Bug 1623549
Summary: | unable to renew Server-Cert certificates - error CA_UNREACHABLE | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | max_ter <massimo.terranova> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED DUPLICATE | QA Contact: | ipa-qe <ipa-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.7-Alt | CC: | abokovoy, frenaud, massimo.terranova, pvoborni, rcritten, tscherf |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-12-05 12:22:23 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
max_ter
2018-08-29 15:17:44 UTC
Could you please add /etc/sysconfig/certmonger OPTS=-d3 restart certmonger, wait a bit until certmonger settles down and provide output of journalctl -u certmonger --full for the time period since restart. Hello Alexander, We found and solved the issue: looking in ldap, in the entry cn=ipa,cn=cas,cn=ca,dc=my_site,dc=com we saw this attribute-value ipaCaId: 516f847a-ddc0-4da6-b15d-6703742b74be so, there should have been an entry like dn: cn=$ipacaid,ou=authorities,ou=ca,o=ipaca but looking under ou=authorities,ou=ca,o=ipaca, the entry had a different cn value. We aligned the first entry with the value of the entry in the ipaca part, and the problem was solved. Maybe this misalignment was due to a replication failure between the masters? Thank you. Max (In reply to Alexander Bokovoy from comment #2) > Could you please add > > /etc/sysconfig/certmonger > OPTS=-d3 > > restart certmonger, wait a bit until certmonger settles down and provide > output of > > journalctl -u certmonger --full > > for the time period since restart. Hello Alexander, We found and solved the issue: looking in ldap, in the entry cn=ipa,cn=cas,cn=ca,dc=my_site,dc=com we saw this attribute-value ipaCaId: 516f847a-ddc0-4da6-b15d-6703742b74be so, there should have been an entry like dn: cn=$ipacaid,ou=authorities,ou=ca,o=ipaca but looking under ou=authorities,ou=ca,o=ipaca, the entry had a different cn value. We aligned the first entry with the value of the entry in the ipaca part, and the problem was solved. Maybe this misalignment was due to a replication failure between the masters? Thank you. Max It is unlikely due to a replication failure (you'd then would have two different ipaCaId entries). Could you tell a bit more how these systems were installed? Rob, do you think the check for ipaCaId being correct in both cn=ipa,cn=cas,cn=ca,$SUFFIX and cn=$ipacaid,ou=authorities,ou=ca,o=ipaca would be useful for the new troubleshooting tool? If so, should we copy this bug to Pagure and close it here, since the original issue is solved by Max already. Yes, I do think it should be checked. It is part of the tool I started at https://github.com/rcritten/checkcerts So if existence in my tool, which I fully expect to be merged into something else eventually, is enough then I think we can close this BZ and track it in that upstream. The upstream ticket for health check tool is https://pagure.io/freeipa/issue/4008. The corresponding BZ is BZ 1152084. Closing this BZ as proposed in comments #c6 and #c7, as the customer issue has been solved and an upstream ticket+BZ is already tracking the check. *** This bug has been marked as a duplicate of bug 1152084 *** |