Sure thing! I'll send them to you in private.
Dmitri Pal <d...@redhat.com> wrote:
>On 01/31/2014 10:00 AM, Sigbjorn Lie wrote:
>> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> This worked better than expected. Thank you! :)
>>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays any certificates out
>>>> of date, and all certificates in need of renewal within 28 days have been renewed. The webui also
>>>> started working again and things seem to be back to normal.
>>>> ipa03 however is still having issues. I could not renew any certificates on this server to begin
>>>> with, but I managed to renew the certificates for the directory servers by changing the xmlrpc
>>>> url to another ipa server in /etc/ipa/default.conf and resubmitting
>>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails
>>>> NEED_GUIDANCE after a short while for the certificates for the PKI
>>>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>>>> Updated certificate for ipaCert not available".
>>>> There is a lot of information in the /var/log/pki-ca/debug, but
>>>> that I can easily distinguish as an error from all the other output. Anything in particular I
>>>> should look for?
>>> Ok, so this is a bug in IPA related to python readline. Garbage is
>>> getting inserted and causing bad things to happen,
>>> So the question is, are the certs available or not.
>>> A number of the same certificates are shared amongst all the CAs.
>>> does the renewal and stuffs the result into cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs
>>> refer to that location for an updated cert and will load them if they are updated.
>>> Look to see if the certs are updated there. Given that you have 2
>>> working masters I'm assuming that is the case, so it may just be a matter of fixing the python.
>> I could not get anywhere even after manually patching the python script as mentioned in the ticket
>> you provided.
>> I ended up removing and re-adding the replica during a maintenance window. For future reference,
>> what I did was to remove the replica as per the Identity Management Guide on docs.redhat.com. I
>> then re-created the replica installation file and installed the
>> At this point Certmonger managed to retrieve new certificates for the expired certificates, but it
>> kept segfaulting when it attempted to save the certificate to disk. I restarted certmonger a few
>> times, but certmonger just ended up segfaulting over and over. I decided to block the ipa server
>> off the network and change the date back to before the certs expired. After the date was changed I
>> restarted certmonger. Certmonger managed to save the certs successfully this time and a "getcert
>> list" now displays only certificates with an expire date of 2015 or 2016 and a status of
>> I changed the date back to correct date and time and removed the iptables rules. The replica now
>> works just fine.
>> Thank you for your assistance.
>Can you give us some core dumps from certmonger to see why it is
>We would like to fix crash bugs if we them.
>> Freeipa-users mailing list
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
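
An added example, not part of the thread and not FreeIPA or certmonger code: a Python check over "getcert list" output that flags tracked requests whose status is not MONITORING or whose certificate is expired or expires within the 28 days mentioned in the thread. The sample output is constructed, and the field layout (Request ID, status:, expires:) is an assumption about what the installed certmonger prints.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout "getcert list" is assumed to print;
# request IDs and dates are made up for illustration.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140101000001':
\tstatus: MONITORING
\texpires: 2016-01-20 10:00:00 UTC
Request ID '20140101000002':
\tstatus: NEED_GUIDANCE
\texpires: 2014-01-10 10:00:00 UTC
Request ID '20140101000003':
\tstatus: MONITORING
\texpires: 2014-02-20 10:00:00 UTC
"""

def parse_requests(text):
    """Return one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def audit(text, now, window_days=28):
    """Return (request id, reason) pairs for requests needing attention."""
    findings = []
    for req in parse_requests(text):
        status = req.get("status", "unknown")
        if status != "MONITORING":
            findings.append((req["id"], "status " + status))
        if "expires" not in req:  # no certificate issued yet
            continue
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append((req["id"], "expired"))
        elif expires - now <= timedelta(days=window_days):
            findings.append((req["id"], "expires within %d days" % window_days))
    return findings

if __name__ == "__main__":
    for req_id, reason in audit(SAMPLE, datetime(2014, 1, 31, tzinfo=timezone.utc)):
        print(req_id, reason)
```

Run on each replica with the real "getcert list" output in place of SAMPLE, a replica that failed to pick up renewed certificates shows up as a non-MONITORING status or an expired entry.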