Hi,

on the ipa.dom.loc server, the following certs are expired:

auditSigningCert cert-pki-ca (2024-12-01)
ocspSigningCert cert-pki-ca (2024-12-01)
subsystemCert cert-pki-ca (2024-12-01)
ipaCert (2024-12-01)
Server-Cert cert-pki-ca (2024-12-01)

on the ipa2.dom.loc server, the following certs are expired:

auditSigningCert cert-pki-ca (2024-11-19)
ocspSigningCert cert-pki-ca (2024-11-19)
subsystemCert cert-pki-ca (2024-11-19)
ipaCert (2024-11-19)

If both masters are part of the same topology, there clearly is an issue as the certs (except Server-Cert cert-pki-ca) should be identical on both machines.

Are they replicating to each other?

You need to find the CA renewal master:

# kinit admin

# ipa config-show

Then start by repairing this server. You can follow https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline

HTH,

flo

On Mon, Dec 9, 2024 at 6:25 AM Dmitry Krasov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello Rob.
is there enough information?
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue