Fraser,
My thanks to both Rob and you for responding. When I check the status of
the certificate today I see that it is back in the "monitoring" state but
it has not changed the expiration date and there is a ca-error: ca-error:
Invalid cookie: u''. To confirm, the CA I'm working with is not the renewal
master. When I check the renewal master for the same certificate, I see a
different expiration date and no errors. Running the command ipa-replica-manage
list on both servers shows the full set of 4 masters and no errors. Can
someone provide insight on why the non-renewal master has a bad date for
this certificate and, if it's related to the above error, how to rectify the
situation?
Thanks,
Jeff
On Tue, Mar 26, 2019 at 6:17 AM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Mon, Mar 25, 2019 at 01:37:00PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Jeff Goddard via FreeIPA-users wrote:
> > Hello everyone and thanks for providing the FreeIPA platform.
> >
> > I've got a situation where I have 4 FreeIPA peer servers, with 2 of them
> > being CAs with replication configured. These are split into 2 physical
> > locations with 1 CA per site. I was testing renewal of the
> > "nickname='subsystemCert cert-pki-ca" certificate in one of my sites by
> > issuing ipa-getcert resubmit -i [cert ID#]. Now this certificate seems
> > to be stuck with a status of CA_Working. Since it's been over 4 hours
> > since I submitted the request I'm wondering if something went wrong and
> > where I can begin looking to troubleshoot. I tried running
> > ipa-certupdate to sync from the other CA master and it completed
> > successfully. The original certificate was not expired and other than
> > the "CA Working" status there are no apparent problems. The server is
> > version 4.6.4 running on CentOS 7.4. Do I have reason to be concerned or
> > is this expected behavior?
>
> Only the CA renewal master actually renews certificates. I'm going to assume
> this particular host is not that which means it is waiting for some other
> host to do the renewal and stuff the updated certificate into a location in
> LDAP which this will eventually pick up and install.
>
As long as replication is working properly ;)
Also just to clarify: each CA server will renew host-specific
certificates on its own (HTTPS, LDAPS and KDC certificates). But
shared certificates (Dogtag system certs and IPA RA) are only
renewed on the renewal master.
Cheers,
Fraser
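A diagnostic helper for the situation Jeff describes and the renewal-master rule Fraser explains, added here as example code that is not part of the thread: it parses getcert list output taken on the renewal master and on a non-renewal master, then flags tracking requests on the non-renewal master that are still CA_WORKING, carry a ca-error, or still show an older expiry than the renewal master. The two listings are constructed in the shape of certmonger's getcert list output, with made-up request IDs and dates.

```python
import re

# Constructed getcert list excerpts (not captures from the thread) for the
# renewal master and a non-renewal master tracking the same shared Dogtag cert.
RENEWAL_MASTER = """\
Request ID '20190101120000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2021-03-25 12:00:00 UTC
"""
NON_RENEWAL_MASTER = """\
Request ID '20190101120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2019-03-25 12:00:00 UTC
\tca-error: Invalid cookie: u''
"""

def parse_getcert_list(text: str) -> dict:
    """Map certificate nickname -> {field: value} for each tracking request block."""
    certs, current = {}, {}
    for line in text.splitlines():
        if line.startswith("Request ID"):
            current = {}                      # a new request block starts here
            continue
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                          # blank or non-field line
        current[key.strip()] = value.strip()
        nick = re.search(r"nickname='([^']*)'", value) if key == "certificate" else None
        if nick:
            certs[nick.group(1)] = current    # same dict, so later fields still land in it
    return certs

def find_problems(master_out: str, replica_out: str) -> list:
    """Flag requests on the non-renewal master that are stuck, erroring, or stale."""
    master, replica = parse_getcert_list(master_out), parse_getcert_list(replica_out)
    problems = []
    for nick, f in replica.items():
        if f.get("status") == "CA_WORKING":
            problems.append(f"{nick}: still CA_WORKING, waiting on renewal master/replication")
        if "ca-error" in f:
            problems.append(f"{nick}: ca-error: {f['ca-error']}")
        m_exp = master.get(nick, {}).get("expires")
        if m_exp and m_exp != f.get("expires"):
            problems.append(f"{nick}: expires {f.get('expires')} here vs {m_exp} on renewal master")
    return problems
```

Run it against the output of getcert list from each host; an expiry that differs from the renewal master's means the renewed certificate has not yet been picked up from LDAP by this host.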