David Harvey via FreeIPA-users wrote:
Dear ipa-users,
I've recently observed a pattern where adding a host certificate to a host only shows the association in the GUI for the server which issues the cert. I'm running FreeIPA 4.4.4.
I request a certificate from the host(s) in question with something like:
ipa-getcert request -f /path -k /path -r
All IPA servers show the cert as being issued and valid on the certificates page. Visiting "https://myserver/ipa/ui/#/e/host/details/hostname.fqdn" shows a host certificate from the machine that issued the cert. Visiting the same host page from other IPA servers does not show the host cert associated. Users and hosts continue to synchronise, as do other cert details!
I can manually associate the host to the cert on other servers using the "add" button in the Host certificate section of the host page, but this feels wrong. Any ideas on how to troubleshoot this? It feels like the CAs don't quite get which one is in charge, and could be a result of me tearing down the original Ubuntu-based ones to replace with Fedora, or a mistake I have made whilst doing so.
I'd still check for replication issues.
Are you sure the host entries in LDAP are the same between the different masters?
Can you look in /var/log/httpd/error_log to see if anything is being logged when the certificate is not showing?
rob
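One way to do the check Rob suggests (whether the host entry really carries the same userCertificate values on every master), as an added example that is not part of this thread: a POSIX shell script that pulls the host entry from each master with ldapsearch and compares the certificate values as plain strings. The master names, host name, base DN and the embedded sample LDIF are assumed or constructed, not taken from the thread.

```shell
# Added example (not from the thread): compare a host's userCertificate values
# across IPA masters to check whether the LDAP entry really replicated.
# Assumptions: the host entry DN follows FreeIPA's layout
#   fqdn=<host>,cn=computers,cn=accounts,<base DN>
# and you hold a Kerberos ticket for GSSAPI binds (kinit admin).

# Join LDIF continuation lines (leading space) back onto their attribute line.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }'
}

# Print the base64 value of every userCertificate attribute in an LDIF text,
# sorted, so the sets from two masters can be compared as plain strings.
cert_values() {
  printf '%s\n' "$1" | unfold_ldif \
    | grep -i '^usercertificate' | sed 's/^[^:]*:: *//' | sort
}

# Real query against one master; returns the host entry as LDIF.
fetch_host_entry() {   # $1 master fqdn, $2 host fqdn, $3 base DN
  ldapsearch -LLL -Y GSSAPI -H "ldap://$1" \
    -b "fqdn=$2,cn=computers,cn=accounts,$3" userCertificate 2>/dev/null
}

# 0 if both LDIF texts carry the same certificate set, 1 otherwise.
certs_match() {
  [ "$(cert_values "$1")" = "$(cert_values "$2")" ]
}

# Report every master whose copy differs from the first master listed.
check_masters() {      # $1 host fqdn, $2 base DN, remaining args: masters
  host=$1; base=$2; shift 2; first=$1; ref=$(fetch_host_entry "$1" "$host" "$base")
  for m in "$@"; do
    if certs_match "$ref" "$(fetch_host_entry "$m" "$host" "$base")"; then
      echo "$m: same certificate set as $first"
    else
      echo "$m: DIFFERS from $first (entry did not replicate, or was changed locally)"
    fi
  done
}

# Constructed sample LDIF, not real certificate data: master A carries the
# cert (folded over two lines), master B has the entry but no certificate.
SAMPLE_A='dn: fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test
userCertificate;binary:: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
 QUJDREVGR0hJSg=='
SAMPLE_B='dn: fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test'
```

Run it as `check_masters host1.example.test dc=example,dc=test master1.example.test master2.example.test`; a master reported as DIFFERS is the one whose replication agreement to check next.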