Sina Owolabi wrote:
Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
Ok, the full output is really helpful.
First an explanation of CA subsystem renewal.
CA clones are just that, exact clones of each other, which means they
use the same subsystem certificates for OCSP, audit, etc. This also
means that at renewal time they need to be renewed on only one master
and then somehow shared with the other clones.
The initially-installed CA is designated as the renewal master by
default. It configures certmonger to renew the CA subsystem certificates
and put the new public cert into a shared area in IPA that will be
replicated to the other masters.
The non-renewal masters are configured with a special CA,
dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
updated certificate and when available, it installs it.
So the issue is that it isn't seeing this updated certificate, hence
The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
that IPA uses to talk to the CA expired on 04/29.
So the steps you need to take are:
1. Check your other CA masters and see if they have been renewed
properly (getcert list will tell you, look for expiration in 2017).
2. If they have, see if the data was pushed to LDAP
$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
See if there are certificate entries there. Check on multiple masters to
see if there is a replication issue.
If the certs are there you can try restarting certmonger to kickstart
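As an added example (not from this mail, and not FreeIPA or certmonger code), a small POSIX sh check for step 1 above: it parses `getcert list` output, flags tracked certificates that are already expired or expire before a cutoff date, and shows which certmonger CA helper tracks each one (CA: IPA on the renewal master versus CA: dogtag-ipa-retrieve-agent-submit on the other CA masters). The sample `getcert list` text is constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original mail: parse `getcert list` output and
# flag tracked certificates that are expired or about to expire, together with
# the certmonger CA helper tracking them (CA: IPA vs dogtag-ipa-retrieve-agent-submit).

# Constructed sample of `getcert list` output; field names follow certmonger's
# real layout, but the IDs, subjects and dates are made up for this example.
sample_getcert_list() {
  cat <<'EOF'
Request ID '20150101000001':
    status: MONITORING
    CA: IPA
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2015-04-29 12:00:00 UTC
Request ID '20150101000002':
    status: MONITORING
    CA: dogtag-ipa-retrieve-agent-submit
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2017-04-29 12:00:00 UTC
Request ID '20150101000003':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry.
    CA: IPA
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2015-05-10 12:00:00 UTC
EOF
}

# Usage: check_cert_expiry TODAY CUTOFF (both YYYY-MM-DD), getcert output on stdin.
# Prints one line per request: ID, CA helper, status, expiry date, verdict.
# Dates are compared lexically, which is safe for ISO YYYY-MM-DD strings.
check_cert_expiry() {
  awk -v today="$1" -v cutoff="$2" '
    function emit() {
      if (ex == "")          v = "NO-EXPIRY"
      else if (ex < today)   v = "EXPIRED"
      else if (ex <= cutoff) v = "EXPIRING"
      else                   v = "OK"
      print id, ca, st, ex, v
    }
    /^Request ID/ { if (id != "") emit(); id = $3; gsub(/[^0-9]/, "", id); ca = st = ex = "" }
    /^[ \t]*status:/  { st = $2 }
    /^[ \t]*CA:/      { ca = $2 }
    /^[ \t]*expires:/ { ex = $2 }
    END { if (id != "") emit() }'
}

# On a real master, replace sample_getcert_list with: getcert list | check_cert_expiry ...
sample_getcert_list | check_cert_expiry 2015-05-01 2015-05-31
```

Run it on each CA master and compare: a subsystem cert that shows OK with a 2017 expiry on the renewal master but EXPIRED or EXPIRING under CA: dogtag-ipa-retrieve-agent-submit elsewhere points at the cn=ca_renewal retrieval described above.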
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project