[Freeipa-users] CA: IPA certificates not renewing

Marc Wiatrowski wia at iglass.net
Tue Jun 14 18:07:53 UTC 2016


On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Marc Wiatrowski wrote:
>
>> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA
>> renewing on 2 of 3 replicas.  Particularly on the 2 that are not the CA
>> master.  The other 5 certificates from getcert list do renew and all
>> certificates on the CA master do look to renew.
>>
>> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64. I've done
>> full updates and rebooted.
>>
>
> Can you check on the replication status for each CA?
>
> $ ipa-csreplica-manage list -v ipa.example.com
>
> The hostname is important because including that will show the agreements
> that host has. Do this for each master with a CA.
>
> The CA being asked to do the renewal is unaware of the current serial
> number so it is refusing to proceed.
>
> rob
>
>

[root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
Directory Manager password:

spider01b.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-06-14 17:49:16+00:00
spider01o.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:55:20+00:00

[root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
Directory Manager password:

spider01a.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:57:44+00:00
spider01b.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:57:41+00:00

[root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
Directory Manager password:

spider01a.iglass.net
  last init status: 0 Total update succeeded
  last init ended: 2016-06-03 19:43:12+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-06-14 17:44:17+00:00
spider01o.iglass.net
  last init status: 0 Total update succeeded
  last init ended: 2016-06-03 19:44:38+00:00
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:57:53+00:00
spider01a.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-06-14 17:44:13+00:00
spider01o.iglass.net
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:57:54+00:00


Not sure what this is telling... Is this an issue with the last being
doubled?  Thanks
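
The following is an added example, not part of the thread and not FreeIPA code: a small parser for `ipa-csreplica-manage list -v` output in the format shown above, which rejoins status values split by e-mail wrapping and reports peers that are listed more than once and update statuses with a non-zero leading code. The sample hostnames are constructed, and reading the leading integer as a status code where 0 means success is an assumption.

```python
import re
from collections import Counter
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
FIELD_RE = re.compile(r"^\s+(last (?:init|update) (?:status|ended)):\s*(.*)$")

# Constructed sample in the format shown in the thread (hostnames are made up).
# The stray "succeeded" line mimics a value wrapped by the mail client.
SAMPLE = """\
ipa1.example.test
  last init status: 0 Total update succeeded
  last init ended: 2016-06-03 19:43:12+00:00
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2016-06-14 17:44:17+00:00
ipa2.example.test
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2016-06-14 17:57:53+00:00
ipa1.example.test
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-06-14 17:44:13+00:00
"""

def parse_agreements(text):
    """Return one dict per agreement block, in the order listed."""
    agreements, last_key = [], None
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field and agreements:
            last_key = field.group(1)
            agreements[-1][last_key] = field.group(2).strip()
        elif HOST_RE.match(line.strip()):
            agreements.append({"peer": line.strip()})
            last_key = None
        elif line.strip() and last_key:
            # Neither a field nor a hostname: continuation of a wrapped value.
            agreements[-1][last_key] += " " + line.strip()
    return agreements

def review(agreements):
    """Return (peers listed more than once, peers with non-zero update code)."""
    counts = Counter(a["peer"] for a in agreements)
    repeated = sorted(p for p, n in counts.items() if n > 1)
    # Assumption: the leading integer is a status code and 0 means success.
    nonzero = [a["peer"] for a in agreements
               if re.match(r"-?[1-9]", a.get("last update status", ""))]
    return repeated, nonzero
```

Calling `review(parse_agreements(output))` on the saved output from each CA master gives one pair of lists per host to compare.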