
EOF


Then verified that only the serial changed (the cert was already in 
the list anyway so did not need to change) by comparing the before 
and after:


# diff 1.txt 2.txt
11a12,13
> description: 2;268369925;CN=Certificate 
Authority,O=NIX.MDS.XYZ;CN=CA Subsyste
>  m,O=NIX.MDS.XYZ
14,15d15
< description: 2;26;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA 
Subsystem,O=NIX
<  .MDS.XYZ


Confirmed trust attributes are fine:


certutil -d /etc/dirsrv/slapd-NIX-MDS-XYZ/ -L

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Server-Cert u,u,u
NIX.MDS.XYZ IPA CA CT,C,C


Yet on restart on idmipa02, still the same issue:


# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in 
case that a non-critical service failed
Aborting ipactl


I have dated snapshots of both servers however, they both are with 
the above mentioned issue.  These hosts were also offline for a 
couple of months meaning cert expiration could be an issue. Likewise, 
I could have caused a slight mess myself trying various online 
solutions that don't always match 100%.

In regards to the certificate expiration, below are the expiration 
dates for various certs though admittedly, I can't be sure of how 
impacting any of these dates are since I don't yet understand the 
usage of each of these certs as much as I would like to, which the 
exception of the subsystemCert:

# getcert list|grep -Ei "expires|status|key pair storage"
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2022-09-10 22:14:56 UTC
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2022-09-10 22:13:56 UTC
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2022-09-10 22:13:54 UTC
        status: MONITORING
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2036-11-21 07:32:02 UTC
        status: CA_UNREACHABLE
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        expires: 2022-09-21 22:13:57 UTC
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2022-08-27 17:23:10 UTC
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-NIX-MDS-XYZ/pwdfile.txt'
        expires: 2022-09-29 17:22:58 UTC
        status: CA_UNREACHABLE
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        expires: 2022-09-29 17:22:45 UTC
        status: MONITORING
        key pair storage: 
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        expires: 2023-09-25 02:17:17 UTC

Both hosts are reachable from each other.  Verified a couple of ports 
to be sure. F/W is off on both, for the moment and both hosts exist 
on the same VLAN.



FreeIPA Version:

# ipa --version
VERSION: 4.6.6, API_VERSION: 2.231

Plus the pki-tomcat debug log entry on restart:


# tail -f /var/log/pki/pki-tomcat/ca/debug -n 100

[25/Sep/2022:00:05:28][localhost-startStop-1]: 
============================================
[25/Sep/2022:00:05:28][localhost-startStop-1]: =====  DEBUG SUBSYSTEM 
INITIALIZED   =======
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
============================================
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: restart at 
autoShutdown? false
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: autoShutdown 
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: about to 
look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: found 
cert:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: done init 
id=debug
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: initialized 
debug
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: 
initSubsystem id=log
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: ready to 
init id=log
[25/Sep/2022:00:05:28][localhost-startStop-1]: Event filters:
[25/Sep/2022:00:05:28][localhost-startStop-1]: Creating 
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[25/Sep/2022:00:05:28][localhost-startStop-1]: Event filters:
[25/Sep/2022:00:05:28][localhost-startStop-1]: Creating 
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[25/Sep/2022:00:05:28][localhost-startStop-1]: Event filters:
[25/Sep/2022:00:05:28][localhost-startStop-1]: Creating 
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: restart at 
autoShutdown? false
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: autoShutdown 
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: about to 
look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: found 
cert:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: done init 
id=log
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: initialized log
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: 
initSubsystem id=jss
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: ready to 
init id=jss
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: 
initializing JSS subsystem
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: enabled: 
true
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: NSS 
database: /var/lib/pki/pki-tomcat/alias/
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: 
initializing CryptoManager
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: 
initializing SSL
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: random:
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: - 
algorithm: pkcs11prng
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: - 
provider: Mozilla-JSS
[25/Sep/2022:00:05:28][localhost-startStop-1]: JssSubsystem: 
initialization complete
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: restart at 
autoShutdown? false
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: autoShutdown 
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: about to 
look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: found 
cert:auditSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: done init 
id=jss
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: initialized jss
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: 
initSubsystem id=dbs
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine: ready to 
init id=dbs
[25/Sep/2022:00:05:28][localhost-startStop-1]: DBSubsystem: init()  
mEnableSerialMgmt=true
[25/Sep/2022:00:05:28][localhost-startStop-1]: Creating 
LdapBoundConnFactor(DBSubsystem)
[25/Sep/2022:00:05:28][localhost-startStop-1]: LdapBoundConnFactory: init
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
LdapBoundConnFactory:doCloning true
[25/Sep/2022:00:05:28][localhost-startStop-1]: LdapAuthInfo: init()
[25/Sep/2022:00:05:28][localhost-startStop-1]: LdapAuthInfo: init begins
[25/Sep/2022:00:05:28][localhost-startStop-1]: LdapAuthInfo: init ends
[25/Sep/2022:00:05:28][localhost-startStop-1]: init: before 
makeConnection errorIfDown is true
[25/Sep/2022:00:05:28][localhost-startStop-1]: makeConnection: 
errorIfDown true
[25/Sep/2022:00:05:28][localhost-startStop-1]: TCP Keep-Alive: true
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
ldapconn/PKISocketFactory.makeSocket: begins
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
ldapconn/PKISocketFactory.makeSSLSocket: begins
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
SSLClientCertificateSelectionCB: Setting desired cert nickname to: 
subsystemCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
ldapconn/PKISocketFactory.makeSSLSocket:  set client auth cert 
nickname subsystemCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
SSLClientCertificatSelectionCB: Entering!
[25/Sep/2022:00:05:28][localhost-startStop-1]: Candidate cert: 
caSigningCert cert-pki-ca
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
SSLClientCertificateSelectionCB: returning: null
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
PKIClientSocketListener.handshakeCompleted: begins
[25/Sep/2022:00:05:28][localhost-startStop-1]: SignedAuditLogger: 
event CLIENT_ACCESS_SESSION_ESTABLISH
[25/Sep/2022:00:05:28][localhost-startStop-1]: LogFile: event type not 
selected: CLIENT_ACCESS_SESSION_ESTABLISH
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
PKIClientSocketListener.handshakeCompleted: 
CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[25/Sep/2022:00:05:28][localhost-startStop-1]: 
PKIClientSocketListener.handshakeCompleted: clientIP=192.168.0.45 
serverIP=192.168.0.45 serverPort=31746
[25/Sep/2022:00:05:28][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host idmipa02.nix.mds.xyz port 636 
Error netscape.ldap.LDAPException: Authentication failed (48)
        at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at 
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:667)
        at 
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
        at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:191)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1458)
        at 
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at 
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1218)
        at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1174)
        at 
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066)
        at 
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5377)
        at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5669)
        at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at 
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at 
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at 
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Internal Database Error encountered: Could not connect to LDAP server 
host idmipa02.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: 
Authentication failed (48)
        at 
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689)
        at 
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
        at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:191)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1458)
        at 
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at 
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1218)
        at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1174)
        at 
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066)
        at 
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5377)
        at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5669)
        at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at 
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at 
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at 
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMS.start(): shutdown 
server
[25/Sep/2022:00:05:28][localhost-startStop-1]: CMSEngine.shutdown()



Decided to start fresh and work off of idmipa01 (first host and the 
master) instead.

Eventually I got success (I'll write up a more detailed procedure in the 
next few days from all the RH and FLo's and Fraser's blogs ):

getcert list|grep -Ei "Request ID|status:|stuck:|expires"
Request ID '20180122053031':
        status: MONITORING
        stuck: no
        expires: 2024-09-15 05:15:58 UTC
Request ID '20180122053032':
        status: MONITORING
        stuck: no
        expires: 2024-09-15 05:09:34 UTC
Request ID '20180122053033':
        status: MONITORING
        stuck: no
        expires: 2024-09-15 05:14:47 UTC
Request ID '20180122053034':
        status: MONITORING
        stuck: no
        expires: 2042-09-11 09:07:22 UTC
Request ID '20180122053035':
        status: MONITORING
        stuck: no
        expires: 2024-08-31 09:03:44 UTC
Request ID '20180122053036':
        status: MONITORING
        stuck: no
        expires: 2024-08-31 09:03:43 UTC
Request ID '20180122053037':
        status: MONITORING
        stuck: no
        expires: 2024-09-26 05:16:52 UTC
Request ID '20180122053042':
        status: MONITORING
        stuck: no
        expires: 2024-09-26 05:16:38 UTC
Request ID '20180122053135':
        status: MONITORING
        stuck: no
        expires: 2023-09-26 00:54:45 UTC

My question is now how do I replciate to the secondary master or would I 
have to regenerate all certs there?

# ipa-replica-manage list -v
idmipa01.nix.mds.xyz: master
idmipa02.nix.mds.xyz: master

# ipa-replica-manage list -v idmipa02.nix.mds.xyz
idmipa01.nix.mds.xyz: replica
  last update status: Error (18) Replication error acquiring replica: 
Incremental update transient warning.  Backing off, will retry update 
later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00

# ipa-replica-manage list -v idmipa01.nix.mds.xyz
idmipa02.nix.mds.xyz: replica
  last update status: Error (0) Replica acquired successfully: 
Incremental update succeeded
  last update ended: 2022-09-26 05:40:34+00:00

--
Thx,
TK.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue