[Freeipa-users] replica added, but clients still try renewing certificates with old master

Rob Crittenden rcritten at redhat.com
Fri Sep 23 15:16:26 UTC 2016


Petr Vobornik wrote:
> On 09/21/2016 05:06 PM, Natxo Asenjo wrote:
>> hi Petr,
>>
>> On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>
>>      On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
>>
>>      > When I try to resubmit certificates from certmonger they still hit the kdc01 web
>>      > server, so the requests hang on a status: CA_UNREACHABLE
>>      >      ca-error: Server failed request, will retry: 4301 (RPC failed at server.
>>      > Certificate operation cannot be completed: Failure decoding Certificate Signing
>>      > Request).
>>
>>      Where does it happen? On an arbitrary client which was installed in the past
>>      against the removed kdc01?
>>
>>
>> yes.
>>
>>
>>      If so, could you look into /etc/ipa/default.conf and change the host option
>>      from kdc01 to the 7.2 IPA server?
>>
>>
>> ok, done.
>>
>> In fact, changing both the domain and the xmlrpc_uri directives in the global
>> section was necessary. Now it worked :-)
>>
>> So, what should be the correct value for dns discovery for both directives using
>> dns discovery?
>
> I don't think there is support for DNS discovery in Certmonger. CCing Rob.

That is correct, it uses the value from the ipa config file.

rob
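
Because certmonger takes its server from the IPA config file rather than from DNS, every client enrolled against a removed master keeps sending renewals there until the file is edited. The following audit is an added example, not part of the original thread or of FreeIPA: it lists the options in the `[global]` section of `/etc/ipa/default.conf` that still name a retired master. The `example.com` domain, the sample file contents and the function name `stale_options` are assumptions made for illustration.

```python
import configparser
import sys
from urllib.parse import urlparse

# Constructed sample of a client's /etc/ipa/default.conf; example.com is a
# placeholder domain, kdc01 is the removed master named in the thread.
SAMPLE_CONF = """\
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = kdc01.example.com
host = client1.example.com
xmlrpc_uri = https://kdc01.example.com/ipa/xml
enable_ra = True
"""


def stale_options(conf_text, retired_host):
    """Return sorted (option, value) pairs in [global] that name retired_host."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("global"):
        return []
    retired = retired_host.lower().rstrip(".")
    hits = []
    for option, value in parser.items("global"):
        candidate = value.strip()
        # URL-valued options such as xmlrpc_uri are compared by hostname,
        # so "kdc01" does not accidentally match "kdc010".
        if "://" in candidate:
            candidate = urlparse(candidate).hostname or ""
        if candidate.lower().rstrip(".") == retired:
            hits.append((option, value.strip()))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: script.py RETIRED_HOST [CONF_PATH]; exits 1 if stale entries exist.
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ipa/default.conf"
    with open(path, encoding="utf-8") as fh:
        found = stale_options(fh.read(), sys.argv[1])
    for option, value in found:
        print(f"{path}: {option} = {value}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a stale entry lets the check run from configuration management across all enrolled clients before a master is decommissioned.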



