I think the CA is working, but I don't know for sure, or how to verify it.
At least there are no expired certs on either ipa host

[root@ipa1 ~]# getcert list | grep expires
expires: 2025-11-29 13:19:40 CET
expires: 2025-04-15 16:27:34 CEST
expires: 2025-04-15 16:26:44 CEST
expires: 2025-04-15 16:27:14 CEST
expires: 2037-08-19 16:11:12 CEST
expires: 2025-04-15 16:27:54 CEST
expires: 2025-04-15 16:27:04 CEST
expires: 2040-02-12 12:46:50 CET
expires: 2025-05-29 16:12:51 CEST
expires: 2026-01-26 13:48:23 CET

[root@ipa2 ~]# getcert list | grep expires
expires: 2027-02-16 10:42:29 CET
expires: 2027-02-16 10:42:51 CET
expires: 2025-04-15 16:27:04 CEST
expires: 2027-02-16 10:43:26 CET

The healthcheck showed some "group is not correct" and "files are too
permissive" which I resolved.
Now I have these two checks which do not tell me anything
      "msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
      "msg": "No KDC workers defined in {sysconfig}"

Am Di., 18. Feb. 2025 um 15:22 Uhr schrieb Rob Crittenden via FreeIPA-users
<[email protected]>:

> Boris wrote:
> > Hi Rob,
> >
> > I have two hosts: ipa1 and ipa2
> >
> > ipa1:
> > Fedora 37
> > freeipa-server-4.10.1-1.fc37.x86_64
> > Managed suffixes: domain, ca
> > running with ipactl start --force because the update is not working (The
> > ipa-server-upgrade command failed, exception: RemoteRetrieveError:
> > Failed to authenticate to CA REST API).
> > I tried to upgrade, but the upgrade did not go through.
>
> Your existing CA is having issues. I'd start by checking that your CA
> certificates are still valid: getcert list | grep expires
>
> You might also try installing the freeipa-healthcheck package and
> running ipa-healthcheck. Expect a lot of errors since it won't be able
> to connect to the CA but it will also check the validity dates, etc.
>
> > ipa2:
> > Fedora 35
> > freeipa-server-4.9.11-1.fc35.x86_64
> > Managed suffixes: domain
> >
> > So my thought process was: if it can not authenticate against the CA
> > REST API, I need to add the CA capability to ipa2
>
> You need to authenticate to the CA to create a clone of it. You can't
> install another CA until you get your existing one working.
>
> rob
>
>
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
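Grepping only the "expires:" lines, as done above, hides the two fields in `getcert list` output that say whether certmonger can actually talk to the CA: `status:` (healthy requests sit in MONITORING; CA_UNREACHABLE or similar means renewal will fail) and `stuck:`. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses the standard `getcert list` layout ("Request ID '...':" followed by indented "key: value" lines), drops the CET/CEST zone abbreviation certmonger prints, and reports requests that are expired, due within a threshold, stuck, or not in MONITORING. The embedded sample output, the request IDs, the EXAMPLE.TEST realm and the reference time are constructed for the demonstration.

```python
"""Flag unhealthy certmonger tracking requests from `getcert list` output.

Added example, not part of the original mailing-list thread.
Usage:  getcert list | python3 getcert_check.py
With no piped input it runs against the constructed SAMPLE below.
"""
import re
import sys
from datetime import datetime, timedelta

# certmonger prints local wall-clock time followed by a zone abbreviation
# (e.g. "2025-04-15 16:27:34 CEST"); we keep only the timestamp part.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample in the layout `getcert list` prints (not real output).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20240819161112':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
    issued: 2017-08-19 16:11:12 CEST
    expires: 2037-08-19 16:11:12 CEST
    track: yes
    auto-renew: yes
Request ID '20240415162734':
    status: CA_UNREACHABLE
    stuck: yes
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    issued: 2024-04-15 16:27:34 CEST
    expires: 2025-04-15 16:27:34 CEST
    track: yes
    auto-renew: yes
Request ID '20240101120000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=old-service.example.test,O=EXAMPLE.TEST
    issued: 2024-01-01 12:00:00 CET
    expires: 2025-01-01 12:00:00 CET
    track: yes
    auto-renew: yes
"""

# Constructed reference time (the date of the thread) used for the demo.
EXAMPLE_NOW = datetime(2025, 2, 18, 15, 22)


def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header lines before the first request
        m = re.match(r"^\s+([^:]+): (.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """Return the 'expires:' value as a naive datetime, or None."""
    m = _TS_RE.match(value)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def check_getcert(text, now, warn_days=30):
    """Return (request_id, subject, problem) tuples for unhealthy requests."""
    findings = []
    for req in parse_getcert(text):
        rid, subject = req["id"], req.get("subject", "?")
        status = req.get("status", "?")
        if status != "MONITORING":
            findings.append((rid, subject, f"status {status}"))
        if req.get("stuck", "no") == "yes":
            findings.append((rid, subject, "request is stuck"))
        exp = parse_expiry(req.get("expires", ""))
        if exp is None:
            findings.append((rid, subject, "no expiry date"))
        elif exp < now:
            findings.append((rid, subject, f"expired {exp:%Y-%m-%d}"))
        elif exp - now < timedelta(days=warn_days):
            findings.append((rid, subject, f"expires in {(exp - now).days} days"))
    return findings


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE
    now = datetime.now() if piped else EXAMPLE_NOW
    for rid, subject, problem in check_getcert(text, now):
        print(f"{rid}  {subject}: {problem}")
```

A request whose certificate is still months from expiry but sits in CA_UNREACHABLE (the second sample entry) is exactly the case the "expires" grep misses: the cert is valid today, but certmonger cannot renew it, which is consistent with an `ipa-server-upgrade` failing to authenticate to the CA REST API.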