[Freeipa-users] restored replica ssl issue
Martin Kosek
mkosek at redhat.com
Mon Nov 10 11:49:46 UTC 2014
On 11/10/2014 08:34 AM, Les Stott wrote:
> Hi all,
>
> I have a standard freeipa environment under rhel6.
>
> One of my replica servers, let's call it "serverB", had issues and I eventually rebuilt it.
>
> I rebuilt and restored data, but something wasn't right. Replication wasn't working. I had tried to re-initialize replication but it didn't help.
>
> The last thing I did was to ....
>
> On serverB
> ipa-server-install --uninstall
> getcert list
> # remove the cert from being tracked (as per info shown after completion of ipa-server-install --uninstall)
> getcert stop-tracking -i 20131216070540
> rm /var/lib/ipa/replica-info-serverB.mydomain.com.gpg
>
> On server (the master)
> ipa host-del serverB.mydomain.com.gpg
> ipa-replica-manage del serverB.mydomain.com.gpg --force
You do not have to run host-del, "ipa-replica-manage del" should take care of
all records, AFAIK.
> cd /var/lib/ipa
> rm replica-info- serverB.mydomain.com.gpg
>
> This all appeared fine, and seemingly removes serverB completely. So, I then set it back up as a replica in the normal way
I am not sure I follow. What did you do exactly ("set it back up as a
replica")? Did you simply reinstall replica with ipa-replica-install or did you
do some other step?
> ,and this worked well. Replication is working and all looks good except for the FreeIPA Web interface.
>
> When I try to browse to https://serverB.mydomain.com/ipa/ui/ I get "unknown Error" in a popup box.
>
> In the apache error log I see....
> [Mon Nov 10 02:08:37 2014] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>
> I am not sure what "Peer" references - serverB locally?
Peer should be the machine where you run the browser. You can check the
Server-Cert in /etc/httpd/alias/ database to see what changed.
> My gut feel is that perhaps there were leftover remnants (possibly in ipa httpd config) from after the uninstall and the reinstall didn't overwrite them.
I did not reproduce it myself, but it can happen. We have a ticket filed for
https://fedorahosted.org/freeipa/ticket/4639
A workaround would be to remove all contents of this directory before replica
installation. But I would wait with an advisory until I see what really happened.
> Can anyone shed any light on the error above?
>
> Thanks in advance,
>
> Les
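A script for the check Martin suggests (look at the Server-Cert in /etc/httpd/alias and compare its issuer with the CA certificate held in the same NSS database); this is an added example, not something posted in the thread. It assumes the pretty-print layout of NSS certutil output and uses a placeholder for the CA nickname; the two certificate dumps are constructed samples.

```shell
#!/bin/sh
# Diagnose httpd "SSL Library Error: -12195" on a rebuilt IPA replica: the
# Server-Cert in the NSS database must be issued by a CA that the same database
# holds. Parses the layout of `certutil -L -d /etc/httpd/alias -n <nickname>`.

# Issuer DN of a certutil pretty-print dump read from stdin.
issuer_of() {
  sed -n 's/^ *Issuer: "\(.*\)"$/\1/p' | head -n 1
}

# Subject DN of a certutil pretty-print dump read from stdin.
subject_of() {
  sed -n 's/^ *Subject: "\(.*\)"$/\1/p' | head -n 1
}

# $1 = Server-Cert dump, $2 = CA cert dump. Exit 0 when the issuer matches.
issuer_matches_ca() {
  srv_issuer=$(printf '%s\n' "$1" | issuer_of)
  ca_subject=$(printf '%s\n' "$2" | subject_of)
  [ -n "$srv_issuer" ] && [ "$srv_issuer" = "$ca_subject" ]
}

# Constructed sample dumps: a leftover Server-Cert from the pre-rebuild
# installation (old CA) next to the CA the fresh replica actually trusts.
SAMPLE_SERVER_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=OLD.MYDOMAIN.COM"
        Subject: "CN=serverB.mydomain.com,O=MYDOMAIN.COM"'
SAMPLE_CA_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=MYDOMAIN.COM"
        Subject: "CN=Certificate Authority,O=MYDOMAIN.COM"'

# Compare two dumps and report; $1 = server dump, $2 = CA dump, $3 = CA label.
report() {
  if issuer_matches_ca "$1" "$2"; then
    echo "OK: Server-Cert was issued by $3"
  else
    echo "MISMATCH: Server-Cert issuer '$(printf '%s\n' "$1" | issuer_of)'" \
         "is not the CA '$(printf '%s\n' "$2" | subject_of)'"
    return 1
  fi
}

# On a real replica: report "$(certutil -L -d /etc/httpd/alias -n Server-Cert)" \
#   "$(certutil -L -d /etc/httpd/alias -n '<REALM> IPA CA')" 'the IPA CA'
# Here the constructed samples are used, so this prints MISMATCH.
report "$SAMPLE_SERVER_CERT" "$SAMPLE_CA_CERT" 'the IPA CA' || true
```

A MISMATCH points at a stale certificate left behind by the earlier installation; an OK result means the trust problem lies elsewhere (for example in the browser's trust store on the peer).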