Dear flo,

Thanks for the update.

The IPA services are probably stopped. Can you try
# ipactl start --ignore-service-failures

That has, I believe, worked as desired and I can now kinit on the first server.

Cut and paste


        # ipactl start --ignore-service-failures
        Existing service file detected!
        Assuming stale, cleaning and proceeding
        Starting Directory Service
        Starting krb5kdc Service
        Starting kadmin Service
        Starting ipa_memcached Service
        Starting httpd Service
        Failed to start httpd Service
        Forced start, ignoring httpd Service, continuing normal operation
        Starting ipa-custodia Service
        Starting ntpd Service
        Starting pki-tomcatd Service
        ^Z
        [1]+  Stopped                 ipactl start --ignore-service-failures
        [root@freeipa01 sm]# bg
        [1]+ ipactl start --ignore-service-failures &

        [root@freeipa01 sm]# kinit sm
        Password for sm@OUR_DOMAIN
        [root@freeipa01 sm]# klist
        Ticket cache: KEYRING:persistent:0:0
        Default principal: sm@OUR_DOMAIN

        Valid starting     Expires            Service principal
        09/09/20 14:29:14  10/09/20 14:29:08  krbtgt/OUR_DOMAIN@OUR_DOMAIN

        Meanwhile in the background comes

        Failed to start pki-tomcatd Service
        Forced start, ignoring pki-tomcatd Service, continuing normal operation
        Starting ipa-otpd Service
        ipa: INFO: The ipactl command was successful

        [1]+  Done                    ipactl start --ignore-service-failures


# ldapsearch -H ldap://`hostname` -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

This should return an entry dn which contains the name of the renewal
master, for instance:
dn: cn=CA,cn=hostname.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

That does indeed return our first server 01 as I hoped.

        dn: cn=CA,cn=freeipa01... etc


Warning: if replication got broken, the result may be different on
other servers. Make sure all the nodes have the same view of who is the CA
renewal master.

I have checked on the other two production freeipa servers and all point to the first.

Once you identify the CA renewal master, the repair procedure needs to
be applied on this node first.

Okay, so I think I need to book a repair slot as I assume our authentication
will fail during the time travel.

Thanks

Best wishes

Stuart
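The check flo asks for above (every master must report the same CA renewal master) is easy to get wrong by eye when reading three ldapsearch outputs. Below is an added example, not code from this thread or from the FreeIPA project, that parses the dn returned by the posted search and refuses to declare agreement unless every server names the same, non-empty host. The hostnames, the sample LDIF and the password-file path `DM_PW_FILE` are constructed assumptions; the live query function reuses the exact search flo posted and assumes the IPA client's ldap.conf supplies the search base, as it does on an enrolled master.

```shell
#!/bin/sh
# Added example (not from the thread): parse the renewal-master ldapsearch
# output and check that every IPA master names the same host.
# Hostnames and LDIF below are constructed sample data.

# Extract the renewal master's hostname from LDIF of the form
#   dn: cn=CA,cn=<host>,cn=masters,cn=ipa,cn=etc,dc=...
# Prints nothing if no matching entry was returned.
renewal_master_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,.*/\1/p' | head -n 1
}

# Live query of one server: the same search flo posted, except that -y reads
# the Directory Manager password from a file instead of prompting, so a loop
# over servers can run unattended. DM_PW_FILE is an assumed path.
query_renewal_master() {
    ldapsearch -H "ldap://$1" -LLL -o ldif-wrap=no -D 'cn=Directory Manager' \
        -y "${DM_PW_FILE:-/root/.dm_pw}" \
        '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
}

# $1: lines of "<server queried> <renewal master it reports>", one per
# server; a line with only a server name means that server returned no
# renewal master at all. Returns 0 only when every server reports the
# same non-empty host; otherwise explains on stderr and returns 1.
check_agreement() {
    masters=$(printf '%s\n' "$1" | awk 'NF==2 {print $2; next} NF==1 {print "NONE"}')
    if printf '%s\n' "$masters" | grep -q '^NONE$'; then
        echo "at least one server reports no CA renewal master" >&2
        return 1
    fi
    distinct=$(printf '%s\n' "$masters" | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -ne 1 ]; then
        echo "servers disagree on the CA renewal master:" >&2
        printf '%s\n' "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample output: three servers that all agree on freeipa01.
SAMPLE_01='dn: cn=CA,cn=freeipa01.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com'
SAMPLE_02="$SAMPLE_01"
SAMPLE_03="$SAMPLE_01"

# Build the per-server report from the constructed samples.
sample_report() {
    printf '%s %s\n%s %s\n%s %s\n' \
        freeipa01 "$(renewal_master_from_ldif "$SAMPLE_01")" \
        freeipa02 "$(renewal_master_from_ldif "$SAMPLE_02")" \
        freeipa03 "$(renewal_master_from_ldif "$SAMPLE_03")"
}

# Live run against real masters (uncomment and adjust hostnames):
# report=$(for h in freeipa01 freeipa02 freeipa03; do
#     printf '%s %s\n' "$h" "$(renewal_master_from_ldif "$(query_renewal_master "$h")")"
# done)
# check_agreement "$report" && echo "all masters agree: $(printf '%s\n' "$report" | awk 'NR==1 {print $2}')"
```

A server that returns no entry is treated as a failure rather than ignored, because on a node whose replication has drifted the search can come back empty even though the other masters still agree; that is exactly the case the warning above is about, and it has to be sorted out before running the repair on the renewal master.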
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org