hi,
sorry for the delay, priorities shifted a bit.
Let's see, the serial # and validity of the cert in the kdc with problems:
- note the serial ID of the cert, its subject and issuer:
[root@kdc2 ~]# openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
Validity
Not Before: Dec 15 13:58:44 2017 GMT
Not After : Dec 5 13:58:44 2019 GMT
Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
So it looks like this did not get renewed
# ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
<snip>
dn: uid=ipara,ou=people,o=ipaca
description: 2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA
RA,O=SUB.DOMAIN.TLD
IT
cn: ipara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
userCertificate:: <snip>
userCertificate:: <snip>
userstate: 1
usertype: agentType
sn: ipara
uid: ipara
So I have two userCertificates, the first one is the one in the file system
on the broken kdc in /var/lib/ipa/ra-agent.pem.
The second one is the one in the working kdc.
The serial number is the one on the certificate on the working kdc, which
was renewed on Nov 8th successfully.
So do I need to copy the ra-agent.pem and key from the working kdc to the
broken kdc?
--
Groeten,
natxo
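The comparison done by hand above (cert serial from openssl versus the `description` attribute on `uid=ipara`) can be scripted so it is repeatable across replicas. The following is an added example, not code from the original message or from FreeIPA itself; it assumes the `description` value has the `version;serial;issuer;subject` layout shown in the ldapsearch output, compares DNs as unordered sets of RDN strings (a simplification that does not handle escaped commas), and embeds constructed sample input based on the values in the message.

```python
import re

# Constructed sample: `openssl x509 -noout -text` output for the RA agent
# cert, with the values quoted in the message (serial 7).
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
        Validity
            Not Before: Dec 15 13:58:44 2017 GMT
            Not After : Dec  5 13:58:44 2019 GMT
        Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
"""

# Constructed sample: ldapsearch LDIF for uid=ipara. The description is
# wrapped the way LDIF does it (continuation line starts with one space;
# the second space is the real space inside "IPA RA").
SAMPLE_LDIF = """\
dn: uid=ipara,ou=people,o=ipaca
description: 2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA
  RA,O=SUB.DOMAIN.TLD
cn: ipara
uid: ipara
"""


def unwrap_ldif(ldif_text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_values(ldif_text, attr):
    """Return every value of `attr` in the (unwrapped) LDIF text."""
    prefix = attr + ": "
    return [line[len(prefix):] for line in unwrap_ldif(ldif_text) if line.startswith(prefix)]


def parse_openssl_serial(text):
    """Serial as int from openssl text output: decimal "7 (0x7)" or colon-hex form."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*\n\s*([0-9a-fA-F:]+)", text)
    if m:
        return int(m.group(1).replace(":", ""), 16)
    raise ValueError("no serial number found in openssl output")


def normalize_dn(dn):
    # Simplified: split on commas and ignore order, since openssl prints
    # "O=..., CN=..." while the LDAP description stores "CN=...,O=...".
    return frozenset(part.strip() for part in dn.split(","))


def parse_description(desc):
    """Parse 'version;serial;issuer;subject' as stored on the ipara entry (assumed layout)."""
    parts = desc.split(";")
    if len(parts) != 4:
        raise ValueError("unexpected description layout: %r" % desc)
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def check_ra_agent(openssl_text, ldif_text):
    """Compare the on-disk RA cert with each description value on the LDAP user."""
    cert_serial = parse_openssl_serial(openssl_text)
    cert_issuer = re.search(r"^\s*Issuer:\s*(.+)$", openssl_text, re.M).group(1)
    cert_subject = re.search(r"^\s*Subject:\s*(.+)$", openssl_text, re.M).group(1)
    entries = []
    for desc in ldif_values(ldif_text, "description"):
        d = parse_description(desc)
        entries.append({
            "ldap_serial": d["serial"],
            "serial_matches": d["serial"] == cert_serial,
            "identity_matches": (normalize_dn(d["issuer"]) == normalize_dn(cert_issuer)
                                 and normalize_dn(d["subject"]) == normalize_dn(cert_subject)),
        })
    # ok only if some entry carries both the same serial and the same issuer/subject
    return {"cert_serial": cert_serial, "entries": entries,
            "ok": any(e["serial_matches"] and e["identity_matches"] for e in entries)}


if __name__ == "__main__":
    print(check_ra_agent(SAMPLE_OPENSSL_TEXT, SAMPLE_LDIF))
```

On the sample input the issuer and subject match but the serial does not (7 on disk, 80 in LDAP), which is exactly the "cert on disk was not renewed" situation described in the message; run it with the real openssl and ldapsearch output from each KDC to see which replica's file matches the entry.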