[Freeipa-users] ipa topologysuffix-verify "Topology is disconnected"
Kees Bakker
keesb at ghs.com
Fri Jan 13 12:59:25 UTC 2017
Hi,
After messing around with CERTs on one of the replicas, there is
a problem with replication. The topology is simple, just two
hosts.
I am searching for the proper command(s) to make replication
functional again. This is what I see right now (replaced actual
FQDNs with host1 and host2).
On host1 and host2:
# ipa topologysegment-find domain --all
-----------------
1 segment matched
-----------------
dn: cn=host1-to-host2,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ghs,dc=nl
Segment name: host1-to-host2
Left node: host1
Right node: host2
Connectivity: left-right
iparepltoposegmentstatus: autogen
objectclass: top, iparepltoposegment
----------------------------
Number of entries returned 1
----------------------------
On host1:
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server host2 can't contact servers: host1
On host2:
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server host2 can't contact servers: host1
In other words, the same error message on both hosts.
The command to connect (as described in almost every online doc) does not
work anymore.
On host2:
# ipa-replica-manage connect host1
Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.
On host1:
# ipa-replica-manage connect host2
Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.
OK. Try to re-initialize then.
On host1:
# ipa topologysegment-reinitialize domain host1-to-host2 --right
-------------------------------------------------------------------------
Replication refresh for segment: "host1-to-host2" requested.
-------------------------------------------------------------------------
Hmm, ok. Now what? Replication refresh is requested, but what is the result?
TL;DR
Above I mentioned that I messed around with CERTs. I wanted to use Let's
Encrypt for a signed CERT on host2. It was quite a struggle to install
the necessary PEMs here and there. It could very well be that I didn't follow
the correct procedures, but I can only say that I searched the web back and
forth for the correct commands.
So the key problem now is that host2 (with the new CERT) cannot connect to
host1 (with its original self-signed CERT).
How to debug this?
--
Kees
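Added here as an example (not part of Kees's mail or of FreeIPA's own tooling): a shell check for the suspicion raised in the post, that host2's replaced server certificate no longer chains to the CA that host1 trusts. It assumes the IPA CA bundle is at /etc/ipa/ca.crt, that 389-ds serves LDAPS on port 636, and that openssl is in PATH.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): check whether a replica's
# LDAP server certificate verifies against the CA bundle the peer trusts.
# Assumptions: the IPA CA chain lives in /etc/ipa/ca.crt, 389-ds serves
# LDAPS on 636, and openssl is in PATH. Run it on each host against the other.

IPA_CA_FILE="${IPA_CA_FILE:-/etc/ipa/ca.crt}"

# Read openssl s_client output on stdin; print the numeric "Verify return code".
# Prints nothing when the handshake never reached certificate verification.
parse_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map the OpenSSL verify codes that matter for a replaced server certificate
# to a short explanation.
describe_verify_code() {
    case "$1" in
        0)  echo "ok" ;;
        10) echo "certificate has expired" ;;
        18) echo "self-signed certificate" ;;
        19) echo "self-signed certificate in chain (CA not in $IPA_CA_FILE)" ;;
        20) echo "unable to get local issuer certificate (issuer not trusted)" ;;
        21) echo "unable to verify the first certificate (chain incomplete)" ;;
        "") echo "no TLS handshake (connection refused or port wrong)" ;;
        *)  echo "verify error $1" ;;
    esac
}

# Connect to host:port over TLS and verify the presented chain with IPA_CA_FILE.
# Returns 0 only when the peer certificate chains to the IPA CA.
check_ldaps_trust() {
    host="$1"; port="${2:-636}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$IPA_CA_FILE" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | parse_verify_code)
    printf '%s:%s -> %s\n' "$host" "$port" "$(describe_verify_code "$code")"
    [ "$code" = "0" ]
}

# Usage: sh check_replica_tls.sh host1 host2
# (with no arguments the script only defines the functions above)
rc=0
for peer in "$@"; do
    check_ldaps_trust "$peer" || rc=1
done
```

Run it on host1 against host2 and on host2 against host1; a non-zero verify code on either side is consistent with the "can't contact" result from topologysuffix-verify. The outcome of the topologysegment-reinitialize request itself can be read on the receiving replica with `ipa-replica-manage list -v <host>`, which prints the last init and last update status of each agreement.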