In the process of prepping a replication host for changing over the CA I had to use certmonger to generate another certificate on my secondary IPA server. Unfortunately it seems to fail every single time. Here is what I am running and here is what I am getting:

    ipa-getcert request -k private/ipa2.abaqis.com.key -f certs/ipa2.abaqis.com.crt -g 2048

The request appears to work; however, when checking the list I receive the following:

    ipa-getcert list -r
    Number of certificates and requests being tracked: 9.
    Request ID '20131128202128':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Fine, I check the http logs and get about the same:

    [Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)

Now as I understand it, ipa-getcert is going to the server listed in /etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the request is coming from the same host). The host principal in /etc/krb5.keytab is used for authentication.

I have tested against the primary IPA server and everything works as it should. However, any requests going against ipa2 for certificates are failing.

At this point I am stuck, so any suggestions are welcome.

-Erinn
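A check for tracked requests in the state shown above, as an added example that is not part of the original post: it parses `ipa-getcert list` output and reports requests that are stuck or not in `MONITORING`. The sample text is constructed from the values in the post plus one made-up healthy request; treating `MONITORING` as the only healthy status is an assumption.

```python
import re

# Constructed sample: the request from the post, laid out the way
# `ipa-getcert list` prints it, plus one made-up healthy request.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131128202128':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
\tCA: IPA
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID 'example-healthy':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\ttrack: yes
"""

REQ = re.compile(r"^Request ID '([^']+)':\s*$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            # Split on the first colon only: values such as ca-error contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def unhealthy(requests):
    """Return (id, status, ca-error) for requests needing attention."""
    # Assumption: MONITORING is the only steady, healthy status.
    bad = []
    for rid, f in requests.items():
        if f.get("stuck") == "yes" or f.get("status") != "MONITORING":
            bad.append((rid, f.get("status"), f.get("ca-error", "")))
    return bad

if __name__ == "__main__":
    for rid, status, err in unhealthy(parse_getcert_list(SAMPLE)):
        print(f"{rid}: {status} {err}")
```

Run against real `ipa-getcert list` output from a scheduled job, this surfaces a request like the one in the post before the certificate it was meant to renew expires.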