Sean McLennan via FreeIPA-users wrote:
>> You don't say what distribution or release you are running.
>
> Apologies—I meant to add that and then got distracted. They are both CentOS
> Stream 9 running 4.9.8 (master) and 4.10.0 (replica). I was actually
> surprised they aren't the same version—I'm not sure how that happened TBH.
>
>> I'd
>> recommend installing {free}ipa-healthcheck and seeing if that detects
>> any issues.
>
> Thank you! I didn't know it existed—that's very useful.
>
> On the master it only identifies that the replica is not functioning
> correctly.
> On the replica, the first thing it identified was the ldap / NSS DB mismatch
> on 'subsystemCert cert-pki-ca'—that I fixed with the instruction on
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> and pki-tomcatd now starts. Although oddly ipa-healthcheck is still showing
> it as an error. And it seems other renewed certificates were not updated in
> the replica's ldap either:
Yes, it sure looks that way.
The 404's you see are because the CA didn't successfully start but
tomcat did. So there is no registered servlet associated with the URI.
[snip]
> All of which I guess points to a replication problem? Although changes that
> I've made to users have replicated fine, including ones after the certificate
> renewal and ipa-replica-conncheck doesn't report any problems...
>
> Would 'ipa-replica-manage re-initialize' be a reasonable approach to
> resolving those missing entries?
There are two replication agreements. One for the IPA data
(ipa-replica-manage) and one for the PKI data (ipa-csreplica-manage). It
looks like the IPA agreement is working fine.
I'd try the force-sync command first to see if you can kickstart
replication. If that fails then a re-init is probably in order.
rob