On 01/31/2014 10:00 AM, Sigbjorn Lie wrote:
> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> This worked better than expected. Thank you! :)
>>>
>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays any certificates out of date, and all certificates in need of renewal within 28 days have been renewed. The webui also started working again and things seem to be back to normal.
>>>
>>> ipa03 however is still having issues. I could not renew any certificates on this server to begin with, but I managed to renew the certificates for the directory servers by changing the xmlrpc url to another ipa server in /etc/ipa/default.conf and resubmitting these.
>>>
>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with NEED_GUIDANCE after a short while for the certificates for the PKI service. /var/log/messages says: "certmonger: #033[?1034h28800" and "python: Updated certificate for ipaCert not available".
>>>
>>> There is a lot of information in the /var/log/pki-ca/debug, but nothing that I can easily distinguish as an error from all the other output. Anything in particular I should look for?
>> Ok, so this is a bug in IPA related to python readline. Garbage is getting inserted and causing bad things to happen.
>>
>> So the question is, are the certs available or not.
>>
>> A number of the same certificates are shared amongst all the CAs. One does the renewal and stuffs the result into cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that location for an updated cert and will load them if they are
>>
>> Look to see if the certs are updated there. Given that you have 2 working masters I'm assuming that is the case, so it may just be a matter of fixing the python.
> I could not get anywhere even after manually patching the python script as mentioned in the ticket you provided.
>
> I ended up removing and re-adding the replica during a maintenance window. For future reference, what I did was to remove the replica as per the Identity Management Guide on docs.redhat.com. I then re-created the replica installation file and installed the replica.
>
> At this point Certmonger managed to retrieve new certificates for the expired certificates, but it kept segfaulting when it attempted to save the certificate to disk. I restarted certmonger a few times, but certmonger just ended up segfaulting over and over. I decided to block the ipa server off the network and change the date back to before the certs expired. After the date was changed I restarted certmonger. Certmonger managed to save the certs successfully this time and a "getcert list" now displays only certificates with an expire date of 2015 or 2016 and a status of
>
> I changed the date back to the correct date and time and removed the iptables rules. The replica now works just fine.
>
> Thank you for your assistance.
Can you give us some core dumps from certmonger to see why it is crashing?
We would like to fix crash bugs if we them.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
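As an added example (it is not from this thread and not part of FreeIPA or certmonger), here is a small Python script that reads `getcert list` output and flags the conditions the thread turns on: requests whose status is anything other than MONITORING (such as NEED_GUIDANCE), requests certmonger marks as stuck, certificates already past their expiry date, and certificates inside the 28-day renewal window. The embedded sample listing is constructed: the request IDs, nicknames, subjects and dates are made up, and the field layout is assumed to be the tab-indented `key: value` format that `getcert list` prints. It would not have fixed the readline bug, but it shows at a glance which tracked certificates on a master still need attention.

```python
#!/usr/bin/env python3
"""Audit `getcert list` output for expired, soon-to-expire or stuck requests.
Added example, not part of the original thread or of FreeIPA/certmonger.
Usage with a real listing:  getcert list | python3 getcert_audit.py -
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# certmonger starts renewing IPA-tracked certificates 28 days before expiry,
# the window the thread refers to.
RENEWAL_WINDOW = timedelta(days=28)

# Reference time for auditing the constructed sample (the date of the thread's
# last message); a real run uses the current UTC time instead.
AS_OF = datetime(2014, 1, 31, 10, 0, tzinfo=timezone.utc)

# Constructed sample of `getcert list` output: IDs, nicknames, subjects and
# dates are invented, and the layout assumes getcert's key: value format.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140117000001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa03.example.com,O=EXAMPLE.COM
\texpires: 2016-01-15 10:00:00 UTC
Request ID '20140117000002':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2014-02-05 10:00:00 UTC
Request ID '20140117000003':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2014-01-20 10:00:00 UTC
"""


def parse_getcert_list(text):
    """Split getcert list output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or text before the first request
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; None if unparsable."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def nickname_of(request):
    """Pull the NSS nickname out of the 'certificate:' storage descriptor."""
    match = re.search(r"nickname='([^']*)'", request.get("certificate", ""))
    return match.group(1) if match else request["id"]


def audit(text, now=AS_OF):
    """Return the tracked requests that need attention, with the reasons why."""
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        status = req.get("status", "")
        if status != "MONITORING":
            problems.append("status " + status)  # e.g. NEED_GUIDANCE, CA_UNREACHABLE
        if req.get("stuck") == "yes":
            problems.append("stuck")
        expires = parse_expiry(req.get("expires", ""))
        if expires is not None:
            remaining = expires - now
            if remaining <= timedelta(0):
                problems.append("expired")
            elif remaining <= RENEWAL_WINDOW:
                problems.append("renewal due (%d days left)" % remaining.days)
        if problems:
            findings.append({"id": req["id"], "nickname": nickname_of(req), "problems": problems})
    return findings


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE_GETCERT_LIST, AS_OF
    findings = audit(text, now)
    for item in findings:
        print("%s (%s): %s" % (item["nickname"], item["id"], ", ".join(item["problems"])))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments it audits the constructed sample and reports the NEED_GUIDANCE request and the already-expired ipaCert; piped a real listing with `-` it exits non-zero whenever anything needs attention, which makes it usable from a cron job or a monitoring check on each master.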
Freeipa-users mailing list