<html><head></head><body>Sure thing! I'll send them to you in private. Regards Siggi <div class="gmail_quote">Dmitri Pal <dpal@redhat.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <pre class="k9mail">On 01/31/2014 10:00 AM, Sigbjorn Lie wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">On Fri, January 17, 2014 16:37, Rob Crittenden wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Sigbjorn Lie wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;">This worked better than expected. Thank you! :) ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays any certificates out of date, and all certificates in need of renewal within 28 days has been renewed. The webui also started working again and things seem to be back to normal. ipa03 however is still having issues. I could not renew any certificates on this server to begin with, but I managed to r! enew the certificates for the directory servers by changing the xmlrpc url to another ipa server in /etc/ipa/default.conf and resubmitting these requests. "getcert resubmit -i <request-id" says SUBMITTING and the fails with NEED_GUIDANCE after a short while for the certificates for the PKI service. /var/log/messages says: "certmonger: #033[?1034h28800" and "python: Updated certificate for ipaCert not available". There is a lot of information in the /var/log/pki-ca/debug, but nothing that I can easily distinguish as an error from all the other output. Anything in particular I should look for? </blockquote>Ok, so this is a bug in IPA related to python readline. Garbage is getting inserted and causing bad things to happen, <a href="https://fedorahosted.org/freeipa/ticket/4064">https://fedorahosted.org/freeipa/ticket/4064</a> So the question is, are the certs available or not. <! br />A number of the same certificates are shared amongst all the CAs. One does the renewal and stuffs the result into cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that location for an updated cert and will load them if they are updated. Look to see if the certs are updated there. Given that you have 2 working masters I'm assuming that is the case, so it may just be a matter of fixing the python.</blockquote> I could not get anywhere even after manually patching the python script as mentioned in the ticket you provided. I ended up removing and re-adding the replica during a maintenance window. For future reference, what I did was to remove the replica as per the Identity Management Guide on <a href="http://docs.redhat.com">docs.redhat.com</a>. I then re-created the replica installation file and installed the replica. At this point Certmonger managed to retrieve new certificates for the expired certificates, but it kept segfaulting when it attempted to save the certificate to disk. I restarted certmonger a few times, but certmonger just ended up segfaulting over and over. I decided to block the ipa server off the network and change the date back to before the certs expired. After the date was changed I restarted certmonger. Certmonger managed to save the certs successfully this time and a "getcert list" now displays only certificates with an expire date of 2015 or 2016 and a status of MONTORING. I changed the date back to correct date and time and removed the iptables rules. The replica now works just fine. Thank you for your assistance.</blockquote> Can you give us some core dumps from certmonger to see why it is crashing. We would like to fix crash bugs if we them. <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Regards, Siggi <hr /> Freeipa-users mailing list Freeipa-users@redhat.com <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></blockquote> </pre></blockquote></div> -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.</body></html>