Thanks!

On Sun, Dec 22, 2019 at 11:13 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
4. On the other replicas, check that the certificate has been properly
installed in the NSS database /etc/httpd/alias/ or in
/var/lib/ipa/ra-agent.pem.
If it's not the case, you can manually install the cert or call getcert
resubmit -i <ID of the tracking for RA agent>
Make sure that the request completed successfully with
$ getcert list -i <ID>
(the status must be: MONITORING)

The ID can be found with:
getcert list -f /var/lib/ipa/ra-agent.pem
or
getcert list -n ipaCert

So on my renewal master, this was the cert:

$ sudo getcert list -i 20180929065626
Number of certificates and requests being tracked: 9.
Request ID '20180929065626':

but on the broken replica:

$ sudo getcert resubmit -i 20180929065626
No request found with specified nickname.

However, copying the file over worked. Thanks!

Hopefully, this will now be googleable, although I'd humbly suggest that this could be documented somewhere? (and it would be brilliant if the ipa-healthcheck output pointed to it).

Cheers,

Álex
--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
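
The exchange above turns on certmonger request IDs being local to each host, so an ID read on the renewal master does not exist on a replica. The following sketch is an added example, not part of the original message or of FreeIPA: it resolves the ID from the certificate path on the local host and reports the status. The function names and the sample `getcert list` output (including its IDs and the httpd path) are constructed for illustration.

```shell
#!/bin/sh
RA_CERT=/var/lib/ipa/ra-agent.pem   # path quoted in the thread

# Read `getcert list` output on stdin and print "<request-id> <status>" for
# the request tracking certificate file $1. Returns 1 if nothing tracks it.
ra_request() {
    awk -v cert="$1" -v q="'" '
        $1 == "Request" && $2 == "ID" { id = $3; gsub("[" q ":]", "", id); status = "" }
        $1 == "status:"               { status = $2 }
        $1 == "certificate:" && index($0, "location=" q cert q) {
            print id, status; found = 1
        }
        END { exit !found }
    '
}

# Succeeds only when the request tracking $1 is in MONITORING state.
# Returns 2 when the certificate is not tracked on this host at all.
ra_is_monitoring() {
    out=$(ra_request "$1") || return 2
    [ "${out#* }" = "MONITORING" ]
}

# Constructed sample of `getcert list` output from a hypothetical replica.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20190101000001':
    status: CA_UNREACHABLE
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Request ID '20190101000002':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
EOF
}

# On a real host, run on each replica:  sudo getcert list | ra_request "$RA_CERT"
sample_getcert_list | ra_request "$RA_CERT"
```

The ID printed on one host is the one to pass to `getcert resubmit -i` on that same host only.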