Ott, Dennis wrote: > No services are currently running on the replica (and I am hesitant to start > them) but, my recollection is that I did the replica server installation with > the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and > /etc/pki-ca/ directories in place on the replica. > > ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but then, > the service is down. The master also gave this status, even with the service > running, until I followed the cert renewal procedure.) > > So, with the replica running a CA, should I follow the same procedure that I > used on the master? Anything else to look out for?
No, the procedure is slightly different on the replica. You need to start by ensuring that certmonger has a CA type for renewal: # getcert list-cas Look for ca_renewal Check the CA subsystem certs to see how they are configured. The CA should be dogtag-ipa-retrieve-agent-submit for "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca" and a pre-save command of stop_pkicad and a post-save a restart_pkicad PKI-IPA The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", a blank pre-save command and a post-save command of restart_httpd. rob > > Thanks. > > Dennis > > > -----Original Message----- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Monday, August 25, 2014 6:37 PM > To: Ott, Dennis; email@example.com > Subject: Re: [Freeipa-users] Cert Renewal > > Ott, Dennis wrote: >> I have an IPA setup, one master, one replica; originally installed as >> v 2.x and later updated to v 3.0. For whatever reasons, the certs did >> not automatically renew and the services would no longer start. I >> updated the certs manually on the master using the procedure shown at: >> >> >> >> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal >> >> >> >> The master is now functioning properly. >> >> >> >> >> >> At this point, the IPA service is still stopped on the replica. I >> hesitate to start it for concern it could interfere with the >> now-working master. >> >> >> >> What would be the recommended method for returning the replica to service? > > It depends on whether the replica. Does it also run a CA? If not then you can > try restarting the certmonger service. This should cause it to fetch new > certificates for the other IPA servers. ipa-getcert list will show you the > status, wait until they are all MONITORING. > > Once that works then you can safely restart the world. Any changes on the > master will be replicated out, and vice versa. > > rob > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project