Jim Richard wrote:
> I think I know what the issue is.
>
> I had 2 IPA servers, both with CA’s
>
> I dropped one and rebuilt without the CA but a bunch of clients are
> still pointing at this one server that now is without a CA.
>
> Will rebuild that one with a CA and almost sure that will fix.
I'm rather skeptical of that. Not having a CA should not result in an
ACI error. It should internally forward any cert requests to an IPA
server that does have a CA and relay the result back to the requester.

rob

>> On Nov 28, 2016, at 2:39 PM, Rob Crittenden <[email protected]> wrote:
>>
>> Jim Richard wrote:
>>> Honestly I'm not even sure if something is not working correctly :)
>>>
>>> All I know is that my httpd, access and krb5 logs are filling up all my
>>> disk space extremely quickly and I have no idea why.
>>>
>>> CentOS 6.8 + IPA 3.0
>>>
>>> One master and one replica.
>>>
>>> Are these things related?
>>>
>>> How do I fix, where do I even start?
>>>
>>> Thanks !
>>>
>>> On the replica the httpd log is constantly getting spammed with:
>>>
>>> [Thu Nov 24 05:55:18 2016] [error] ipa: INFO:
>>> host/[email protected]:
>>> cert_request(uactual cert removed
>> .. , add=True): ACIError
>>>
>>> and on the master the access log is filling up quickly with:
>>>
>>> 10.1.41.110 - - [24/Nov/2016:06:09:54 +0000] "POST
>>> /ca/agent/ca/displayBySerial HTTP/1.1" 200 10106
>>
>> Looks like certmonger trying to renew the per-client SSL certificate.
>> You can confirm by pulling out the CSR and poking at it with openssl req.
>>
>> On the client you can try running: ipa-getcert list
>>
>> This may show more details on why the request was rejected.
>>
>> rob
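Added example, not part of the thread: a small log tally that shows which client host principals are producing the rejected cert_request calls, so that `ipa-getcert list` can be run on the busiest ones first. The function names, hostnames, realm and CSR placeholder are assumptions made up for illustration; only the line layout follows the error_log entry quoted above.

```shell
#!/bin/sh
# Constructed sample of the replica's httpd error_log. Hostnames, realm and
# the CSR placeholder are invented; the layout follows the quoted log entry.
sample_log() {
cat <<'EOF'
[Thu Nov 24 05:55:18 2016] [error] ipa: INFO: host/web01.example.com@EXAMPLE.COM: cert_request(u'<CSR removed>', add=True): ACIError
[Thu Nov 24 05:55:19 2016] [error] ipa: INFO: host/db02.example.com@EXAMPLE.COM: cert_request(u'<CSR removed>', add=True): ACIError
[Thu Nov 24 05:55:21 2016] [error] ipa: INFO: host/web01.example.com@EXAMPLE.COM: cert_request(u'<CSR removed>', add=True): ACIError
[Thu Nov 24 05:55:22 2016] [error] ipa: INFO: admin@EXAMPLE.COM: user_find(None): SUCCESS
[Thu Nov 24 05:55:30 2016] [error] ipa: INFO: host/web01.example.com@EXAMPLE.COM: cert_request(u'<CSR removed>', add=True): ACIError
EOF
}

# Count rejected cert_request calls per requesting principal, busiest first.
# Reads log text on stdin and prints "<count> <principal>" lines.
aci_errors_by_principal() {
    awk '
        /cert_request\(/ && /ACIError *$/ {
            # The principal is the field right after "ipa: INFO:".
            for (i = 1; i < NF; i++)
                if ($i == "INFO:") {
                    p = $(i + 1)
                    sub(/:$/, "", p)   # drop the trailing colon
                    n[p]++
                    break
                }
        }
        END { for (p in n) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# Demo run on the constructed sample.
sample_log | aci_errors_by_principal
```

On a real replica the same function can read the live log, for example `aci_errors_by_principal < /var/log/httpd/error_log` (the default Apache log path on CentOS 6).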
