Ott, Dennis wrote:
> No services are currently running on the replica (and I am hesitant to start
> them), but my recollection is that I did the replica server installation with
> the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and
> /etc/pki-ca/ directories in place on the replica.
> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but then,
> the service is down. The master also gave this status, even with the service
> running, until I followed the cert renewal procedure.)
> So, with the replica running a CA, should I follow the same procedure that I
> used on the master? Anything else to look out for?
No, the procedure is slightly different on the replica.
You need to start by ensuring that certmonger has a CA type for renewal:
# getcert list-cas
Look for ca_renewal
Check the CA subsystem certs to see how they are configured.
The CA should be dogtag-ipa-retrieve-agent-submit for "auditSigningCert
cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
cert-pki-ca" and a pre-save command of stop_pkicad and a post-save a
The agent cert, ipaCert, should be using
"dogtag-ipa-retrieve-agent-submit", a blank pre-save command and a
post-save command of restart_httpd.
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Monday, August 25, 2014 6:37 PM
> To: Ott, Dennis; email@example.com
> Subject: Re: [Freeipa-users] Cert Renewal
> Ott, Dennis wrote:
>> I have an IPA setup, one master, one replica; originally installed as
>> v 2.x and later updated to v 3.0. For whatever reasons, the certs did
>> not automatically renew and the services would no longer start. I
>> updated the certs manually on the master using the procedure shown at:
>> The master is now functioning properly.
>> At this point, the IPA service is still stopped on the replica. I
>> hesitate to start it for concern it could interfere with the
>> now-working master.
>> What would be the recommended method for returning the replica to service?
> It depends on the replica. Does it also run a CA? If not then you can
> try restarting the certmonger service. This should cause it to fetch new
> certificates for the other IPA servers. ipa-getcert list will show you the
> status, wait until they are all MONITORING.
> Once that works then you can safely restart the world. Any changes on the
> master will be replicated out, and vice versa.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
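The checks Rob lists above (a certmonger CA of the right type, then the CA, pre-save and post-save command of the four CA-related certs), as an added example that is not code from this thread or from FreeIPA: a Python script that parses saved output of `getcert list-cas` and `getcert list` and reports where a CA-running replica differs from the description. The expected CA name and commands are taken from the reply; the two SAMPLE strings are constructed, not captured from a real replica; the post-save command of the three CA subsystem certs is not checked because the reply is cut off before naming it.

```python
"""Check certmonger tracking on a FreeIPA replica that runs a CA. Added example,
not code from the thread or from FreeIPA; expected values come from the reply."""
import os
import re
import sys

REPLICA_CA = "dogtag-ipa-retrieve-agent-submit"

# Per nickname: (CA, pre-save program, post-save program). "" means the command
# must be blank; None means not checked (the reply is cut off before naming it).
EXPECTED = {
    "auditSigningCert cert-pki-ca": (REPLICA_CA, "stop_pkicad", None),
    "ocspSigningCert cert-pki-ca": (REPLICA_CA, "stop_pkicad", None),
    "subsystemCert cert-pki-ca": (REPLICA_CA, "stop_pkicad", None),
    "ipaCert": (REPLICA_CA, "", "restart_httpd"),
}


def parse_list_cas(text):
    """Names of the CAs certmonger knows, from `getcert list-cas` output."""
    return set(re.findall(r"^CA '([^']+)':", text, re.MULTILINE))


def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    for req in requests:
        m = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        req["nickname"] = m.group(1) if m else None  # NSS nickname of the cert
    return requests


def _program(cmd):
    # Compare by program name so the install prefix (/usr/lib64/ipa/...) is ignored.
    return os.path.basename(cmd.split()[0]) if cmd.strip() else ""


def check_replica_tracking(list_cas_text, list_text):
    """Return a list of problems; empty means the replica matches the description."""
    problems = []
    if REPLICA_CA not in parse_list_cas(list_cas_text):
        problems.append(f"certmonger has no CA named {REPLICA_CA!r}")
    seen = set()
    for req in parse_getcert_list(list_text):
        nick = req.get("nickname")
        if nick not in EXPECTED:
            continue
        seen.add(nick)
        want_ca, want_pre, want_post = EXPECTED[nick]
        if req.get("CA") != want_ca:
            problems.append(f"{nick}: CA is {req.get('CA')!r}, want {want_ca!r}")
        pre = _program(req.get("pre-save command", ""))
        if pre != want_pre:
            problems.append(f"{nick}: pre-save is {pre!r}, want {want_pre!r}")
        post = _program(req.get("post-save command", ""))
        if want_post is not None and post != want_post:
            problems.append(f"{nick}: post-save is {post!r}, want {want_post!r}")
        if req.get("status") != "MONITORING":
            problems.append(f"{nick}: status is {req.get('status')}, wait for MONITORING")
    problems += [f"{n}: not tracked by certmonger" for n in EXPECTED if n not in seen]
    return problems


# Constructed samples (not captured from a real replica): the audit cert still has
# the master-style CA and cannot reach it, subsystemCert is not tracked at all.
SAMPLE_LIST_CAS = """\
CA 'dogtag-ipa-renew-agent':
CA 'dogtag-ipa-retrieve-agent-submit':
"""
SAMPLE_LIST = """\
Request ID '20140825000001':
  status: CA_UNREACHABLE
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
Request ID '20140825000002':
  status: MONITORING
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-retrieve-agent-submit
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
Request ID '20140825000003':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-retrieve-agent-submit
  pre-save command:
  post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

if __name__ == "__main__":  # usage: check_replica_certs.py [list-cas.txt list.txt]
    if len(sys.argv) == 3:
        texts = [open(p).read() for p in sys.argv[1:3]]
    else:
        texts = [SAMPLE_LIST_CAS, SAMPLE_LIST]
    found = check_replica_tracking(*texts)
    print("\n".join(found) or "all four CA-related certs look as described")
    sys.exit(1 if found else 0)
```

On the replica, save `getcert list-cas` and `getcert list` to two files and pass both paths; without arguments the script checks the built-in samples and exits non-zero because of the mis-tracked audit cert and the missing subsystemCert entry. Commands are compared by program name only, so the check does not depend on where the certmonger helpers are installed.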