Timothy Geier wrote:

On Feb 28, 2016, at 2:15 AM, Timothy Geier <tge...@accertify.com
<mailto:tge...@accertify.com>> wrote:

On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz <lkris...@redhat.com
<mailto:lkris...@redhat.com>> wrote:

On 02/22/2016 11:51 PM, Timothy Geier wrote:

What’s the established procedure to start a 389 instance without any
replication agreements enabled?  The only thing that seemed close on
seems risky and couldn’t be done
trivially in a production environment.
no, this is about how to get out of problems when replication could
no longer synchronize its csn time generation, either by too many
accumulated time drifts or playing with system time, hope you don't
have to go through this.

Enabling or disabling a replication agreement can be done by setting the
configuration parameter:

look for replication agreements (entries with
objectclass=nsDS5ReplicationAgreement) and set
nsds5ReplicaEnabled: off

you can do this with an ldapmodify when the server is running or by
editing /etc/dirsrv/slapd-<INSTANCE>/dse.ldif when the server is stopped

Thanks for the procedure..the good news is this worked quite well in
making sure that 389 didn’t crash immediately after startup.  The bad
news is that the certificates still didn’t renew due to

Server at "http://master_server:8080/ca/ee/ca/profileSubmit
replied: Profile caServerCert Not Found

which was the same error in getcert list I saw that one time 389
didn’t crash right away.  At least now this can be further
troubleshooted without worrying about 389.

To follow up on this issue, we haven’t been able to get any further
since last month due to the missing caServerCert profile..the
configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
and are identical.   The pki-ca package
passes rpm -V as well.   Are there any other troubleshooting steps we
can take?

Maybe Endi or Ade have some ideas why the CA isn't recognizing the profile.
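
The stopped-server variant of the procedure quoted above (setting nsds5ReplicaEnabled: off on every nsDS5ReplicationAgreement entry in dse.ldif), as an added example that is not from any poster in this thread or from the 389 DS project. The function names and the sample LDIF are constructed for illustration; the code works on LDIF text and assumes attribute values are not base64-encoded.

```python
import re

ENABLED_RE = re.compile(r"^nsds5ReplicaEnabled:", re.IGNORECASE)

# Constructed sample of a dse.ldif fragment (hypothetical hosts and suffix).
SAMPLE = r"""dn: cn=config
objectClass: top
nsslapd-port: 389

dn: cn=meTomaster2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=ma
 pping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meTomaster2.example.test
nsds5ReplicaEnabled: on
nsDS5ReplicaHost: master2.example.test
"""

def unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def attrs(lines):
    """Return (lowercased attribute name, value) pairs for one entry."""
    parts = (l.partition(":") for l in unfold(lines))
    return [(n.strip().lower(), v.strip()) for n, _, v in parts]

def disable_agreements(ldif_text):
    """Return (new LDIF text, DNs of agreements that were not already off)."""
    changed, entries = [], []
    for block in re.split(r"\n{2,}", ldif_text.strip("\n")):
        lines = block.split("\n")
        pairs = attrs(lines)
        if any(n == "objectclass" and v.lower() == "nsds5replicationagreement"
               for n, v in pairs):
            if ("nsds5replicaenabled", "off") not in [(n, v.lower()) for n, v in pairs]:
                changed.append(dict(pairs)["dn"])
            # Drop any existing setting, then write a single explicit "off".
            lines = [l for l in lines if not ENABLED_RE.match(l)]
            lines.append("nsds5ReplicaEnabled: off")
        entries.append("\n".join(lines))  # non-agreement entries stay verbatim
    return "\n\n".join(entries) + "\n", changed

if __name__ == "__main__":
    new_text, changed = disable_agreements(SAMPLE)
    print(new_text, changed, sep="\n")
```

Run it against a copy of dse.ldif and compare the result with the original before replacing the file; the list of changed DNs is what needs to be switched back to on afterwards.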

