Re: [Freeipa-users] Replica Cert failed to renew ...

2014-08-06 Thread Martin Kosek
Right, the processing route may not seem obvious. certmonger uses the server from /etc/ipa/default.conf. This server does not necessarily need to also run CA, we count with that option. When certmonger wants to renew or request a certificate, it calls cert-request API call on that server. The API

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-08-05 Thread Matt Bryant
Hmmm so question here .. our domain was originally installed as a 2.x and upgraded to 3.x .. I installed the replicas using the ipa-replica-prepare etc but the CA dirsrv instance was never copied over or started on the replicas (ie no slapd-PKI-* around) .. yet /etc/ipa/defaults.conf points

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
On 07/31/2014 07:49 AM, Matt Bryant wrote: All, Got an issue with an IPA replica in that the certs in /etc/httpd/alias /etc/dirsrv/slapd-IPA-REALM have expired. I assume that this replica does not have a CA and we are only dealing with service HTTPD and DIRSRV service certificates. Have

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
(Adding back the users list as this may be interesting for everyone) Ok, the steps suggested below should help. If the DS does not want to start at all because of the expired certificate, you can also edit /etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when dirsrv service is