[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Fri Jan 17 15:37:06 UTC 2014


Sigbjorn Lie wrote:
>
> This worked better than expected. Thank you! :)
>
> ipa01 and ipa02 seem to be happy again, "getcert list" no longer
> displays any certificates out of date, and all certificates in need of
> renewal within 28 days have been renewed. The webui also started working
> again and things seem to be back to normal.
>
> ipa03 however is still having issues. I could not renew any certificates
> on this server to begin with, but I managed to renew the certificates
> for the directory servers by changing the xmlrpc url to another ipa
> server in /etc/ipa/default.conf and resubmitting these requests.
>
> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with
> NEED_GUIDANCE after a short while for the certificates for the PKI service.
>
> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
> Updated certificate for ipaCert not available".
>
> There is a lot of information in the /var/log/pki-ca/debug, but nothing
> that I can easily distinguish as an error from all the other output.
> Anything in particular I should look for?

Ok, so this is a bug in IPA related to python readline. Garbage is 
getting inserted and causing bad things to happen, 
https://fedorahosted.org/freeipa/ticket/4064

So the question is, are the certs available or not.

A number of the same certificates are shared amongst all the CAs. One 
does the renewal and stuffs the result into 
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that 
location for an updated cert and will load them if they are updated.

Look to see if the certs are updated there. Given that you have 2 
working masters I'm assuming that is the case, so it may just be a 
matter of fixing the python.

rob
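The "#033[?1034h" that syslog shows ahead of "28800" is the terminal escape sequence readline writes on import, landing in front of the value the helper actually meant to emit. The following is an added illustration, not code from this thread or from FreeIPA: it reconstructs that logged string as sample input and shows how the prefix breaks a naive integer parse while an escape-stripping parse still recovers the number.

```python
import re

# Constructed sample, not captured from a live system: the string certmonger
# logged in the thread, with syslog's "#033" rendering turned back into a real
# ESC byte. "\x1b[?1034h" is the meta-mode sequence readline emits to the
# terminal; here it was written to stdout ahead of the intended value.
SAMPLE_OUTPUT = "\x1b[?1034h28800"

# ANSI CSI sequences: ESC '[' parameter bytes, intermediate bytes, final byte.
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


def has_terminal_garbage(text):
    """True if the captured output carries any escape sequence or stray ESC."""
    return bool(ANSI_CSI.search(text)) or "\x1b" in text


def strip_terminal_garbage(text):
    """Remove CSI sequences so the remaining payload can be parsed."""
    return ANSI_CSI.sub("", text)


def naive_parse(text):
    """What a helper that trusts its captured stdout does: int() on the raw
    string. str.strip() removes whitespace only, so the ESC prefix remains and
    the parse raises ValueError, which is the failure the thread describes."""
    return int(text.strip())


def robust_parse(text):
    """Strip escape sequences first, then insist on a pure digit string."""
    cleaned = strip_terminal_garbage(text).strip()
    if not cleaned.isdigit():
        raise ValueError("unexpected helper output: %r" % text)
    return int(cleaned)


def demo(text=SAMPLE_OUTPUT):
    """Return (naive parse failed?, value recovered by the robust parse)."""
    try:
        naive_parse(text)
        naive_failed = False
    except ValueError:
        naive_failed = True
    return naive_failed, robust_parse(text)
```

Running `demo()` on the sample returns `(True, 28800)`: the raw string cannot be parsed, the cleaned one can.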
