On Mon, Mar 25, 2019 at 01:37:00PM -0400, Rob Crittenden via FreeIPA-users wrote:
Jeff Goddard via FreeIPA-users wrote:
> Hello everyone and thanks for providing the FreeIPA platform.
>
> I've got a situation where I have 4 FreeIPA peer servers, with 2 of them
> being CAs with replication configured. These are split into 2 physical
> locations with 1 CA per site. I was testing renewal of the
> "nickname='subsystemCert cert-pki-ca'" certificate in one of my sites by
> issuing ipa-getcert resubmit -i [cert ID#]. Now this certificate seems
> to be stuck with a status of CA_Working. Since it's been over 4 hours
> since I submitted the request I'm wondering if something went wrong and
> where I can begin looking to troubleshoot. I tried running
> ipa-certupdate to sync from the other CA master and it completed
> successfully. The original certificate was not expired and other than
> the "CA Working" status there are no apparent problems. The server is
> version 4.6.4 running on CentOS 7.4. Do I have reason to be concerned or
> is this expected behavior?
Only the CA renewal master actually renews certificates. I'm going to assume
this particular host is not that, which means it is waiting for some other
host to do the renewal and stuff the updated certificate into a location in
LDAP which this will eventually pick up and install.
As long as replication is working properly ;)
Also just to clarify: each CA server will renew host-specific
certificates on its own (HTTPS, LDAPS and KDC certificates). But
shared certificates (Dogtag system certs and IPA RA) are only
renewed on the renewal master.
Cheers,
Fraser
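A quick way to apply the rule from the two replies above on a given CA server, as an added example that is not part of the thread and not FreeIPA's own tooling: it parses `getcert list` and `ipa config-show` output, and reports each CA_WORKING request as "expected" (a shared cert on a host that is not the renewal master, so it will arrive via LDAP replication) or "investigate" (a host-specific cert, or a shared cert on the renewal master itself). Constructed sample output with made-up request IDs and host names is embedded so it runs offline; the list of shared-certificate nicknames beyond `subsystemCert cert-pki-ca` is an assumption to verify against your own `getcert list`.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Applies the rule:
# a shared cert in CA_WORKING on a non-renewal-master is expected (the master
# renews it and this host picks it up from LDAP); anything else deserves a look.

# Shared certificate nicknames. subsystemCert comes from the thread; the
# others are an ASSUMPTION about the Dogtag system certs and the IPA RA cert.
# Confirm against `getcert list` on your own CA before relying on this list.
SHARED_NICKS='subsystemCert cert-pki-ca|auditSigningCert cert-pki-ca|ocspSigningCert cert-pki-ca|caSigningCert cert-pki-ca|ipaCert'

# Read `getcert list` output on stdin; print "<request id> <nickname>" for
# each tracked request whose status is CA_WORKING.
ca_working_requests() {
  awk -v q="'" '
    /^Request ID/            { id = $3; gsub("[:" q "]", "", id) }
    /^[[:space:]]*status:/   { st = $2 }
    /nickname=/ {
      n = $0; sub(".*nickname=" q, "", n); sub(q ".*", "", n)
      if (st == "CA_WORKING") print id, n
    }'
}

# Read `ipa config-show` output on stdin; print the renewal master's FQDN.
renewal_master() {
  awk -F': *' '/IPA CA renewal master:/ { print $2 }'
}

# classify NICKNAME THIS_HOST RENEWAL_MASTER -> "expected" | "investigate"
classify() {
  if printf '%s\n' "$1" | grep -qxE "$SHARED_NICKS"; then
    if [ "$2" = "$3" ]; then
      echo investigate   # we are the master and the cert is still not renewed
    else
      echo expected      # waiting for the master's renewal to replicate
    fi
  else
    echo investigate     # host-specific cert: this host renews it itself
  fi
}

# Constructed sample output standing in for the live commands, so the script
# runs offline. Request IDs and host names are made up.
SAMPLE_GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20190325170000':
	status: CA_WORKING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
Request ID '20190325170001':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA"
SAMPLE_CONFIG="  IPA CA renewal master: ipa-site2.example.test"
SAMPLE_HOST="ipa-site1.example.test"

# Use live output when the tools are present, otherwise the samples.
if command -v getcert >/dev/null 2>&1 && command -v ipa >/dev/null 2>&1; then
  getcert_out=$(getcert list 2>/dev/null || true)
  config_out=$(ipa config-show 2>/dev/null || true)
  this_host=$(hostname -f)
else
  getcert_out=$SAMPLE_GETCERT
  config_out=$SAMPLE_CONFIG
  this_host=$SAMPLE_HOST
fi

master=$(printf '%s\n' "$config_out" | renewal_master)
echo "this host: $this_host   renewal master: ${master:-unknown}"
printf '%s\n' "$getcert_out" | ca_working_requests | while read -r id nick; do
  echo "$id  $nick  -> $(classify "$nick" "$this_host" "$master")"
done
```

On a real server the live branch needs a Kerberos ticket for `ipa config-show`; if the renewal master comes back as "unknown", check that before reading anything into the verdicts, since a shared cert is only "expected" to sit in CA_WORKING when a different host is known to be the master and replication from it is healthy.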