[Freeipa-users] Cert Renewal
Ott, Dennis
Dennis.Ott at mckesson.com
Tue Sep 2 23:08:40 UTC 2014
I may need a little more direction here.
The output from getcert list-cas does not contain the string 'ca_renewal'.
What does this indicate?
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, August 26, 2014 3:53 PM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cert Renewal
Ott, Dennis wrote:
> No services are currently running on the replica (and I am hesitant to start them) but, my recollection is that I did the replica server installation with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and /etc/pki-ca/ directories in place on the replica.
>
> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but
> then, the service is down. The master also gave this status, even with
> the service running, until I followed the cert renewal procedure.)
>
> So, with the replica running a CA, should I follow the same procedure that I used on the master? Anything else to look out for?
No, the procedure is slightly different on the replica.
You need to start by ensuring that certmonger has a CA type for renewal:
# getcert list-cas
Look for ca_renewal
Check the CA subsystem certs to see how they are configured.
The CA should be dogtag-ipa-retrieve-agent-submit for "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca", with a pre-save command of stop_pkicad and a post-save command of restart_pkicad PKI-IPA.
The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", a blank pre-save command and a post-save command of restart_httpd.
rob
>
> Thanks.
>
> Dennis
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, August 25, 2014 6:37 PM
> To: Ott, Dennis; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
>
> Ott, Dennis wrote:
>> I have an IPA setup, one master, one replica; originally installed as
>> v 2.x and later updated to v 3.0. For whatever reasons, the certs
>> did not automatically renew and the services would no longer start. I
>> updated the certs manually on the master using the procedure shown at:
>>
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> The master is now functioning properly.
>>
>> At this point, the IPA service is still stopped on the replica. I
>> hesitate to start it for concern it could interfere with the
>> now-working master.
>>
>> What would be the recommended method for returning the replica to service?
>
> It depends on the replica. Does it also run a CA? If not then you can try restarting the certmonger service. This should cause it to fetch new certificates for the other IPA servers. ipa-getcert list will show you the status, wait until they are all MONITORING.
>
> Once that works then you can safely restart the world. Any changes on the master will be replicated out, and vice versa.
>
> rob
>
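The configuration check Rob describes for a CA replica, as a shell script added here (it is not code from the thread or from FreeIPA): it parses `getcert list` output and reports whether each CA subsystem cert and the agent cert ipaCert use the expected CA type and pre-/post-save commands. The `getcert` excerpt is constructed, and the command values are written exactly as the thread names them (`stop_pkicad`, `restart_pkicad PKI-IPA`, `restart_httpd`); an actual install may print full paths, so adjust the expected strings to what your system shows.

```shell
# Constructed excerpt of `getcert list` output (not from the thread): one subsystem
# cert set up as described, one still using the plain "IPA" CA, and ipaCert.
SAMPLE=$(cat <<'EOF'
Request ID '20140826120001':
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-retrieve-agent-submit
  pre-save command: stop_pkicad
  post-save command: restart_pkicad PKI-IPA
Request ID '20140826120002':
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: IPA
  pre-save command: stop_pkicad
  post-save command: restart_pkicad PKI-IPA
Request ID '20140826120003':
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-retrieve-agent-submit
  pre-save command:
  post-save command: restart_httpd
EOF
)
# cert_field OUTPUT NICKNAME FIELD: print FIELD ("CA", "pre-save command",
# "post-save command") of the tracking request whose certificate nickname is NICKNAME.
cert_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v field="$3" -v q="'" '
        /^Request ID/ { nick = "" }   # start of a new tracking request
        { p = index($0, "nickname=" q)
          if (p) { r = substr($0, p + 10); nick = substr(r, 1, index(r, q) - 1) } }
        { line = $0; sub(/^[ \t]+/, "", line); key = field ":"
          if (nick == want && index(line, key) == 1) {
              val = substr(line, length(key) + 1); gsub(/^ +| +$/, "", val)
              print val; exit } }'
}
# check_cert OUTPUT NICKNAME CA PRE POST: return 0 only if all three values match.
check_cert() {
    got_ca=$(cert_field "$1" "$2" "CA")
    got_pre=$(cert_field "$1" "$2" "pre-save command")
    got_post=$(cert_field "$1" "$2" "post-save command")
    if [ "$got_ca" = "$3" ] && [ "$got_pre" = "$4" ] && [ "$got_post" = "$5" ]; then
        printf 'OK       %s\n' "$2"; return 0
    fi
    printf 'MISMATCH %s: CA=[%s] pre=[%s] post=[%s]\n' "$2" "$got_ca" "$got_pre" "$got_post"
    return 1
}
# Expected values are the ones the reply lists for a replica that runs a CA.
for n in 'auditSigningCert cert-pki-ca' 'subsystemCert cert-pki-ca'; do
    check_cert "$SAMPLE" "$n" dogtag-ipa-retrieve-agent-submit stop_pkicad 'restart_pkicad PKI-IPA'
done
check_cert "$SAMPLE" ipaCert dogtag-ipa-retrieve-agent-submit '' restart_httpd
```

On a real replica, replace `$SAMPLE` with `$(getcert list)` and add `ocspSigningCert cert-pki-ca` to the loop; a cert that is not tracked at all shows up as a mismatch with empty fields.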