On 9/9/20 9:58 AM, Stuart McRobert via FreeIPA-users wrote:
Dear flo,

there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward.

First of all, please confirm that the server is the CA renewal master:
# ipa config-show | grep "CA renewal"

Although I can kinit on other hosts this fails on what I consider to be our CA master.

    kinit sm
    kinit: Cannot contact any KDC for realm 'OUR_REALM' while getting initial credentials

and would normally work up until the expiry.

Hi,

The IPA services are probably stopped. Can you try
# ipactl start --ignore-service-failures
# ldapsearch -H ldap://`hostname` -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

This should return an entry dn which contains the name of the renewal master, for instance:
dn: cn=CA,cn=hostname.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

Warning, if the replication got broken, the result may be different on other servers. Make sure all the nodes have the same view of who is CA renewal master.

Once you identify the CA renewal master, the repair procedure needs to be applied on this node first.
flo

Now if I try from one of our clients

    kinit works

    ipa config-show | grep "CA renewal"
    ipa: ERROR: cannot connect to 'https://PRIMARY_SERVER/ipa/json': [Errno 111]
    Connection refused

which has happened since the expiry, with web services etc. being unavailable, which seems to make sense.

Attempt on one of the other freeipa servers, kinit works, but ipa command fails with:

    ipa: ERROR: cannot connect to 'https://THIS_SERVER/ipa/json':
    (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

The output should display your hostname. If that's not the case, we need more information (which host is CA renewal master, are all the certs valid on this host?)

What would you like me to gather next?  I am being cautious as I don't want the user service to fail, but worry not everything is working as it should be.

Thanks.

Best wishes

Stuart
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
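The check flo asks for above (run the ldapsearch on every master and make sure they all name the same CA renewal master) is easy to get wrong by eye once a few servers are involved. The script below is an added example, not part of the thread and not FreeIPA project code: it parses the `dn:` lines that the `ldapsearch ... -o ldif-wrap=no ... dn` command returns from each server and reports whether the servers agree. The LDIF outputs and hostnames (`ipa1.example.com` and so on) are constructed sample data; in practice you would feed in the real stdout from each server.

```python
"""Compare the CA renewal master as seen by each IPA server.

Added example (not from the thread, not FreeIPA code). Input is the
LDIF output of the ldapsearch for '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
from each server; output is whether all servers agree on one master.
"""
import re
from typing import Dict, List

# The renewal-master entry has the dn
#   cn=CA,cn=<hostname>,cn=masters,cn=ipa,cn=etc,<suffix>
# so the hostname is the second RDN. ldif-wrap=no keeps the dn on one line.
RENEWAL_DN = re.compile(
    r"^dn:\s*cn=CA,cn=(?P<host>[^,]+),cn=masters,cn=ipa,cn=etc,", re.IGNORECASE
)


def renewal_masters_from_ldif(ldif: str) -> List[str]:
    """Return every hostname whose CA entry carries caRenewalMaster in this LDIF."""
    hosts = []
    for line in ldif.splitlines():
        m = RENEWAL_DN.match(line.strip())
        if m:
            hosts.append(m.group("host").lower())
    return hosts


def check_consensus(views: Dict[str, str]) -> dict:
    """views maps 'server queried' -> raw ldapsearch output from that server.

    Returns the agreed master (None if there is no agreement), the servers
    that returned no entry (dirsrv down, or the flag never replicated),
    and the servers that returned more than one master.
    """
    per_server = {srv: renewal_masters_from_ldif(out) for srv, out in views.items()}
    empty = sorted(s for s, h in per_server.items() if not h)
    multi = sorted(s for s, h in per_server.items() if len(h) > 1)
    single = {s: h[0] for s, h in per_server.items() if len(h) == 1}
    distinct = sorted(set(single.values()))
    agreed = distinct[0] if len(distinct) == 1 and not multi else None
    return {
        "agreed_master": agreed,
        "consistent": agreed is not None and not empty and not multi,
        "no_entry": empty,
        "multiple_entries": multi,
        "per_server": per_server,
    }


# Constructed sample outputs; hostnames are placeholders, not from the thread.
SAMPLE_VIEWS = {
    "ipa1.example.com": "dn: cn=CA,cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com\n",
    "ipa2.example.com": "dn: cn=CA,cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com\n",
    # replication broke: ipa3 still believes it is itself the renewal master
    "ipa3.example.com": "dn: cn=CA,cn=ipa3.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com\n",
    # directory server down, or the flag never replicated: no entry returned
    "ipa4.example.com": "",
}

if __name__ == "__main__":
    result = check_consensus(SAMPLE_VIEWS)
    for srv, hosts in result["per_server"].items():
        print(f"{srv}: {', '.join(hosts) if hosts else '(no caRenewalMaster entry)'}")
    if result["consistent"]:
        print(f"All servers agree: renewal master is {result['agreed_master']}")
    else:
        print("WARNING: servers disagree or returned no entry; fix replication "
              "before running the renewal repair on the master")
```

The point of separating "no entry" from "different entry" is that they call for different follow-ups: an empty result usually means the directory server on that host is not running (hence the `ipactl start --ignore-service-failures` step first), while two hosts each naming a different master means replication has diverged and the repair must not be started until the nodes agree.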