[Freeipa-users] ipa topologysuffix-verify "Topology is disconnected"

Kees Bakker keesb at ghs.com
Fri Jan 13 12:59:25 UTC 2017


Hi,

After messing around with CERTs on one of the replicas there is
a problem with replication. The topology is simple, just two
hosts.

I am searching for the proper command(s) to make replication
functional again. This is what I see right now (replaced actual
FQDNs with host1 and host2).

On host1 and host2:
# ipa topologysegment-find domain --all
-----------------
1 segment matched
-----------------
  dn: cn=host1-to-host2,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ghs,dc=nl
  Segment name: host1-to-host2
  Left node: host1
  Right node: host2
  Connectivity: left-right
  iparepltoposegmentstatus: autogen
  objectclass: top, iparepltoposegment
----------------------------
Number of entries returned 1
----------------------------

On host1:
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
  Server host2 can't contact servers: host1

On host2:
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
  Server host2 can't contact servers: host1

In other words, the same error message on both hosts.

The command to connect (as described in almost every online doc) does not
work anymore.

On host2:
# ipa-replica-manage connect host1
Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.

On host1:
# ipa-replica-manage connect host2
Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.

OK. Try to re-initialize then

On host1:
# ipa topologysegment-reinitialize domain host1-to-host2 --right
-------------------------------------------------------------------------
Replication refresh for segment: "host1-to-host2" requested.
-------------------------------------------------------------------------

Hmm, ok. Now what? Replication refresh is requested, but what is the result?

TL;DR
Above I mentioned that I messed around with CERTs. I wanted to use Let's
Encrypt for a signed CERT on host2. It was quite a struggle to install
the necessary PEMs here and there. It could very well be that I didn't follow
the correct procedures, but I can only say that I searched the web back and
forth for the correct commands.

So the key problem now is that host2 (with the new CERT) cannot connect to
host1 (with its original self-signed CERT).

How to debug this?
-- 
Kees
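The connectivity check that `ipa topologysuffix-verify` reports on can be reproduced from the `ipa topologysegment-find` listing in the post: each segment is a replication edge between its left and right node, and a server is "unable to contact" every server it cannot reach by following those edges. The script below is an added example (not FreeIPA's own code); it parses constructed CLI output shaped like the post's, builds the directed graph, and prints the same style of report. It assumes the usual FreeIPA segment direction semantics (`both` is bidirectional, `left-right` means only the left node replicates to the right node, `right-left` the reverse) and recognises both the older `Connectivity:` and the newer `Direction:` label.

```python
"""Rebuild the reachability check behind `ipa topologysuffix-verify`
from `ipa topologysegment-find` output (added example, not FreeIPA code).

Assumed direction semantics (FreeIPA topology segments):
  both        -> left <-> right
  left-right  -> left  -> right only
  right-left  -> right -> left  only
"""
import re
from collections import deque

# Constructed sample output: one autogenerated one-way segment, as in the post
# (the LDAP suffix below is a placeholder, not a real deployment).
SAMPLE_SEGMENTS = """\
-----------------
1 segment matched
-----------------
  dn: cn=host1-to-host2,cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=test
  Segment name: host1-to-host2
  Left node: host1
  Right node: host2
  Connectivity: left-right
  iparepltoposegmentstatus: autogen
  objectclass: top, iparepltoposegment
----------------------------
Number of entries returned 1
----------------------------
"""

_FIELD = re.compile(r"\s*(Segment name|Left node|Right node|Connectivity|Direction):\s*(.+)")


def parse_segments(text):
    """Return a list of {name, left, right, direction} dicts from CLI output."""
    segments, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Segment name":
            if current:
                segments.append(current)
            current = {"name": value}
        elif key == "Left node":
            current["left"] = value
        elif key == "Right node":
            current["right"] = value
        else:  # Connectivity / Direction
            current["direction"] = value
    if current:
        segments.append(current)
    return segments


def build_graph(segments):
    """Directed adjacency map: server -> set of servers it replicates to."""
    edges = {}
    for seg in segments:
        for node in (seg["left"], seg["right"]):
            edges.setdefault(node, set())
        if seg["direction"] in ("both", "left-right"):
            edges[seg["left"]].add(seg["right"])
        if seg["direction"] in ("both", "right-left"):
            edges[seg["right"]].add(seg["left"])
    return edges


def unreachable(edges):
    """Map each server to the sorted list of servers it cannot reach (BFS)."""
    gaps = {}
    for start in edges:
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        missing = sorted(set(edges) - seen)
        if missing:
            gaps[start] = missing
    return gaps


def report(text):
    """Produce the lines topologysuffix-verify would print for this listing."""
    gaps = unreachable(build_graph(parse_segments(text)))
    if not gaps:
        return ["Topology is connected"]
    lines = ["Topology is disconnected"]
    for server, missing in sorted(gaps.items()):
        lines.append(f"  Server {server} can't contact servers: {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SEGMENTS)))
```

Run against the sample, the script reports `Server host2 can't contact servers: host1`, the same message shown on both hosts in the post; switching the segment's direction to `both` (or adding a `right-left` segment) makes the report read "Topology is connected". The reachability view only tells you which edges the topology plugin knows about; whether a given edge actually works over TLS is a separate question that this check does not answer.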