West, Jani wrote:
> Hi,
>
> Validity, status and serials seem to be fine. One interesting pick:
> While the installation is not too old, it might have been installed initially
> with FreeIpa 2.x. That's why I have to use ldap port 7389 instead of 398.
>
> # getcert list |grep expires
> expires: 2016-11-21 13:40:41 UTC
> expires: 2016-11-21 13:40:44 UTC
> expires: 2016-11-21 13:40:41 UTC
> expires: 2016-10-30 09:08:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
>
> # getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)'
> status: MONITORING
> expires: 2016-10-30 09:07:12 UTC
>
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
> Serial Number: 31 (0x1f)
>
> # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description
> # extended LDIF
> #
> # LDAPv3
> # base <uid=ipara,ou=People,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: description
> #
>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
I suspect you are bootstrapping the replica with expired certs. After the failed install the certs probably still exist on the replica in /var/lib/pki-ca/alias. Check the dates.

I think you need to refresh /root/cacerts.p12 on the master you are preparing the replica on. In newer IPA we regenerate this on-the-fly but it isn't in 3.0. Use PKCS12Export to do this.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
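The two checks Rob asks for, expiry dates on certmonger-tracked certs and the Not After date of a cert in an NSS database such as /var/lib/pki-ca/alias, as an added example that is not part of the thread and not FreeIPA's own tooling. It only uses the `getcert list` and `certutil -L -d ... -n ...` invocations that already appear above. The sample `getcert list` output is constructed for offline runs; the request IDs, the `Server-Cert` nickname and the `/etc/dirsrv/slapd-WESTI` path are assumptions. Expiry is compared against a reference time you pass in, so you can ask "what was already expired when the replica was prepared" rather than only "what is expired now".

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: report which
# certmonger-tracked certificates have expired relative to a reference time,
# and show the Not After date of one certificate in an NSS database.

# Constructed stand-in for `getcert list` output (real output has more
# fields and indents with a tab; the parser only looks at the field names).
# Request IDs, the dirsrv path and the Server-Cert nickname are assumptions.
sample_getcert_output() {
  cat <<'EOF'
Request ID '20120101000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
    expires: 2016-10-30 09:07:12 UTC
Request ID '20120101000002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-WESTI',nickname='Server-Cert'
    expires: 2016-11-21 13:40:41 UTC
EOF
}

# Read getcert-style output on stdin and print "nickname<TAB>expiry" for
# every certificate whose expiry is earlier than the reference time in $1
# ("YYYY-MM-DD HH:MM:SS", UTC). getcert prints expiry in the same fixed-width
# form, so a plain string comparison orders timestamps correctly and nothing
# depends on GNU date being available.
expired_certs() {
  awk -v ref="$1" '
    /^Request ID/ { nick = "(no nickname)" }
    /nickname=/   { n = $0; sub(/.*nickname=\047/, "", n); sub(/\047.*/, "", n); nick = n }
    /expires:/    { when = $2 " " $3; if (when < ref) print nick "\t" when }
  '
}

# Number of expired certificates in the constructed sample at reference time $1.
count_expired_in_sample() {
  sample_getcert_output | expired_certs "$1" | wc -l | tr -d ' '
}

# Print the Not After line of nickname $2 in NSS database $1, e.g.
#   nssdb_not_after /var/lib/pki-ca/alias ipaCert
# on a half-installed replica. Requires certutil; not exercised by the
# sample run below.
nssdb_not_after() {
  command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
  certutil -L -d "$1" -n "$2" | grep 'Not After'
}

# Stand-alone run against the sample: pretend the replica was prepared on
# 2016-11-01, so only ipaCert (expired 2016-10-30) should be listed.
sample_getcert_output | expired_certs '2016-11-01 00:00:00'
```

Against a live server, replace `sample_getcert_output` with `getcert list` and pass the date the failed replica install was attempted; any certificate it lists would have been copied into the replica file already expired, which is the situation Rob describes.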
