West, Jani wrote:
> Hi,
> 
> Validity, status and serials seems to be fine. One interesting pick:
> While the installation is not too old it might be installed initially
> with FreeIpa 2.x That's why i have to use ldap port 7389 instead of 398.
> 
> # getcert list |grep expires
>     expires: 2016-11-21 13:40:41 UTC
>     expires: 2016-11-21 13:40:44 UTC
>     expires: 2016-11-21 13:40:41 UTC
>     expires: 2016-10-30 09:08:12 UTC
>     expires: 2016-10-30 09:07:12 UTC
>     expires: 2016-10-30 09:07:12 UTC
>     expires: 2016-10-30 09:07:12 UTC
>     expires: 2016-10-30 09:07:12 UTC
> # getcert list -d /etc/httpd/alias -n ipaCert |egrep  -i '(status|expires)'
>     status: MONITORING
>     expires: 2016-10-30 09:07:12 UTC
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>         Serial Number: 31 (0x1f)
> # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca
> description
> # extended LDIF
> #
> # LDAPv3
> # base <uid=ipara,ou=People,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: description
> #
> 
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> 

I suspect you are bootstrapping the replica with expired certs. After
the failed install the certs probably still exist on the replica in
/var/lib/pki-ca/alias. Check the dates.

I think you needsto refresh /root/cacerts.p12 on the master you are
preparing the replica on. In newer IPA we regenerate this on-the-fly but
it isn't in 3.0. Use PKCS12Export to do this.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to