Dear All,
Thanks to everyone for their help with this.
In summary, the problem was an inconsistency between the certificate stored
in a file and in LDAP, as described at the bottom of flo's blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
Once that was corrected, certificates could then finally be renewed.
I also found some (not all) certificates on our other freeipa servers had
recently become stuck with Submitting status and had also expired. These
have now been renewed by again changing time back to when they were still
valid and resubmitting the renewal request.
However, afterwards, whilst checking the number of accounts with "ipa
user-find" on each freeipa server, I found an inconsistency, with one user
present on some but not all freeipa servers. This understandably triggers an
error when attempting to update that user on a server with the account
present:
Operations Error
Some operations failed.
Hide details
XXX: user not found
when, I assume, attempting to update the others.
Is there a good way to correct this and ensure consistency is fully
restored?
Thanks
Best wishes
Stuart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org