On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>>
>> This worked better than expected. Thank you! :)
>>
>>
>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays
>> any certificates out of date, and all certificates in need of renewal
>> within 28 days have been renewed. The webui also started working again and
>> things seem to be back to normal.
>>
>> ipa03 however is still having issues. I could not renew any certificates
>> on this server to begin with, but I managed to renew the certificates for
>> the directory servers by changing the xmlrpc url to another ipa server in
>> /etc/ipa/default.conf and resubmitting these requests.
>>
>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with
>> NEED_GUIDANCE after a short while for the certificates for the PKI service.
>>
>>
>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>> Updated certificate for ipaCert not available".
>>
>>
>> There is a lot of information in the /var/log/pki-ca/debug, but nothing
>> that I can easily distinguish as an error from all the other output.
>> Anything in particular I should look for?
>
> Ok, so this is a bug in IPA related to python readline. Garbage is
> getting inserted and causing bad things to happen,
> https://fedorahosted.org/freeipa/ticket/4064
>
>
> So the question is, are the certs available or not.
>
>
> A number of the same certificates are shared amongst all the CAs. One
> does the renewal and stuffs the result into
> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that location
> for an updated cert and will load them if they are updated.
>
> Look to see if the certs are updated there. Given that you have 2
> working masters I'm assuming that is the case, so it may just be a matter
> of fixing the python.
>

I could not get anywhere even after manually patching the python script as
mentioned in the ticket you provided.


I ended up removing and re-adding the replica during a maintenance window.
For future reference, what I did was to remove the replica as per the
Identity Management Guide on docs.redhat.com. I then re-created the replica
installation file and installed the replica.

At this point Certmonger managed to retrieve new certificates for the expired
certificates, but it kept segfaulting when it attempted to save the
certificate to disk. I restarted certmonger a few times, but certmonger just
ended up segfaulting over and over. I decided to block the ipa server off the
network and change the date back to before the certs expired. After the date
was changed I restarted certmonger. Certmonger managed to save the certs
successfully this time and a "getcert list" now displays only certificates
with an expiry date of 2015 or 2016 and a status of MONITORING.

I changed the date back to the correct date and time and removed the iptables
rules. The replica now works just fine.

Thank you for your assistance.


Regards,
Siggi
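The thread's health criterion for a master is "getcert list shows no certificate out of date, nothing due within 28 days, and every request in MONITORING". The script below, added here as an illustration and not code from the thread or from FreeIPA/certmonger, parses `getcert list` output and reports any tracking request that violates that criterion (a non-MONITORING status such as NEED_GUIDANCE, a stuck request, an expired certificate, or one inside the renewal window). The sample output and the fixed "now" are constructed; on a real system you would feed it `getcert list` via stdin.

```python
import re
import sys
from datetime import datetime, timezone

# Renewal window used in the thread: certs due within 28 days should already
# have been renewed by certmonger.
RENEWAL_WINDOW_DAYS = 28

# Constructed sample of `getcert list` output (not captured from the thread).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140117103000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa01.example.com,O=EXAMPLE.COM
\texpires: 2016-01-17 10:30:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140117103001':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2014-01-10 10:30:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140117103002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa03.example.com,O=EXAMPLE.COM
\texpires: 2014-02-05 10:30:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    entries = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue  # header lines before the first request
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def audit(entries, now, window_days=RENEWAL_WINDOW_DAYS):
    """Return (request_id, subject, [problems]) for every unhealthy request."""
    findings = []
    for e in entries:
        problems = []
        status = e.get("status", "")
        if status != "MONITORING":
            problems.append("status " + status)
        if e.get("stuck") == "yes":
            problems.append("stuck")
        expires = e.get("expires")
        if expires:
            days = (parse_expiry(expires) - now).days
            if days < 0:
                problems.append("expired %d days ago" % -days)
            elif days <= window_days:
                problems.append("expires in %d days" % days)
        if problems:
            findings.append((e["request_id"], e.get("subject", "?"), problems))
    return findings


def audit_text(text, now=None):
    return audit(parse_getcert_list(text), now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # Pipe real output in: getcert list | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    now = datetime(2014, 1, 20, tzinfo=timezone.utc) if text is SAMPLE_GETCERT_LIST else None
    for request_id, subject, problems in audit_text(text, now):
        print("%s %s: %s" % (request_id, subject, ", ".join(problems)))
```

Running it against the constructed sample with "now" fixed at 2014-01-20 flags the NEED_GUIDANCE/stuck PKI subsystem request whose certificate expired ten days earlier, and the ipa03 HTTP certificate that is still MONITORING but falls inside the 28-day window; the 2016 certificate is silent.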

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users