Since I needed to make sure I could recover from this if it ever
happened again, I went back to an old copy of the VM and I'm going through
everything I did on the original. To begin with, it does have the same
issue, the cert won't renew. So I attempted to db2ldif and ldif2db all
of the db's ***WITHOUT*** upgrading FreeIPA, and that didn't work.
Different error than before when running , but I don't have it in
front of me now, so I can't report it. One thing I did notice is that
the exported ldif did not have the extra entries that prevented the
ldif from importing right away last time.

So I rolled back to the original database again, ran the freeipa
upgrade from yum, and then exported the db's and now these entries
show in the db that weren't there before:

Any idea why the upgrade did this? The ldif2db fails with this error
as long as those 2 entries are in the ldif:

[21/Mar/2012:00:59:14 +0000] entryrdn-index - _entryrdn_insert_key:
Same DN (dn: ou=profile,dc=abc,dc=xyz) is already in the entryrdn file
with different ID 146.  Expected ID is 311.
[21/Mar/2012:00:59:14 +0000] - import userRoot: Duplicated DN
detected: "ou=profile,dc=abc,dc=xyz": Entry ID: (311)

Sorry for bringing this back up, but it seems odd that the upgrade
duplicates this entry.


On Tue, Mar 20, 2012 at 5:22 PM, Jimmy <> wrote:
> Cool thanks for the awesome help, y'all.
> On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden <> wrote:
>> Jimmy wrote:
>>> I restarted certmonger and it seems to be working. Is there some way
>>> to change the renewal interval so we can simulate this in the lab? I'd
>>> like to see it go through a number of renewals to make sure we don't
>>> keep having this problem.
>> Glad you are up and running again. You can control the interval by tuning
>> knobs in certmonger.conf(5). You want to modify ttls.
>> rob
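
A pre-import check for the duplicate-DN condition in the error quoted above, as an added example that is not part of the original thread or of the FreeIPA / 389 Directory Server code: it scans an exported LDIF for DNs that occur more than once before the file is handed to ldif2db. The sample LDIF is constructed, the function names are hypothetical, and DN comparison is simplified to case and whitespace around commas.

```python
import base64
import re
from collections import defaultdict
# Constructed sample export (not from the thread): the second copy of the
# DN is folded across two lines and differs in case and spacing.
SAMPLE_LDIF = """\
dn: dc=abc,dc=xyz

dn: ou=profile,dc=abc,dc=xyz
objectClass: organizationalUnit

dn: cn=users,dc=abc,dc=xyz

dn: OU=profile, dc=abc,
 dc=xyz
objectClass: organizationalUnit
"""

def unfold(text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize_dn(dn):
    """Simplified comparison key: trim each RDN, then lower-case."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()

def find_duplicate_dns(text):
    """Map each repeated DN to its entries' ordinal positions (not server IDs)."""
    seen = defaultdict(list)
    position = 0
    for line in unfold(text):
        if line.startswith("dn::"):      # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            continue
        position += 1
        seen[normalize_dn(dn)].append(position)
    return {dn: pos for dn, pos in seen.items() if len(pos) > 1}

if __name__ == "__main__":
    for dn, positions in find_duplicate_dns(SAMPLE_LDIF).items():
        print(f"duplicate DN {dn!r} at entries {positions}")
```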

Freeipa-users mailing list
