On 04/14/2017 03:04 AM, Florence Blanc-Renaud wrote:
Hi Josh,

I did not try this type of setup myself, but I think the issue comes from missing root certificates. I would try to run
$ ipa-cacert-manage install <issuer B certfile>
$ ipa-certupdate
on the master. This command will install the issuer B certificate as a trusted CA on the master, thus allowing communication with services (e.g. LDAP on the replica) that use certificates delivered by issuer B.

You may find more information in the /var/log/dirsrv/slapd-DOMAINNAME/access and errors log files. You can also check if the root certificates are installed in each LDAP server's NSS DB:
$ certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
You should find issuer A and issuer B certs with CT,C,C trust flags on each machine.

HTH,
Flo.
Hello Florence,

Your explanation is correct. After

# ipa-cacert-manage install <issuer B root ca file>
# kinit admin
# ipa-certupdate

and starting the replica preparation over, the replica configuration completed with no errors.

However I noticed strange ipa-replica-manage behavior:

# ipa-replica-manage del replica_host_name
Connection to 'replica_host_name' failed: Insufficient access: Invalid credentials
Unable to delete replica 'replica_host_name'
#

Does anyone know what is missing here?

Josh.
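To make the NSS DB check from the thread mechanical, here is an added shell example (not code from the thread or from FreeIPA) that parses `certutil -L` output and confirms that each expected CA nickname carries the CT,C,C trust flags. The nicknames "Issuer A Root CA" / "Issuer B Root CA" and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: verify that every expected CA nickname in a certutil -L
# listing carries the CT,C,C trust flags (trusted CA for SSL, S/MIME, code).
# Usage: check_ca_trust "<certutil -L output>" "nickname A" "nickname B" ...
# Returns 0 when all nicknames are present with CT,C,C, 1 otherwise.
check_ca_trust() {
    listing=$1
    shift
    rc=0
    for nick in "$@"; do
        # certutil -L prints "<nickname>   <flags>"; the nickname may contain
        # spaces, so strip the trailing flag column to recover it.
        flags=$(printf '%s\n' "$listing" | awk -v n="$nick" '
            NR > 2 {                      # skip the two header lines
                f = $NF
                line = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)
                if (line == n) { print f; exit }
            }')
        if [ -z "$flags" ]; then
            echo "MISSING: $nick" >&2
            rc=1
        elif [ "$flags" != "CT,C,C" ]; then
            echo "WRONG TRUST: $nick has $flags (want CT,C,C)" >&2
            rc=1
        else
            echo "OK: $nick $flags"
        fi
    done
    return $rc
}

# Constructed sample listing in the layout certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
# prints. Here issuer B was imported but never given CA trust flags.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Issuer A Root CA                                CT,C,C
Issuer B Root CA                                ,,
Server-Cert                                     u,u,u'

# Live usage on a master or replica (nicknames are whatever certutil -L shows):
#   check_ca_trust "$(certutil -L -d /etc/dirsrv/slapd-DOMAINNAME)" \
#       "Issuer A Root CA" "Issuer B Root CA"
```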

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project