Hi, I'm experiencing an issue trying to use ipa-getcert on my IPA clients.

When I run a command similar to this:

    ipa-getcert request -K principal/`hostname` -D `hostname` \
        -k /var/lib/ssl/private_keys/`hostname`.pem \
        -f /var/lib/ssl/certs/`hostname`.pem

sometimes it will work, but 9 times out of 10 an "ipa-getcert list" will show the request failed with a status of CA_UNREACHABLE. I'm fairly certain it's not a time-related issue, as I tend to run the command just after enrolment and our NTP servers are rock solid.

Now please correct me if I'm wrong (because it feels like I am wrong), but I think this is happening because not all of my replicas are Certificate Authorities but the clients are still trying to validate their certificate signing requests with them. Am I mistaken? Have I misconfigured something? If my theory is correct, is there a way to force the client to only talk to the replica(s) running the CA service for these types of tasks?

Anyway, to try and get round the issue I decided to try and make all my IPA replicas Certificate Authorities, and ran into the issue linked below:

    Bug 905064 - ipa install error Unable to find preop.pin
    https://bugzilla.redhat.com/show_bug.cgi?id=905064

This has stopped me from rolling out the CA functionality across all of my replicas (and I almost trashed a replica in the process of trying to work around it).

I'm not really bothered which way I go about solving the problem, but would really appreciate some assistance, as it feels like I'm stuck between a rock and a hard place.

Thanks,
Charlie
_______________________________________________
Freeipa-users mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-users
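As an added example (not part of Charlie's post, and not FreeIPA's or certmonger's own code): a POSIX shell script that submits the same kind of request with an explicit request nickname, polls its status with getcert list, and resubmits the request while certmonger reports CA_UNREACHABLE. It assumes the ipa-getcert/getcert binaries on an enrolled client, the -I nickname option, the "status:" line layout of getcert list output (the sample output embedded in the script is constructed for the offline check), and the file paths and the placeholder principal from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/certmonger.
# Submits the request with an explicit nickname, polls its status, and
# resubmits while certmonger reports CA_UNREACHABLE.
# Assumptions (illustrative, not taken from the post): the -I nickname
# option of ipa-getcert, the "status:" line layout of `getcert list`,
# and the paths/principal placeholder below.

HOST=${HOST:-$(hostname 2>/dev/null || echo localhost)}
KEYFILE="/var/lib/ssl/private_keys/${HOST}.pem"
CERTFILE="/var/lib/ssl/certs/${HOST}.pem"
REQ_ID="ipa-client-cert"        # nickname given with -I, used to look the request up
MAX_TRIES=${MAX_TRIES:-5}
POLL_SECS=${POLL_SECS:-10}

# Print the value of the first "status:" line from getcert list output on stdin.
status_of() {
    awk -F': *' '$1 ~ /^[[:space:]]*status$/ { print $2; exit }'
}

# Return 0 when a status means the request should be resubmitted.
should_resubmit() {
    case "$1" in
        CA_UNREACHABLE) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `getcert list -i` output (not captured from a real host),
# used for the offline check of the parser.
SAMPLE_LIST="Request ID 'ipa-client-cert':
    status: CA_UNREACHABLE
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ssl/private_keys/ipa1.example.com.pem'
    certificate: type=FILE,location='/var/lib/ssl/certs/ipa1.example.com.pem'
    CA: IPA"

sample_status() {
    printf '%s\n' "$SAMPLE_LIST" | status_of
}

# Live path: submit, then poll; resubmit on CA_UNREACHABLE, give up after MAX_TRIES.
# "principal/${HOST}" is the post's placeholder; use the real service principal.
submit_and_wait() {
    ipa-getcert request -I "$REQ_ID" -K "principal/${HOST}" -D "${HOST}" \
        -k "$KEYFILE" -f "$CERTFILE" || return 1
    tries=0
    st=""
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        sleep "$POLL_SECS"
        st=$(getcert list -i "$REQ_ID" | status_of)
        echo "attempt $tries: status=$st"
        case "$st" in
            MONITORING) echo "certificate issued: $CERTFILE"; return 0 ;;
        esac
        if should_resubmit "$st"; then
            getcert resubmit -i "$REQ_ID"
        fi
        tries=$((tries + 1))
    done
    echo "giving up; last status: $st" >&2
    return 1
}

# Only touch certmonger when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    submit_and_wait
fi
```

Run it as `sh request-cert.sh --run` on the client. Note that resubmitting does not change which IPA server certmonger's IPA helper contacts; it only retries the same request, so it helps when the failure is intermittent rather than when the configured server never hosts a CA.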