On 06/25/2018 01:59 PM, Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
>
> The node 1 is the Renewal Master
>
> --
> ldapsearch -D cn=directory\ manager -W -LLL -b cn=masters,cn=ipa,cn=etc,BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> Enter LDAP Password:
> dn: cn=CA,cn=<<ipa1.fqdn>>,cn=masters,cn=ipa,cn=etc,BASEDN
> --

OK, so we know that your host node1 is the renewal master and it has 4
expired certificates. What is the full output of getcert list?
The journal will show why it was not able to renew them:
# journalctl -u certmonger
Can you also provide the version of FreeIPA you are using, and the one
you had before the upgrade? (can be found in /var/log/ipaupgrade.log
with the string "IPA version 4.xx", this file keeps the whole upgrade
history).
Flo
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:flo@redhat.com]
Sent: Monday, 25 June 2018 12:53
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade
doesn't complete, pki-tomcatd won't start
On 06/25/2018 07:48 AM, Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
>
> gssproxy up and running
>
> --
> systemctl status gssproxy
> ● gssproxy.service - GSSAPI Proxy Daemon
> Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
> Active: active (running) since Fri 2018-06-15 12:58:24 EEST; 1 weeks 2 days ago
> Process: 3807 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
> --
>
> Also seems like there's some default configuration of gssproxy, no ipa.conf (googling said that there should probably be also ipa.conf?).
>
> --
> ls /etc/gssproxy/
> 24-nfs-server.conf 99-nfs-client.conf gssproxy.conf
> --
>
Hi,
you are indeed missing the file /etc/gssproxy/10-ipa.conf, and this file should be
created during ipa-server-upgrade, but after the step restarting pki-tomcat.
So let's go back to our initial goal: finding which master is the renewal master. You can use a ldapsearch query to find out the renewal master:

# ldapsearch -D cn=directory\ manager -W -LLL -b cn=masters,cn=ipa,cn=etc,$BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
Enter LDAP Password:
dn: cn=CA,cn=myrenewalmaster.domain.com,cn=masters,cn=ipa,cn=etc,$BASEDN

(replace BASEDN with your own setting that can be found in /etc/ipa/default.conf)
Flo
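
The renewal-master lookup from this thread as a small script. This is an added example, not part of the original messages: it reads the `basedn` key from /etc/ipa/default.conf, runs the same ldapsearch, and extracts the master's FQDN from the returned DN. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample data below are constructed.

# Print the basedn value from an IPA default.conf-style file.
ipa_basedn() {
    sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Build the search base used in the thread from a base DN.
masters_base() {
    printf 'cn=masters,cn=ipa,cn=etc,%s\n' "$1"
}

# Read "ldapsearch -LLL" output on stdin and print the FQDN of each
# master whose CA entry was returned by the caRenewalMaster filter.
renewal_master_from_ldif() {
    # LDIF folds long lines: a continuation starts with one space. Unfold first.
    awk '
        /^ / { line = line substr($0, 2); next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    ' | sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,cn=ipa,cn=etc,.*$/\1/p'
}

# Run the query from the thread against the local directory server.
# Prompts for the Directory Manager password (-W).
find_renewal_master() {
    conf=${1:-/etc/ipa/default.conf}
    basedn=$(ipa_basedn "$conf")
    [ -n "$basedn" ] || { echo "no basedn found in $conf" >&2; return 1; }
    ldapsearch -D 'cn=directory manager' -W -LLL \
        -b "$(masters_base "$basedn")" \
        '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn | renewal_master_from_ldif
}

# Constructed sample of folded ldapsearch output, for offline checking.
SAMPLE_LDIF='dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=exam
 ple,dc=test
'
```

Source the file and call `find_renewal_master` on any IPA master; an empty result means no CA entry carries the caRenewalMaster flag.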