[Freeipa-users] CA setup and ipa-getcert questions
Charlie Derwent
shelltoesuperstar at gmail.com
Sat Jan 11 14:20:57 UTC 2014
Hi,
I'm experiencing an issue trying to use ipa-getcert on my IPA clients.
When I run a command similar to this
ipa-getcert request -K principal/`hostname` -D `hostname` \
-k /var/lib/ssl/private_keys/`hostname`.pem \
-f /var/lib/ssl/certs/`hostname`.pem
Sometimes it will work, but 9 times out of 10 an "ipa-getcert list" will
show the request failed with a status of CA_UNREACHABLE. I'm fairly certain
it's not a time related issue as I tend to run the command just after
enrolment and our NTP servers are rock solid.
Now please correct me if I'm wrong (because it feels like I am wrong) but I
think this is happening because not all of my replicas are Certificate
Authorities but the clients are still trying to validate their certificate
signing requests with them.
Am I mistaken? Have I misconfigured something? If my theory is correct is
there a way to force the client to only talk to the replica(s) running the
CA service for these types of tasks?
Anyway, to try and get round the issue I decided to try and make all my IPA
replicas Certificate Authorities, and ran into the issue linked below:
Bug 905064 - ipa install error Unable to find preop.pin
https://bugzilla.redhat.com/show_bug.cgi?id=905064
This has stopped me from rolling out the CA functionality across all of my
replicas (and I almost trashed a replica in the process of trying to
work around it).
I'm not really bothered which way I go about solving the problem but would
really appreciate some assistance as it feels like I'm stuck between a rock
and a hard place.
Thanks,
Charlie
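Added example, not part of the original post: a small shell check of which IPA server this client's certmonger will submit requests to, and whether that server is listed as a CA master. It assumes certmonger's IPA helper takes the server from the xmlrpc_uri line of /etc/ipa/default.conf, and that CA masters are recorded in LDAP as cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> with ipaConfigString: enabledService. The default.conf and LDIF it parses are constructed sample data so it runs offline; on a real client, point it at the real config and at ldapsearch output.

```shell
#!/bin/sh
# Added example (not from the original post): does the server this client's
# certmonger will talk to actually run the CA service?
#
# Assumptions (not stated on the page):
#  - certmonger's IPA helper submits to the host in xmlrpc_uri of /etc/ipa/default.conf
#  - CA masters appear in LDAP as
#    cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> with ipaConfigString: enabledService
#
# On a real client the LDIF would come from something like:
#   ldapsearch -LLL -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" "(cn=CA)" ipaConfigString
# Here both inputs are constructed sample files.

# Host name from the xmlrpc_uri line of an IPA client config file ($1).
ipa_server_from_conf() {
    sed -n 's|^xmlrpc_uri *= *https\{0,1\}://\([^/]*\)/.*|\1|p' "$1" | head -n 1
}

# Print the FQDN of every master whose cn=CA entry carries enabledService.
# Reads LDIF on stdin; entries start at "dn: " lines. Assumes the dn lines are
# not folded (keep the suffix short, or unfold with awk first).
ca_masters_from_ldif() {
    awk '
        function flush() { if (host != "" && enabled) print host; host = ""; enabled = 0 }
        /^dn: / {
            flush()
            if ($0 ~ /^dn: cn=CA,cn=/) {
                host = $0
                sub(/^dn: cn=CA,cn=/, "", host)   # drop the leading RDNs
                sub(/,.*/, "", host)              # keep only the fqdn
            }
        }
        /^ipaConfigString: enabledService$/ { enabled = 1 }
        END { flush() }
    '
}

# Exit 0 if the client's configured server is a CA master, 1 if not, 2 if
# no server could be read from the config.  $1 = default.conf, $2 = LDIF file.
client_server_is_ca() {
    srv=$(ipa_server_from_conf "$1")
    [ -n "$srv" ] || return 2
    ca_masters_from_ldif < "$2" | grep -qx "$srv"
}

# --- constructed sample data -------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/default.conf" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = replica2.example.test
xmlrpc_uri = https://replica2.example.test/ipa/xml
EOF

# ipa1 runs the CA; replica2 is a plain replica (KDC only, no cn=CA entry).
cat > "$tmp/masters.ldif" <<'EOF'
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=KDC,cn=replica2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
EOF

srv=$(ipa_server_from_conf "$tmp/default.conf")
if client_server_is_ca "$tmp/default.conf" "$tmp/masters.ldif"; then
    echo "OK: $srv is a CA master"
else
    echo "WARNING: $srv is not a CA master; certificate requests go through a non-CA server"
fi
echo "CA masters: $(ca_masters_from_ldif < "$tmp/masters.ldif" | tr '\n' ' ')"
```

With the sample data the check warns, because the client was enrolled against replica2 while only ipa1 runs the CA. Swap the xmlrpc_uri host for ipa1.example.test and it reports OK.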