I'm unsure if it is related to ticket 6397...

Pavel Vomacka <[email protected]> writes:
> it is caused by missing canonical name on services which were created
> in older versions of FreeIPA. Fixed ticket here:
> https://fedorahosted.org/freeipa/ticket/6397 .

Symptom: In the web UI on 4.3 on Fedora 24 I have 43 certificates, on the 4.4 replica on CentOS 7.3 (CR) I see only 16 certificates.

System history: Old master is 4.3, upgraded from 4.2. Both replicas are new with CentOS. Yesterday I moved the CA from 4.3 to a 4.4 IDM. After that I created a certificate for a new service principal. I can see the new certificate in both web UIs.

Analysis: Looking at the ipa cli tool, cert-find is consistent with the web UI:

4.3:
-----------------------------
Number of entries returned 43
-----------------------------

4.4:
--------------------------------------
Anzahl der zurückgegebenen Einträge 16
--------------------------------------

Looking at both LDAP servers, I do find the same number of entries. I looked at ou=ca,ou=requests,o=ipaca. So replication seems to work fine (and ipa-replica-manage confirms it).

Right now I have two guesses: My system is hit with
https://fedorahosted.org/freeipa/ticket/6397
I do have some certificates for services, and some for hosts. So my hope would be that updated packages might fix it.

But analysing the certificates in the web UI is futile:

- On CentOS (freeipa 4.4) the certificate list in web UI only displays serial number, subject, issuing CA (empty), and status (empty). That's not quite correct. In the certificate list I can not select a certificate and can get more details... 4.3 has only serial number, subject, and status, but with valid values. I can click on the serial number and get more details about the certificate. Since I can't see all services in 4.4 due to ticket 6397 more analysis is hard.
- Using "ipa cert-show --all" on 4.4 has more info about the certificates, but on 4.3 it doesn't show more info.

So right now I'm somewhat stuck how to proceed further. 4.3 seems to be ok, so I hesitate to update the Fedora system to 25 (with IPA 4.4). I didn't find the files from #6397 to manually apply the patch, so I'm more or less stuck.

Any ideas?

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.
