Bug 1385816 - ipa-cacert-manage renew on replica fails
Summary: ipa-cacert-manage renew on replica fails
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
Depends On:
TreeView+ depends on / blocked
Reported: 2016-10-17 18:07 UTC by Xiyang Dong
Modified: 2017-08-01 09:42 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:42:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Xiyang Dong 2016-10-17 18:07:05 UTC
Description of problem:
ipa-cacert-manage renew on replica fails

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Install IPA Master/Replica
2.ipa-cacert-manage renew on Replica

Actual results:
Renew CA Cert on Replica fails

Expected results:
Renew CA Cert on Replica succeeds

Additional info:
On replica:
[root@bkr-hv03-guest43 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20161017145558', please check the request manually

After manually resubmitting the request , it works:
[root@bkr-hv03-guest43 ~]# ipa-getcert resubmit -i 20161017145558
Resubmitting "20161017145558" to "dogtag-ipa-ca-renew-agent".
[root@bkr-hv03-guest43 ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w $ROOTDNPWD -b cn=CA,cn=$REPLICA,cn=masters,cn=ipa,cn=etc,$BASEDN | grep caRenewalMaster
ipaConfigString: caRenewalMaster

Comment 2 Petr Vobornik 2016-10-18 10:36:30 UTC
could you attach system log(certmonger logs there) for the first attempt?

Comment 8 Petr Vobornik 2016-11-04 13:44:37 UTC
Upstream ticket:

Comment 9 Petr Vobornik 2017-03-27 15:09:14 UTC
Should be fixed by patch: https://pagure.io/freeipa/c/052de43

Already part of RHEL 7.4 - went there with rebase.

Comment 11 Michal Reznik 2017-05-29 13:56:22 UTC
Verified on:


[root@master ~]# getenforce

[root@replica1 ~]# getenforce

1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder -U
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@master ~]# 

2. Install ipa-replica

[root@replica1 ~]# ipa-replica-install -U -P admin -w XXX --server master.testrelm.test -n testrelm.test --setup-ca
  [26/27]: enabling CA instance
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Restarting the KDC

3. Run ipa-cacert-manage renew

[root@replica1 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
[root@replica1 ~]#

Comment 12 errata-xmlrpc 2017-08-01 09:42:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.