On 9/17/20 10:12 PM, Stuart McRobert via FreeIPA-users wrote:
> Dear All,
>
> Thanks to everyone for their help with this.
>
> In summary the problem was an inconsistency between the certificate
> stored in a file and in ldap, as described at the bottom of flo's blog:
>
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
> Once that was corrected certificates could then finally be renewed.
>
> I also found some (not all) certificates on our other freeipa servers
> had recently become stuck with Submitting status and had also expired.
> These have now been renewed by again changing time back to when they
> were still valid and resubmitting the renewal request.
>
> However afterwards whilst checking the number of accounts with "ipa
> user-find" on each freeipa server I found an inconsistency with one user
> present on some but not all freeipa servers. Understandably triggering
> an error when attempting to update that user on a server with the
> account present:
>
>   Operations Error
>   Some operations failed.
>   Hide details
>   XXX: user not found
>
> when I assume attempting to update the others.
>
> Is there a good way to correct this and ensure consistency is fully
> restored?

Hi,

I would start with this wiki:
https://www.freeipa.org/page/Troubleshooting/Directory_Server

You need to check if the replication is halted or if it is a replication
conflict. Depending on the conclusion:

- solving common replication conflicts:
  https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-solving_common_replication_conflicts

or

- troubleshooting replication-related problems:
  https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-troubleshooting_replication_related_problems

HTH,
flo

> Thanks
>
> Best wishes
>
> Stuart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
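
The check suggested in the reply above (halted replication versus a replication conflict), as an added example that is not part of the original thread or of FreeIPA: it compares an LDIF export of the users subtree taken from each replica and reports which uids a host lacks and which entries carry `nsds5ReplConflict`. The hostnames, uids, LDIF text and the function names `parse_ldif` and `compare` are constructed for illustration.

```python
import re

# Constructed LDIF, one export of the users subtree per replica.
# Hostnames, uids and the nsuniqueid value are placeholders.
ALICE = "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\nuid: alice\n"
BOB = "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\nuid: bob\n"
BOB_CONFLICT = (
    "dn: nsuniqueid=PLACEHOLDER+uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
    "uid: bob\n"
    "nsds5ReplConflict: namingConflict uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
)
SAMPLE = {
    "ipa1.example.test": ALICE + "\n" + BOB,
    "ipa2.example.test": ALICE,
    "ipa3.example.test": ALICE + "\n" + BOB_CONFLICT,
}


def parse_ldif(text):
    """Return (uids, conflict_dns) from unfolded, plain-text LDIF."""
    uids, conflicts = set(), []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "nsds5replconflict" in attrs:
            # 389-ds marks conflict entries with this operational attribute.
            conflicts.append(attrs.get("dn", ["?"])[0])
        else:
            uids.update(attrs.get("uid", []))
    return uids, conflicts


def compare(servers):
    """Map each host to the uids it lacks and to its conflict entry DNs."""
    parsed = {host: parse_ldif(ldif) for host, ldif in servers.items()}
    all_uids = set().union(*(uids for uids, _ in parsed.values()))
    missing = {h: sorted(all_uids - u) for h, (u, _) in parsed.items() if all_uids - u}
    conflicts = {h: c for h, (_, c) in parsed.items() if c}
    return missing, conflicts


if __name__ == "__main__":
    missing, conflicts = compare(SAMPLE)
    for host in sorted(SAMPLE):
        print(host, "missing:", missing.get(host, []), "conflicts:", conflicts.get(host, []))
```

As a rule of thumb, a host that lacks a uid but holds a conflict entry for it is a candidate for the conflict-resolution guide, while a host that simply lacks it is a candidate for the replication troubleshooting guide.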