Jan Bundesmann via FreeIPA-users wrote:

> (Last mail wasn't sent to mailing list - bad settings of my mail client,
> sorry for that).
>
> So, replication is working and there is indeed a new certificate for IPA RA.
> Can this be from the renewal cycle on ldap1.

Yes. Only one server does the renewal through the CA, the so-called CA Renewal Master. The result of the renewal is put into LDAP to be shared with the other IPA servers. It sounds like this happened as expected.

> But isn't this some kind of chicken-egg-problem now? Apparently ldap2 cannot
> talk to the CA and as a consequence I cannot query certificate contents on
> ldap2. getcert resubmit puts me back in the status of CA_WORKING.

It's not because communication with the CA is not necessary in order to retrieve the updated certificate as it is stored within the IPA LDAP tree.

> Would adding it manually to the database in /etc/httpd/alias work? Or can I
> put in some other place to make the "dogtag-ipa-ca-renew-agent" aware of the
> new certificate?

It's possible, sure. I'd also suggest checking the journal for certmonger messages to perhaps get a better idea of what is going on. The 389-ds access log will show you whether certmonger is searching for the updated cert.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
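The check Rob suggests, reading the 389-ds access log to see whether certmonger on the non-renewal-master actually searched LDAP for the renewed certificate, as an added shell example that is not part of the thread. It assumes the renewed certificates are published under `cn=ca_renewal,cn=ipa,cn=etc,<suffix>` (the `ipaCert` nickname and the `dc=example,dc=test` suffix are constructed), and the sample log lines are constructed, not real log data. It distinguishes three outcomes the thread's diagnosis hinges on: certmonger never searched (a local certmonger or tracking-request problem), it searched but the entry was empty (replication or renewal-master problem), or it searched and found the entry.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Live commands for the same
# diagnosis (run on the affected server, output not parsed here):
#   ipa config-show                 # shows which server is the IPA CA renewal master
#   getcert list                    # tracking requests, status and CA helper in use
#   journalctl -u certmonger        # certmonger's own renewal messages
# Assumption: renewed certs are published at cn=<nick>,cn=ca_renewal,cn=ipa,cn=etc,<suffix>.

# Constructed 389-ds access-log excerpt (not real data): one renewal lookup by
# certmonger on conn=12, plus an unrelated user search on conn=13.
SAMPLE_LOG='[14/Feb/2020:10:00:01 +0000] conn=12 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Feb/2020:10:00:01 +0000] conn=12 op=2 SRCH base="cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="usercertificate"
[14/Feb/2020:10:00:01 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0.001
[14/Feb/2020:10:00:05 +0000] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(uid=jan)" attrs="ALL"
[14/Feb/2020:10:00:05 +0000] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0.000'

# Count SRCH operations against the renewal subtree in the log text on stdin.
# grep -c exits 1 when the count is 0; "|| true" keeps the count as the result.
count_renewal_searches() {
    grep -c 'SRCH base="[^"]*cn=ca_renewal,cn=ipa,cn=etc' || true
}

# Classify the log on stdin as one of:
#   not-searched    no lookup of the renewal subtree at all
#   searched-empty  lookup happened but the RESULT returned nentries=0
#   searched-found  lookup happened and at least one entry came back
# The SRCH and its RESULT are matched on the conn=N op=M pair.
renewal_search_status() {
    awk '
      /SRCH base="[^"]*cn=ca_renewal,cn=ipa,cn=etc/ {
          for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) c = $i; else if ($i ~ /^op=/) o = $i
          pending[c " " o] = 1; searched = 1
      }
      /RESULT/ {
          n = 0
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^conn=/) c = $i
              else if ($i ~ /^op=/) o = $i
              else if ($i ~ /^nentries=/) n = substr($i, 10)
          }
          if ((c " " o) in pending && n + 0 > 0) found = 1
      }
      END {
          if (!searched) print "not-searched"
          else if (!found) print "searched-empty"
          else print "searched-found"
      }
    '
}

# Usage on the constructed sample; on a real server feed the access log instead:
#   renewal_search_status < /var/log/dirsrv/slapd-<INSTANCE>/access
printf '%s\n' "$SAMPLE_LOG" | renewal_search_status
```

A "searched-found" result means the LDAP side is fine and the problem is in certmonger picking the certificate up locally; "searched-empty" points at replication of the renewal entry from the CA renewal master; "not-searched" means certmonger on this server never asked LDAP, so the journal is the next place to look.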