On 11/10/2014 08:34 AM, Les Stott wrote:
> Hi all,
>
> I have a standard freeipa environment under rhel6.
>
> One of my replica servers, let's call it "serverB", had issues and I eventually
> rebuilt it.
>
> I rebuilt and restored data, but something wasn't right. Replication wasn't
> working. I had tried to re-initialize replication but it didn't help.
>
> The last thing I did was to ....
>
> On serverB
> ipa-server-install --uninstall
> getcert list
> # remove the cert from being tracked (as per the info shown after completion of
> ipa-server-install --uninstall)
> getcert stop-tracking -i 20131216070540
> rm /var/lib/ipa/replica-info-serverB.mydomain.com.gpg
>
> On server (the master)
> ipa host-del serverB.mydomain.com
> ipa-replica-manage del serverB.mydomain.com --force
You do not have to run host-del, "ipa-replica-manage del" should take care of
all records, AFAIK.
> cd /var/lib/ipa
> rm replica-info-serverB.mydomain.com.gpg
>
> This all appeared fine, and seemingly removes serverB completely. So, I then
> set it back up as a replica in the normal way
I am not sure I follow. What did you do exactly ("set it back up as a
replica")? Did you simply reinstall the replica with ipa-replica-install or did
you do some other step?
> ,and this worked well. Replication is working and all looks good except for
> the FreeIPA Web interface.
>
> When I try to browse to https://serverB.mydomain.com/ipa/ui/ I get "unknown
> Error" in a popup box.
>
> In the apache error log I see....
> [Mon Nov 10 02:08:37 2014] [error] SSL Library Error: -12195 Peer does not
> recognize and trust the CA that issued your certificate
>
> I am not sure what "Peer" references - serverB locally?
Peer should be the machine where you run the browser. You can check the
Server-Cert in the /etc/httpd/alias/ database to see what changed.
> My gut feel is that perhaps there were leftover remnants (possibly in ipa
> httpd config) from after the uninstall and the reinstall didn't overwrite
> them..
I did not reproduce it myself, but it can happen. We have a ticket filed for this:
https://fedorahosted.org/freeipa/ticket/4639
A workaround would be to remove all contents of this directory before replica
installation. But I would hold off on recommending that until I see what really happened.
> Can anyone shed any light on the error above?
>
> Thanks in advance,
>
> Les
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
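As an added example (not code from the thread or from the FreeIPA project), a small POSIX shell script that does the check the reply suggests: it reads the httpd Server-Cert and the IPA CA certificate from the /etc/httpd/alias NSS database with certutil and confirms the server certificate was issued by that CA (the issuer DN equals the CA subject and the Authority Key Identifier equals the CA's Subject Key ID). The CA nickname "EXAMPLE.COM IPA CA", the certutil text layout the parser expects, and the embedded sample certificate dumps are assumptions and constructed data, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: check that the httpd
# Server-Cert on a rebuilt replica was issued by the IPA CA certificate held in
# the same NSS database. Assumptions: certutil's text layout (NSS 3.x style),
# database path /etc/httpd/alias, and a placeholder CA nickname.

NSSDB="${NSSDB:-/etc/httpd/alias}"
CA_NICK="${CA_NICK:-EXAMPLE.COM IPA CA}"   # placeholder; use your realm's CA nickname

# Print the value of a top-level DN field ("Issuer" or "Subject") from
# 'certutil -L -n <nick>' text read on stdin.
cert_dn() {
    sed -n "s/^[[:space:]]*$1: \"\(.*\)\"[[:space:]]*$/\1/p" | head -n 1
}

# Print the hex key identifier listed under the extension named in $1
# ("Certificate Authority Key Identifier" or "Certificate Subject Key ID"),
# joined into one colon-separated string, from certutil text on stdin.
cert_keyid() {
    awk -v name="$1" '
        index($0, "Name: " name) { found = 1; next }
        found && /^[[:space:]]*[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])*:?[[:space:]]*$/ {
            id = id $1; collecting = 1; next
        }
        found && (collecting || /^[[:space:]]*Name: /) { exit }
        END { sub(/:$/, "", id); print id }'
}

# Succeed when the server certificate text ($1) was issued by the CA
# certificate text ($2): issuer DN must equal the CA subject DN and the
# server's Authority Key Identifier must equal the CA's Subject Key ID.
server_cert_issued_by() {
    srv_issuer=$(printf '%s\n' "$1" | cert_dn Issuer)
    ca_subject=$(printf '%s\n' "$2" | cert_dn Subject)
    srv_aki=$(printf '%s\n' "$1" | cert_keyid "Certificate Authority Key Identifier")
    ca_ski=$(printf '%s\n' "$2" | cert_keyid "Certificate Subject Key ID")
    [ -n "$srv_issuer" ] && [ "$srv_issuer" = "$ca_subject" ] || return 1
    [ -n "$srv_aki" ] && [ "$srv_aki" = "$ca_ski" ]
}

# Live check on a replica: read both certificates from the NSS database.
check_httpd_cert() {
    srv=$(certutil -L -d "$NSSDB" -n Server-Cert) || { echo "no Server-Cert in $NSSDB" >&2; return 2; }
    ca=$(certutil -L -d "$NSSDB" -n "$CA_NICK") || { echo "no '$CA_NICK' in $NSSDB" >&2; return 2; }
    if server_cert_issued_by "$srv" "$ca"; then
        echo "OK: Server-Cert in $NSSDB was issued by '$CA_NICK'"
    else
        echo "MISMATCH: Server-Cert issuer is '$(printf '%s\n' "$srv" | cert_dn Issuer)'," \
             "but its key identifier does not match '$CA_NICK': likely a leftover certificate" >&2
        return 1
    fi
}

# Constructed sample dumps in certutil's layout (not real certificates) so the
# parsing logic can be exercised without an IPA server.
SAMPLE_CA=$(cat <<'EOF'
Certificate:
    Data:
        Serial Number: 1 (0x1)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:
                01:02:03:04
            Name: Certificate Basic Constraints
EOF
)
SAMPLE_SERVER_OK=$(cat <<'EOF'
Certificate:
    Data:
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=serverb.example.com,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:
                01:02:03:04
            Name: Certificate Key Usage
EOF
)
# Same issuer DN, but signed by a different CA key (what a leftover from an
# earlier install would look like).
SAMPLE_SERVER_STALE=$(cat <<'EOF'
Certificate:
    Data:
        Serial Number: 3 (0x3)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=serverb.example.com,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:
                de:ad:be:ef
            Name: Certificate Key Usage
EOF
)

if [ "${1:-}" = "--check" ]; then
    check_httpd_cert
fi
```

Run it on the replica as `CA_NICK='REALM IPA CA' sh check_httpd_cert.sh --check` (`certutil -L -d /etc/httpd/alias` lists the nicknames present). A MISMATCH, or a Server-Cert whose issuer differs from the CA on the master, points at a leftover certificate in the database, which is the situation the reply's workaround of clearing the directory before replica installation is meant to avoid.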