On 01/31/2014 10:00 AM, Sigbjorn Lie wrote:
> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> This worked better than expected. Thank you! :)
>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays any certificates out of date, and all certificates in need of renewal within 28 days have been renewed. The webui also started working again and things seem to be back to normal.
>>>
>>> ipa03 however is still having issues. I could not renew any certificates on this server to begin with, but I managed to renew the certificates for the directory servers by changing the xmlrpc url to another ipa server in /etc/ipa/default.conf and resubmitting these requests.
>>>
>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with NEED_GUIDANCE after a short while for the certificates for the PKI service. /var/log/messages says: "certmonger: #033[?1034h28800" and "python: Updated certificate for ipaCert not available".
>>>
>>> There is a lot of information in /var/log/pki-ca/debug, but nothing that I can easily distinguish as an error from all the other output. Anything in particular I should look for?
>> Ok, so this is a bug in IPA related to python readline. Garbage is getting inserted and causing bad things to happen, https://fedorahosted.org/freeipa/ticket/4064
>>
>> So the question is, are the certs available or not.
>>
>> A number of the same certificates are shared amongst all the CAs. One does the renewal and stuffs the result into cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that location for an updated cert and will load them if they are updated.
>>
>> Look to see if the certs are updated there. Given that you have 2 working masters I'm assuming that is the case, so it may just be a matter of fixing the python.
> I could not get anywhere even after manually patching the python script as mentioned in the ticket you provided.
>
> I ended up removing and re-adding the replica during a maintenance window. For future reference, what I did was to remove the replica as per the Identity Management Guide on docs.redhat.com. I then re-created the replica installation file and installed the replica.
>
> At this point Certmonger managed to retrieve new certificates for the expired certificates, but it kept segfaulting when it attempted to save the certificate to disk. I restarted certmonger a few times, but certmonger just ended up segfaulting over and over. I decided to block the ipa server off the network and change the date back to before the certs expired. After the date was changed I restarted certmonger. Certmonger managed to save the certs successfully this time and a "getcert list" now displays only certificates with an expire date of 2015 or 2016 and a status of
> I changed the date back to the correct date and time and removed the iptables rules. The replica now works just fine.
>
> Thank you for your assistance.

Can you give us some core dumps from certmonger to see why it is crashing? We would like to fix crash bugs if we see them.

> Regards,
> Siggi
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
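The thread turns on reading "getcert list" correctly: which requests are MONITORING, which are stuck in NEED_GUIDANCE or CA_UNREACHABLE, and which certificates are already expired or inside certmonger's 28-day renewal window. The script below is an added example written for this page; it is not code from the thread, from certmonger or from FreeIPA. It parses the text format certmonger prints and triages each request against a reference time. The embedded sample output is constructed: the request IDs, hostnames, NSS database paths, nicknames, CA names and dates are invented, and the 28-day figure is certmonger's default renewal lead time. In practice you would feed it real "getcert list" output, take the nicknames it flags, and then compare them against what is stored under cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX on a working master, as Rob suggests above.

```python
import re
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=28)   # certmonger's default lead time before expiry
HEALTHY_STATE = "MONITORING"

# Constructed sample resembling `getcert list` output. Request IDs, hosts,
# paths, nicknames, CA names and dates are invented (not from the thread).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130131100001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa03.example.com,O=EXAMPLE.COM
\texpires: 2016-01-20 10:00:01 UTC
Request ID '20130131100002':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2014-02-10 09:12:44 UTC
Request ID '20130131100003':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2014-01-10 08:00:00 UTC
"""


def parse_getcert_list(text):
    """Turn `getcert list` text into a list of dicts, one per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            # Fields are "\tkey: value"; values may themselves contain ':'.
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return requests


def nickname(request):
    """Pull the NSS nickname out of the 'certificate:' field, if present."""
    m = re.search(r"nickname='([^']*)'", request.get("certificate", ""))
    return m.group(1) if m else "?"


def triage(requests, now):
    """Map request ID -> list of problems, judged against the datetime `now`."""
    findings = {}
    for r in requests:
        problems = []
        status = r.get("status", "?")
        if status != HEALTHY_STATE:
            stuck = " (stuck)" if r.get("stuck") == "yes" else ""
            problems.append("status %s%s" % (status, stuck))
        if "expires" in r:
            expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if expires <= now:
                problems.append("expired %d days ago" % (now - expires).days)
            elif expires - now <= RENEWAL_WINDOW:
                problems.append("expires in %d days (inside the %d-day renewal window)"
                                % ((expires - now).days, RENEWAL_WINDOW.days))
        if problems:
            findings[r["request_id"]] = problems
    return findings


def report(text, now):
    """One line per problem: request ID, nickname, problem description."""
    lines = []
    for r in parse_getcert_list(text):
        for p in triage([r], now).get(r["request_id"], []):
            lines.append("%s %-30s %s" % (r["request_id"], nickname(r), p))
    return "\n".join(lines)


if __name__ == "__main__":
    # Against real output use datetime.utcnow(); the fixed date keeps the
    # constructed sample reproducible.
    print(report(SAMPLE_GETCERT_LIST, datetime(2014, 1, 31, 10, 0, 0)))
```

Run it as `getcert list | python triage.py` after swapping the sample for `sys.stdin.read()` and the fixed date for `datetime.utcnow()`. A request in MONITORING with an expiry well outside the window produces no line; a stuck NEED_GUIDANCE request whose certificate is inside the window, like ipaCert in the thread, is reported twice, once for state and once for expiry, which is the combination that warrants looking at cn=ca_renewal rather than simply resubmitting.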
