Hi Rob

This is the only CA master. The one I cloned it from was decommissioned,
reinstalled and then  made to be a replica of this server.

Looks like I'm really stuck.  How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.

On Wed, May 20, 2015, 2:32 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Sina Owolabi wrote:
> > Another key difference I noticed is that the problematic certs have
> > CA:IPA in them, while the working certs have CA:
> > dogtag-ipa-retrieve-agent-submit.
> Ok, the full output is really helpful.
> First an explanation of CA subsystem renewal.
> CA clones are just that, exact clones of each other, which means they
> use the same subsystem certificates for OCSP, audit, etc. This also
> means that at renewal time they need to be renewed on only one master
> and then somehow shared with the ohter clones.
> The initially-installed CA is designated as the renewal master by
> default. It configures certmonger to renew the CA subsytem certificates
> and put the new public cert into a shared area in IPA that will be
> replicated to the other masters.
> The non-renewal masters are configured with a special CA,
> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
> updated certificate and when available, it installs it.
> So the issue is that it isn't seeing this updated certificate, hence
> The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
> that IPA uses to talk to the CA expired on 04/29.
> So the steps you need to take are:
> 1. Check your other CA masters and see if they have been renewed
> properly (getcert list will tell you, look for expiration in 2017).
> 2. If they have, see if the data was pushed to LDAP
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
> See if there are certificate entries there. Check on multiple masters to
> see if there is a replication issue.
> If the certs are there you can try restarting certmonger to kickstart
> the request.
> rob
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to