Ott, Dennis wrote:
> I may need a little more direction here.
> 
> The output from getcert list-cas does not contain the string 'ca_renewal'. 
> 
> What does this indicate?

I don't have a 2 -> 3 updated server handy so I'm going on best guesses
from reading the code.  It is probably ok. You really just need to be
sure to have a CA that has a submit script of:
dogtag-ipa-retrieve-agent-submit and one for dogtag-ipa-renew-agent

What is the output from list-cas?

The way that CA renewal works is this:

- One CA, the first install by default, is marked as the CA renewal
master. The only thing that distinguishes this master is the way the
renewal scripts are configured. This CA does the actual renewal of the
certificates and pushes the resulting public certs into a shared space
in the IPA LDAP tree
- The other CAs monitor this area, via those two dogtag-ipa-* scripts,
and fetch and install updated certificates when one is available.

When a cert is in CA_WORKING state it means that an update should be
available but isn't in the shared tree, so certmonger will try again in
a few hours.

Assuming that certmonger is configured properly then it should just be a
matter of getting the right certs added to the LDAP tree.

rob

> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: Tuesday, August 26, 2014 3:53 PM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
> 
> Ott, Dennis wrote:
>> No services are currently running on the replica (and I am hesitant to start 
>> them) but, my recollection is that I did the replica server installation 
>> with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ 
>> and /etc/pki-ca/ directories in place on the replica.
>>
>> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but 
>> then, the service is down. The master also gave this status, even with 
>> the service running, until I followed the cert renewal procedure.)
>>
>> So, with the replica running a CA, should I follow the same procedure that I 
>> used on the master? Anything else to look out for?
> 
> No, the procedure is slightly different on the replica.
> 
> You need to start by ensuring that certmonger has a CA type for renewal:
> 
> # getcert list-cas
> 
> Look for ca_renewal
> 
> Check the CA subsystem certs to see how they are configured.
> 
> The CA should be dogtag-ipa-retrieve-agent-submit for "auditSigningCert 
> cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca" 
> and a pre-save command of stop_pkicad and a post-save a restart_pkicad PKI-IPA
> 
> The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", 
> a blank pre-save command and a post-save command of restart_httpd.
> 
> rob
> 
> 
>>
> 
>> Thanks.
>>
>> Dennis
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Monday, August 25, 2014 6:37 PM
>> To: Ott, Dennis; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Cert Renewal
>>
>> Ott, Dennis wrote:
>>> I have an IPA setup, one master, one replica; originally installed as 
>>> v 2.x and later  updated to v 3.0. For whatever reasons, the certs 
>>> did not automatically renew and the services would no longer start. I 
>>> updated the certs manually on the master using the procedure shown at:
>>>
>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> The master is now functioning properly.
>>>
>>> At this point, the IPA service is still stopped on the replica. I 
>>> hesitate to start it for concern it could interfere with the 
>>> now-working master.
>>>
>>> What would be the recommended method for returning the replica to service?
>>
>> It depends on the replica. Does it also run a CA? If not then you 
>> can try restarting the certmonger service. This should cause it to fetch new 
>> certificates for the other IPA servers. ipa-getcert list will show you the 
>> status, wait until they are all MONITORING.
>>
>> Once that works then you can safely restart the world. Any changes on the 
>> master will be replicated out, and vice versa.
>>
>> rob
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
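The check Rob describes (the CA type and the pre/post-save commands of each tracked cert on a replica CA), as an added example that is not part of the thread: a shell script that parses `getcert list` output. The sample output is constructed, the /usr/lib64/ipa/certmonger directory is an assumption, and commands are compared by basename only.

```shell
# Constructed sample of `getcert list` output on a replica CA (not a real capture;
# fields not checked below are omitted). Audit and agent certs match Rob's description,
# the OCSP cert has been left on the wrong CA.
sample_getcert_list() {
cat <<'EOF'
Request ID '20140826000001':
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "PKI-IPA"
Request ID '20140826000002':
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "PKI-IPA"
Request ID '20140826000003':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
EOF
}

# Read `getcert list` on stdin; for each tracked cert compare CA and pre/post-save
# commands (basename only) with the replica-CA expectations. One OK/MISMATCH/SKIP line each.
check_renewal_config() {
    awk -v q="'" '
    function want(n, c, pre, post) { CA[n] = c; PRE[n] = pre; POST[n] = post }
    function clean(s, d) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); if (d) sub(/^.*\//, "", s); return s }
    function report() { if (nick == "") return
        if (!(nick in CA)) printf "SKIP %s\n", nick
        else if (ca != CA[nick]) printf "MISMATCH %s: CA is %s, want %s\n", nick, ca, CA[nick]
        else if (clean(pre, 1) != PRE[nick]) printf "MISMATCH %s: pre-save is %s, want %s\n", nick, clean(pre, 1), PRE[nick]
        else if (clean(post, 1) != POST[nick]) printf "MISMATCH %s: post-save is %s, want %s\n", nick, clean(post, 1), POST[nick]
        else printf "OK %s\n", nick
        nick = ca = pre = post = ""
    }
    BEGIN {
        n = split("auditSigningCert cert-pki-ca|ocspSigningCert cert-pki-ca|subsystemCert cert-pki-ca", sub_certs, "|")
        for (i = 1; i <= n; i++) want(sub_certs[i], "dogtag-ipa-retrieve-agent-submit", "stop_pkicad", "restart_pkicad \"PKI-IPA\"")
        want("ipaCert", "dogtag-ipa-retrieve-agent-submit", "", "restart_httpd")
    }
    /^Request ID/ { report() }
    { line = clean($0, 0) }
    line ~ /^certificate:/ && match(line, "nickname=" q "[^" q "]*" q) { nick = substr(line, RSTART + 10, RLENGTH - 11) }
    line ~ /^CA:/ { ca = clean(substr(line, 4), 0) }
    line ~ /^pre-save command:/ { pre = clean(substr(line, 18), 0) }
    line ~ /^post-save command:/ { post = clean(substr(line, 19), 0) }
    END { report() }'
}

sample_getcert_list | check_renewal_config   # demo; on a replica: getcert list | check_renewal_config
```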