Thank you for the tip,
Just created new /root/cacerts.p12. Should I import it to the CA somehow
or just restart the ipa server?
Will reset the new replicate vm to clean CentOS 7 installation without
any leftovers from ipa-replica-install.
--
-- Jani West
On 24.2.2015 17:06, Rob Crittenden wrote:
West, Jani wrote:
Hi,
Validity, status and serials seems to be fine. One interesting pick:
While the installation is not too old it might be installed initially
with FreeIpa 2.x That's why i have to use ldap port 7389 instead of
398.
# getcert list |grep expires
expires: 2016-11-21 13:40:41 UTC
expires: 2016-11-21 13:40:44 UTC
expires: 2016-11-21 13:40:41 UTC
expires: 2016-10-30 09:08:12 UTC
expires: 2016-10-30 09:07:12 UTC
expires: 2016-10-30 09:07:12 UTC
expires: 2016-10-30 09:07:12 UTC
expires: 2016-10-30 09:07:12 UTC
# getcert list -d /etc/httpd/alias -n ipaCert |egrep -i
'(status|expires)'
status: MONITORING
expires: 2016-10-30 09:07:12 UTC
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 31 (0x1f)
# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca
description
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=People,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: description
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I suspect you are bootstrapping the replica with expired certs. After
the failed install the certs probably still exist on the replica in
/var/lib/pki-ca/alias. Check the dates.
I think you needsto refresh /root/cacerts.p12 on the master you are
preparing the replica on. In newer IPA we regenerate this on-the-fly
but
it isn't in 3.0. Use PKCS12Export to do this.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
