[Freeipa-users] replica creation problems

Josh jcnt at use.startmail.com
Fri Apr 14 23:56:13 UTC 2017


On 04/14/2017 03:04 AM, Florence Blanc-Renaud wrote:
> Hi Josh,
>
> I did not try this type of setup myself, but I think the issue comes 
> from missing root certificates. I would try to run
> $ ipa-cacert-manage --install <issuer B certfile>
> $ ipa-certupdate
> on the master. This command will install issuer B certificate as a 
> trusted CA on the master, thus allowing communications with services 
> (eg LDAP on replica) using certificates delivered by issuer B.
>
> You may find more information in 
> /var/log/dirsrv/slapd-DOMAINNAME/access and errors files. You can also 
> check if the root certificates are installed in each LDAP server's NSS 
> DB:
> $ certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
> You should find issuer A and issuer B certs with CT,C,C trust flags on 
> each machine.
>
> HTH,
> Flo.

Hello Florence,

Your explanation is correct. After

# ipa-cacert-manage install <issuer B root ca file>
# kinit admin
# ipa-certupdate

and starting replica preparation over,

replica configuration completed with no errors.

However I noticed strange ipa-replica-manage behavior:

# ipa-replica-manage del replica_host_name
Connection to 'replica_host_name' failed: Insufficient access: Invalid 
credentials
Unable to delete replica 'replica_host_name'
#

Does anyone know what is missing here?

Josh.
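As an added illustration of the NSS DB check Florence suggests above (not code from the thread or from the FreeIPA project), this shell snippet parses `certutil -L` output and reports any issuer root whose trust flags are not CT,C,C; the nicknames ISSUER-A-ROOT and ISSUER-B-ROOT and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-DOMAINNAME` output,
# embedded so the check can be exercised offline. Nicknames are placeholders.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

ISSUER-A-ROOT                                   CT,C,C
ISSUER-B-ROOT                                   C,,
Server-Cert                                     u,u,u'

# trust_flags_for NICKNAME  (certutil -L output on stdin)
# Prints the trust column for NICKNAME, or nothing if it is not in the DB.
# Only the last whitespace-separated field is treated as the trust column,
# so nicknames containing spaces (e.g. "EXAMPLE.COM IPA CA") still match.
trust_flags_for() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)   # drop trust column
            name = $0
            sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# check_trust CERTUTIL_OUTPUT NICKNAME...
# Prints OK / MISSING / WRONG per nickname; returns 0 only if every
# nickname is present with exactly the CT,C,C trust flags.
check_trust() {
    out="$1"; shift
    rc=0
    for nick in "$@"; do
        flags=$(printf '%s\n' "$out" | trust_flags_for "$nick")
        if [ -z "$flags" ]; then
            echo "MISSING $nick"; rc=1
        elif [ "$flags" != "CT,C,C" ]; then
            echo "WRONG   $nick has '$flags', expected CT,C,C"; rc=1
        else
            echo "OK      $nick"
        fi
    done
    return $rc
}

# Offline demonstration against the constructed sample (issuer B is flagged).
check_trust "$SAMPLE_CERTUTIL_OUTPUT" ISSUER-A-ROOT ISSUER-B-ROOT || echo "trust check failed"

# On a real master or replica (DOMAINNAME as in the thread):
#   check_trust "$(certutil -L -d /etc/dirsrv/slapd-DOMAINNAME)" ISSUER-A-ROOT ISSUER-B-ROOT
```

Run it on each LDAP server; any MISSING or WRONG line points at the host whose NSS DB still needs `ipa-cacert-manage install` followed by `ipa-certupdate`.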
