[Freeipa-users] replica added, but clients still try renewing certificates with old master
Petr Vobornik
pvoborni at redhat.com
Wed Sep 21 14:38:25 UTC 2016
On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
> hi,
>
> I followed the instructions here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> and now after some issues I have a replica with both pki and dns data running
> centos 7.
>
> So now I have 3 replicas:
>
> centos 6.8:
> kdc01.unix.iriszorg.nl
> kdc02.unix.iriszorg.nl
>
> centos 7.2
> kdc03.unix.iriszorg.nl
>
> The replica was created with an agreement to kdc01.unix.iriszorg.nl, which was
> the master for CRL updates. I followed the steps to disable CRL cache and CRL
> updates on kdc01 and to enable them on kdc03.
>
> So on kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and uncommented
>
> # Only enable this on servers that are not generating a CRL
> RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
>
> and on kdc03 I commented this out:
>
> # Only enable this on servers that are not generating a CRL
> #RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
>
>
> When I try to resubmit certificates from certmonger they still hit the kdc01 web
> server, so the requests hang with status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server.
> Certificate operation cannot be completed: Failure decoding Certificate Signing
> Request).
Where does it happen? On an arbitrary client which was installed in the past
against the removed kdc01?
If so, could you look into /etc/ipa/default.conf and change the host option
from kdc01 to the 7.2 IPA server?
If this is correct then IMO it is quite a serious bug which needs to be
fixed (i.e. DNS discovery needs to be used).
>
>
> This was the problem in a recent thread on the list (trying to get rid of this
> replica now to fix this problem as well).
>
> So something is not redirecting properly and I would appreciate your assistance.
>
> TIA.
> --
> Groeten,
> natxo
>
--
Petr Vobornik
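The two files discussed in this thread decide where a client's certificate renewals and CRL fetches actually go: certmonger's IPA submission helper reads xmlrpc_uri (falling back to server) from the [global] section of /etc/ipa/default.conf, and an active RewriteRule for /ipa/crl/MasterCRL.bin in ipa-pki-proxy.conf sends CRL requests to another master. The shell script below is an added example, not code from the thread or from FreeIPA; it parses constructed copies of both files (hostnames borrowed from the thread) to report which server a client will submit to, whether a given master redirects CRL requests and to where, and it rewrites server/xmlrpc_uri to point a stale client at the new replica. Run the functions against the real files with `"$(cat /etc/ipa/default.conf)"` to check a host before resubmitting with getcert.

```shell
#!/bin/sh
# Constructed sample of a client's /etc/ipa/default.conf (not from the thread).
SAMPLE_DEFAULT_CONF='[global]
basedn = dc=unix,dc=iriszorg,dc=nl
realm = UNIX.IRISZORG.NL
domain = unix.iriszorg.nl
server = kdc01.unix.iriszorg.nl
host = client01.unix.iriszorg.nl
xmlrpc_uri = https://kdc01.unix.iriszorg.nl/ipa/xml
enable_ra = True
'

# Constructed CRL sections of /etc/httpd/conf.d/ipa-pki-proxy.conf:
# first as it should look on a master that does NOT generate the CRL,
# then as it should look on the CRL-generating master.
SAMPLE_PROXY_CONF_REDIRECTING='# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
'
SAMPLE_PROXY_CONF_MASTER='# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
'

# ipa_conf_value CONF_TEXT KEY: print KEY's value from the [global] section.
ipa_conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub(/[ \t]*$/, ""); print; exit }'
}

# url_host URL: strip scheme and path, leaving the host part.
url_host() {
    printf '%s\n' "$1" | sed 's#^[a-z]*://\([^/]*\).*#\1#'
}

# ipa_ca_submit_host CONF_TEXT: the server certmonger's IPA helper will talk to
# (host of xmlrpc_uri if set, otherwise the server option).
ipa_ca_submit_host() {
    uri=$(ipa_conf_value "$1" xmlrpc_uri)
    if [ -n "$uri" ]; then
        url_host "$uri"
    else
        ipa_conf_value "$1" server
    fi
}

# crl_redirect_target PROXY_CONF_TEXT: host the active MasterCRL.bin RewriteRule
# redirects to, or "local" when the rule is commented out (this master serves it).
crl_redirect_target() {
    target=$(printf '%s\n' "$1" | awk '
        /^[ \t]*RewriteRule[ \t]+\^\/ipa\/crl\/MasterCRL\.bin[ \t]/ { found = 1; print $3; exit }
        END { if (!found) print "local" }')
    url_host "$target"
}

# repoint_ipa_server CONF_TEXT NEW_SERVER: rewrite server and the host in
# xmlrpc_uri so a client installed against a retired master uses NEW_SERVER.
repoint_ipa_server() {
    printf '%s\n' "$1" | sed \
        -e "s#^\([ \t]*server[ \t]*=[ \t]*\).*#\1$2#" \
        -e "s#^\([ \t]*xmlrpc_uri[ \t]*=[ \t]*[a-z]*://\)[^/]*#\1$2#"
}

# Demonstration on the constructed samples.
echo "client submits renewals to: $(ipa_ca_submit_host "$SAMPLE_DEFAULT_CONF")"
echo "kdc01 CRL requests go to:   $(crl_redirect_target "$SAMPLE_PROXY_CONF_REDIRECTING")"
echo "kdc03 CRL requests go to:   $(crl_redirect_target "$SAMPLE_PROXY_CONF_MASTER")"
FIXED_CONF=$(repoint_ipa_server "$SAMPLE_DEFAULT_CONF" kdc03.unix.iriszorg.nl)
echo "after repointing, submits to: $(ipa_ca_submit_host "$FIXED_CONF")"
```

A value of "local" from crl_redirect_target on a master whose CRL generation you have disabled, or a redirect on the master that generates the CRL, is the misconfiguration to look for; a submit host that still names the old master is the client-side problem the reply above describes.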