Hi,

After messing around with CERTs on one of the replicas there is a problem with replication. The topology is simple, just two hosts.

I am searching for the proper command(s) to make replication functional again. This is what I see right now (replaced actual FQDNs with host1 and host2).

On host1 and host2:

    # ipa topologysegment-find domain --all
    -----------------
    1 segment matched
    -----------------
      dn: cn=host1-to-host2,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ghs,dc=nl
      Segment name: host1-to-host2
      Left node: host1
      Right node: host2
      Connectivity: left-right
      iparepltoposegmentstatus: autogen
      objectclass: top, iparepltoposegment
    ----------------------------
    Number of entries returned 1
    ----------------------------

On host1:

    # ipa topologysuffix-verify domain
    ========================================================
    Replication topology of suffix "domain" contains errors.
    ========================================================
    ------------------------
    Topology is disconnected
    ------------------------
    Server host2 can't contact servers: host1

On host2:

    # ipa topologysuffix-verify domain
    ========================================================
    Replication topology of suffix "domain" contains errors.
    ========================================================
    ------------------------
    Topology is disconnected
    ------------------------
    Server host2 can't contact servers: host1

In other words, the same error message on both hosts.

The command to connect (as described in almost every online doc) does not work anymore.

On host2:

    # ipa-replica-manage connect host1
    Creation of IPA replication agreement is deprecated with managed IPA replication topology.
    Please use `ipa topologysegment-*` commands to manage the topology.

On host1:

    # ipa-replica-manage connect host2
    Creation of IPA replication agreement is deprecated with managed IPA replication topology.
    Please use `ipa topologysegment-*` commands to manage the topology.

OK. Try to re-initialize then.

On host1:

    # ipa topologysegment-reinitialize domain host1-to-host2 --right
    -------------------------------------------------------------------------
    Replication refresh for segment: "host1-to-host2" requested.
    -------------------------------------------------------------------------

Hmm, ok. Now what? Replication refresh is requested, but what is the result?

TL;DR

Above I mentioned that I messed around with CERTs. I wanted to use Let's Encrypt for a signed CERT on host2. It was quite a struggle to install the necessary PEMs here and there. It could very well be that I didn't follow the correct procedures, but I can only say that I searched the web forth and back for the correct commands.

So the key problem now is that host2 (with the new CERT) cannot connect to host1 (with its original self-signed CERT). How to debug this?

--
Kees

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
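As an added example (not part of the original post and not FreeIPA's own code), the script below parses the two command outputs shown in the post, `ipa topologysegment-find` and `ipa topologysuffix-verify`, and pairs each "can't contact" report with the segment that should carry that connection, so the disconnected direction is obvious rather than buried in the banner text. It also carries a helper that checks whether a peer's LDAPS certificate verifies against a given CA bundle, which is the first thing to confirm after swapping a replica's certificate: the other replica must trust the issuer of the new certificate, and a refresh request cannot fix a TLS trust failure. The sample outputs, hostnames and `/etc/ipa/ca.crt` path are constructed or assumed for the example; `check_ldaps_chain` opens a real network connection and is therefore not called automatically.

```python
import re
import socket
import ssl

# Constructed sample output, modelled on the post (hostnames are placeholders).
SEGMENT_FIND_OUTPUT = """\
-----------------
1 segment matched
-----------------
  dn: cn=host1-to-host2,cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=test
  Segment name: host1-to-host2
  Left node: host1
  Right node: host2
  Connectivity: left-right
  iparepltoposegmentstatus: autogen
  objectclass: top, iparepltoposegment
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample output of `ipa topologysuffix-verify`, as in the post.
VERIFY_OUTPUT = """\
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server host2 can't contact servers: host1
"""


def parse_segments(text):
    """Return the segments in topologysegment-find output as dicts with
    name, left, right and connectivity. A new entry starts at 'Segment name:'."""
    segments = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Segment name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            segments.append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Left node":
                current["left"] = value
            elif key == "Right node":
                current["right"] = value
            elif key == "Connectivity":
                current["connectivity"] = value
    return segments


def parse_verify(text):
    """Return {server: [peers it cannot contact]} from topologysuffix-verify
    output; an empty dict means no disconnected server was reported."""
    failures = {}
    pattern = re.compile(r"Server (\S+) can't contact servers: (.+)")
    for line in text.splitlines():
        match = pattern.search(line)
        if match:
            failures[match.group(1)] = [p.strip() for p in match.group(2).split(",")]
    return failures


def broken_segments(segments, failures):
    """Pair each reported failure with the segment joining the two nodes.
    Returns (segment name, failing node, unreachable peer) tuples; the segment
    name is None when no segment joins the pair at all, i.e. the segment itself
    is missing rather than merely not working."""
    result = []
    for server, peers in failures.items():
        for peer in peers:
            matching = [s for s in segments if {server, peer} == {s["left"], s["right"]}]
            if matching:
                result.extend((s["name"], server, peer) for s in matching)
            else:
                result.append((None, server, peer))
    return result


def check_ldaps_chain(host, cafile="/etc/ipa/ca.crt", port=636):
    """Connect to the peer's LDAPS port and verify its certificate against
    cafile (assumed path of the IPA CA bundle). Returns the verified peer
    certificate's subject, or raises ssl.SSLCertVerificationError when the
    peer's certificate does not chain to a CA in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    segs = parse_segments(SEGMENT_FIND_OUTPUT)
    for name, failing, peer in broken_segments(segs, parse_verify(VERIFY_OUTPUT)):
        where = f"segment {name}" if name else "no segment joins these nodes"
        print(f"{failing} cannot reach {peer} ({where})")
```

Run on the post's outputs this reports `host2 cannot reach host1 (segment host1-to-host2)`, which points at the host2 side of the agreement; `check_ldaps_chain("host1")` run on host2, and the reverse on host1, then tell you whether each replica actually trusts the other's certificate before any further reinitialize is attempted.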