Hi, I'm having a pki-tomcat issue that started after an upgrade. My configuration has 4 servers with a CA, where servers 2, 3 and 4 are replicated from the first one. At first it didn't cause much trouble, since the whole issue came down to pki-tomcat taking about 2 minutes to start. But it seems that the problem has progressed a lot and is causing issues in multiple parts of the system.
After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first node without --ignore-service-failures.

I found that in the menu Authentication --> Certificates I have multiple certificates for the same hosts; in some cases there were up to 30 duplicates per host, and it is unclear what is generating them.

The next issue is that if I try to add a new replica with the ipa-replica-prepare utility I get an error: "Failed to generate certificate"

And the last problem I found is that I am unable to restore a backup. The ipa-restore utility is able to unpack the backup, but once I try to start FreeIPA on a new node pki-tomcat fails to start. I see this message in debug:

    ipa: DEBUG: Waiting for CA to start...
    ipa: DEBUG: Starting external process
    ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://XXXX:8443/ca/admin/ca/getStatus'
    ipa: DEBUG: Process finished, return code=8

In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:

    NSMMReplicationPlugin - process_postop: Failed to apply update (57c3cc550002000d0000) error (-1). Aborting replication session(conn=272420 op=6)

but I'm not sure if it is directly related to the problem.

In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:

    Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket

My guess was that the CA certificate had expired, so I tried to run 'ipa-cacert-manage renew', but it failed with this message:

    Resubmitting certmonger request '20151222031110' timed out, please check the request manually

I don't really know what else to try right now.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
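The symptoms above (pki-tomcat failing to open a TLS connection to the directory server on port 636 and a certmonger renewal request timing out) are the pattern a practitioner checks first by looking at the certificates certmonger tracks on each server. The script below is an added example, not part of the post or of FreeIPA itself: it parses the text output of `getcert list` and reports every tracked request whose certificate is expired or close to expiry, is marked stuck, or sits in any state other than MONITORING. The embedded sample output is constructed for the example (hypothetical realm EXAMPLE.TEST, host ipa1.example.test, dates and statuses); it reuses the request ID from the post only to show what a stuck request looks like, not to describe the poster's actual data.

```python
"""Flag certmonger-tracked certificates that are expired, stuck or not MONITORING.

Added example for triaging a FreeIPA CA that cannot reach its LDAP backend.
Usage: getcert list > certs.txt && python3 getcert_triage.py certs.txt
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output. Hosts, dates, statuses and the
# realm are hypothetical; the field layout matches what getcert prints.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20151222031110':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2016-08-01 03:11:10 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20151222031120':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2016-08-15 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20151222031130':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2018-02-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the getcert field names."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # summary header or blank line
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def _field(regex, text, default="?"):
    m = regex.search(text)
    return m.group(1) if m else default


def parse_expiry(value):
    """getcert prints 'expires: YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(text, now, warn_days=30):
    """Return (request_id, nickname, nssdb_location, problem) for every finding.

    Anything other than status MONITORING (CA_UNREACHABLE, NEED_CSR, SUBMITTING,
    ...) means a renewal has not completed; 'stuck: yes' means certmonger gave
    up on it; an expiry at or before `now` means the service holding that cert
    cannot complete TLS handshakes with its peers.
    """
    findings = []
    for req in parse_getcert_list(text):
        cert = req.get("certificate", "")
        nick, loc = _field(NICK_RE, cert), _field(LOC_RE, cert)
        problems = []
        if req.get("status", "?") != "MONITORING":
            problems.append("status %s" % req.get("status", "?"))
        if req.get("stuck", "no") == "yes":
            problems.append("stuck")
        if "expires" in req:
            exp = parse_expiry(req["expires"])
            if exp <= now:
                problems.append("expired %s" % req["expires"])
            elif exp - now <= timedelta(days=warn_days):
                problems.append("expires in %d days" % (exp - now).days)
        findings.extend((req["request_id"], nick, loc, p) for p in problems)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GETCERT_LIST
    for rid, nick, loc, problem in triage(text, datetime.now(timezone.utc)):
        print("%s  %s (%s): %s" % (rid, nick, loc, problem))
```

Run it on each of the four servers, since replicas track their own copies of the CA and directory-server certificates. In the constructed sample the first finding is the subsystemCert in /etc/pki/pki-tomcat/alias, which is the certificate pki-tomcat presents when it binds to the directory server over LDAPS; an expired copy of it, or an expired Server-Cert in the dirsrv NSS database, produces exactly the "IO Error creating JSS SSL Socket" line seen in the CA debug log. A request that is stuck or not MONITORING is the one to inspect with `getcert list -i <request-id>` before retrying any renewal.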
