Jeff Goddard via FreeIPA-users wrote:
Hello everyone and thanks for providing the FreeIPA platform.
I've got a situation where I have 4 FreeIPA peer servers, with 2 of them
being CAs with replication configured. These are split into 2 physical
locations with 1 CA per site. I was testing renewal of the
"nickname='subsystemCert cert-pki-ca" certificate in one of my sites by
issuing ipa-getcert resubmit -i [cert ID#]. Now this certificate seems
to be stuck with a status of CA_Working. Since it's been over 4 hours
since I submitted the request I'm wondering if something went wrong and
where I can begin looking to troubleshoot. I tried running
ipa-certupdate to sync from the other CA master and it completed
successfully. The original certificate was not expired and other than
the "CA Working" status there are no apparent problems. The server is
version 4.6.4 running on CentOS 7.4. Do I have reason to be concerned or
is this expected behavior?

Only the CA renewal master actually renews certificates. I'm going to
assume this particular host is not that, which means it is waiting for
some other host to do the renewal and stuff the updated certificate into
a location in LDAP which this will eventually pick up and install.
rob
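
The check described in the reply above, as an added example that is not part of the original thread: it lists certmonger requests in CA_WORKING and compares the local host with the CA renewal master. The sample output and the host names are constructed, and the example assumes that `ipa config-show` prints an "IPA CA renewal master" line.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (not taken from the thread).
SAMPLE_GETCERT="Request ID '20180101000001':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
Request ID '20180101000002':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent"
# Constructed sample of `ipa config-show` output (assumed line format).
SAMPLE_CONFIG="  Maximum username length: 32
  IPA CA renewal master: ipa1.example.test"

# stdin: getcert list output. Prints "<request id> <nickname>" for each
# tracked request whose status is CA_WORKING.
working_requests() {
    awk -F"'" '
        /^Request ID/       { id = $2; working = 0 }
        /status: CA_WORKING/ { working = 1 }
        /nickname=/ && working {
            for (i = 1; i < NF; i++)
                if ($i ~ /nickname=$/) print id, $(i + 1)
            working = 0
        }'
}

# stdin: ipa config-show output. Prints the renewal master's host name.
renewal_master() {
    sed -n 's/^ *IPA CA renewal master: *//p'
}

# $1 = this host's FQDN, $2 = getcert list output, $3 = ipa config-show output
explain() {
    master=$(printf '%s\n' "$3" | renewal_master)
    printf '%s\n' "$2" | working_requests | while read -r id nick; do
        if [ "$1" = "$master" ]; then
            echo "$id ($nick): this host is the renewal master, the renewal is done here"
        else
            echo "$id ($nick): waiting for renewal master $master to renew and publish the certificate"
        fi
    done
}

# On a real server (as root, with a Kerberos ticket):
#   explain "$(hostname -f)" "$(getcert list)" "$(ipa config-show)"
explain ipa2.example.test "$SAMPLE_GETCERT" "$SAMPLE_CONFIG"
```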