I'm experiencing an issue trying to use ipa-getcert on my IPA clients.
When I run a command similar to this:
ipa-getcert request -K principal/`hostname` -D `hostname` \
-k /var/lib/ssl/private_keys/`hostname`.pem \
Sometimes it will work, but 9 times out of 10 an "ipa-getcert list" will
show the request failed with a status of CA_UNREACHABLE. I'm fairly certain
it's not a time related issue as I tend to run the command just after
enrolment and our NTP servers are rock solid.
Now please correct me if I'm wrong (because it feels like I am wrong) but I
think this is happening because not all of my replicas are Certificate
Authorities but the clients are still trying to validate their certificate
signing requests with them.
Am I mistaken? Have I misconfigured something? If my theory is correct, is
there a way to force the client to only talk to the replica(s) running the
CA service for these types of tasks?
Anyway, to try and get round the issue, I decided to try and make all my IPA
replicas Certificate Authorities and ran into the issue linked below:
Bug 905064 - ipa install error Unable to find preop.pin
This has stopped me from rolling out the CA functionality across all of my
replicas (and I almost trashed a replica in the process of trying to
work around it).
I'm not really bothered which way I go about solving the problem but would
really appreciate some assistance as it feels like I'm stuck between a rock
and a hard place.
Freeipa-users mailing list
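An added troubleshooting check, not part of the original post or of FreeIPA itself: a small POSIX shell function that parses the output of `ipa-getcert list` and prints, for every request stuck in CA_UNREACHABLE, the IPA server URL that certmonger reported trying, so it can be compared against the replicas that actually run the CA service. The sample output embedded below is constructed, with placeholder hostnames and request IDs, and the exact ca-error wording is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output (placeholder hostnames and
# request IDs; the ca-error wording is an assumption, not a captured message).
# Real output indents fields with tabs; awk field splitting handles either.
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130201000001':
    status: CA_UNREACHABLE
    ca-error: Server at https://replica2.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction).
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ssl/private_keys/client.example.test.pem'
    CA: IPA
Request ID '20130201000002':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/other.pem'
    CA: IPA
EOF
)

# Read `ipa-getcert list` output on stdin and print one line per request whose
# status is CA_UNREACHABLE: "<request id> <status> <server url certmonger tried>".
# A request without a recognisable "Server at <url>" ca-error prints "-" as url.
failed_requests() {
    awk '
        function flush() {
            if (id != "" && st == "CA_UNREACHABLE") print id, st, srv
        }
        $1 == "Request" && $2 == "ID" {
            flush()
            id = $3; gsub(/[^0-9A-Za-z]/, "", id); st = ""; srv = "-"
        }
        $1 == "status:" { st = $2 }
        $1 == "ca-error:" && /Server at / {
            srv = $0; sub(/.*Server at /, "", srv); sub(/ .*/, "", srv)
        }
        END { flush() }
    '
}

# Stand-alone run over the constructed sample; on a real client run:
#   ipa-getcert list | failed_requests
printf '%s\n' "$SAMPLE_LIST" | failed_requests
```

If the URLs printed belong to replicas that do not run the CA role, that supports the theory in the post; if they point at a CA replica, the problem lies elsewhere.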