We have two replica servers, sl1mmgplidm0001 and sl1mmgplidm0002.
sl1mmgplidm0001 is functioning as the CRL master and has no issues.
[root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: sl1mmgplidm0001
[root@sl1mmgplidm0001 ~]#
[root@sl1mmgplidm0001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0001 ~]#
sl1mmgplidm0002 has an issue where the pki-tomcat process will not start due to an expired
cert. The certmonger request for its server cert reports a CA_UNREACHABLE error:
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be
authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA
subject: CN=sl1mmgplidm0002,O=IPA
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
[root@sl1mmgplidm0002 ~]#
I tried running the renew_ca_cert command and "getcert resubmit -i" against this request, with no luck.
Any thoughts?
I am also considering reinstalling this replica, since it is not the CRL master.
Thanks,
Farhad Sayfiddin