[Freeipa-users] replica creation problems
Josh
jcnt at use.startmail.com
Fri Apr 14 23:56:13 UTC 2017
On 04/14/2017 03:04 AM, Florence Blanc-Renaud wrote:
> Hi Josh,
>
> I did not try this type of setup myself, but I think the issue comes
> from missing root certificates. I would try to run
> $ ipa-cacert-manage --install <issuer B certfile>
> $ ipa-certupdate
> on the master. This command will install issuer B certificate as a
> trusted CA on the master, thus allowing communications with services
> (e.g. LDAP on replica) using certificates delivered by issuer B.
>
> You may find more information in
> /var/log/dirsrv/slapd-DOMAINNAME/access and errors files. You can also
> check if the root certificates are installed in each LDAP server's NSS
> DB:
> $ certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
> You should find issuer A and issuer B certs with CT,C,C trust flags on
> each machine.
>
> HTH,
> Flo.
Hello Florence,
Your explanation is correct. After
# ipa-cacert-manage install <issuer B root ca file>
# kinit admin
# ipa-certupdate
and starting the replica preparation over, replica configuration
completed with no errors.
However I noticed strange ipa-replica-manage behavior:
# ipa-replica-manage del replica_host_name
Connection to 'replica_host_name' failed: Insufficient access: Invalid
credentials
Unable to delete replica 'replica_host_name'
#
Does anyone know what is missing here?
Josh.
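
The trust-flag check suggested in the quoted reply (issuer A and issuer B both listed with CT,C,C in `certutil -L`) can be scripted so it is repeatable on the master and the replica. This is an added example, not part of the original thread; the nicknames and the sample listing are constructed, and `check_ca_trust` is a hypothetical helper name.

```sh
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-DOMAINNAME` output.
# Nicknames are hypothetical; issuer B is present but not yet trusted.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Issuer A Root CA                                             CT,C,C
Issuer B Root CA                                             ,,
EOF
}

# Read a certutil -L listing on stdin and check each nickname given as an
# argument. Prints OK/BAD/MISSING per nickname; returns 1 if any is not OK.
check_ca_trust() {
    want=${WANT:-CT,C,C}
    listing=$(cat)
    rc=0
    for nick in "$@"; do
        # Nicknames may contain spaces; the trust flags are the last field.
        flags=$(printf '%s\n' "$listing" | awk -v n="$nick" '
            NF >= 2 {
                name = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # drop the flags column
                sub(/^[ \t]+/, "", name)
                if (name == n) { print $NF; found = 1; exit }
            }
            END { if (!found) print "MISSING" }')
        case $flags in
            "$want")  echo "OK      $nick ($flags)" ;;
            MISSING)  echo "MISSING $nick"; rc=1 ;;
            *)        echo "BAD     $nick ($flags, want $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on the constructed listing; on a real host pipe certutil -L in instead.
sample_listing | check_ca_trust "Issuer A Root CA" "Issuer B Root CA" ||
    echo "trust check failed"
```

On a real host, replace `sample_listing` with the `certutil -L -d /etc/dirsrv/slapd-DOMAINNAME` command from the thread and pass the actual CA nicknames.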