I'm experiencing an issue trying to use ipa-getcert on my IPA clients.

When I run a command similar to this:
ipa-getcert request -K principal/`hostname` -D `hostname` \
 -k /var/lib/ssl/private_keys/`hostname`.pem \
 -f /var/lib/ssl/certs/`hostname`.pem

Sometimes it will work, but 9 times out of 10 an "ipa-getcert list" will
show the request failed with a status of CA_UNREACHABLE. I'm fairly certain
it's not a time-related issue, as I tend to run the command just after
enrolment and our NTP servers are rock solid.

Now, please correct me if I'm wrong (because it feels like I am wrong), but I
think this is happening because not all of my replicas are Certificate
Authorities but the clients are still trying to validate their certificate
signing requests with them.

Am I mistaken? Have I misconfigured something? If my theory is correct, is
there a way to force the client to only talk to the replica(s) running the
CA service for these types of tasks?

Anyway, to try and get round the issue, I decided to try and make all my IPA
replicas Certificate Authorities, and ran into the issue linked below:

Bug 905064 - ipa install error Unable to find preop.pin

This has stopped me from rolling out the CA functionality across all of my
replicas (and I almost trashed a replica in the process of trying to
work around it).

I'm not really bothered which way I go about solving the problem but would
really appreciate some assistance as it feels like I'm stuck between a rock
and a hard place.
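Added example, not part of the original post: a small parser for "ipa-getcert list" output that picks out the requests stuck in CA_UNREACHABLE, pulls the server named in the ca-error line, and compares it against a list of replicas the admin knows to run the CA service. That is a quick way to test the theory in the post (a client talking to a replica without the CA) across many clients. The sample output below is constructed, not captured from a real client; the field names follow certmonger's list format as the author of this example knows it, and the list of CA masters (`ca_masters`) is something the caller supplies, so treat both as assumptions.

```python
import re
import sys

# Constructed sample of `ipa-getcert list` output (not a real capture).
# Field names and the ca-error wording are assumptions about certmonger's format.
SAMPLE_LIST_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130301120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ssl/private_keys/host1.example.com.pem'
\tcertificate: type=FILE,location='/var/lib/ssl/certs/host1.example.com.pem'
\tCA: IPA
\tsubject: CN=host1.example.com,O=EXAMPLE.COM
\texpires: 2015-03-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130301120500':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://replica2.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\tkey pair storage: type=FILE,location='/var/lib/ssl/private_keys/host2.example.com.pem'
\tcertificate: type=FILE,location='/var/lib/ssl/certs/host2.example.com.pem'
\tCA: IPA
\tsubject: 
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\t([^:]+): ?(.*)$")   # "\tkey: value" lines under a request
URL_RE = re.compile(r"https?://[^\s/]+")       # scheme + host of the server in ca-error


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per tracked request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Keys such as "key pair storage" keep their spaces; values may contain colons.
            current[m.group(1)] = m.group(2).strip()
    return requests


def ca_server(request):
    """Return the host named in the request's ca-error line, or None if there is none."""
    m = URL_RE.search(request.get("ca-error", ""))
    return m.group(0).split("//", 1)[1] if m else None


def failed_requests(text):
    """Requests whose status is CA_UNREACHABLE."""
    return [r for r in parse_getcert_list(text) if r.get("status") == "CA_UNREACHABLE"]


def requests_sent_to_non_ca(text, ca_masters):
    """(request id, server) pairs where the server in ca-error is not a known CA master.

    ca_masters is supplied by the caller (assumed: the admin knows which replicas
    were installed with the CA); an empty result means the theory does not hold
    for this client."""
    masters = {h.lower() for h in ca_masters}
    out = []
    for r in failed_requests(text):
        server = ca_server(r)
        if server is not None and server.lower() not in masters:
            out.append((r["id"], server))
    return out


if __name__ == "__main__":
    # Usage: ipa-getcert list | python check_getcert.py ca1.example.com ca2.example.com
    masters = sys.argv[1:] or ["replica1.example.com"]       # assumed CA masters
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_OUTPUT
    for req_id, server in requests_sent_to_non_ca(text, masters):
        print("request %s was sent to %s, which is not a CA master" % (req_id, server))
```

Run it on a client with `ipa-getcert list | python check_getcert.py <ca-master> ...`; with no piped input it runs over the constructed sample, where the second request was sent to replica2.example.com, which is not in the assumed list of CA masters.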

