I am testing CA Renewal using this:
I'm seeing a failure:
[root@f18-1 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
Sep 30 10:28:28 f18-1 systemd: Started 389 Directory Server TESTRELM-COM..
Sep 30 10:28:28 f18-1 systemd: Started 389 Directory Server PKI-IPA..
Sep 30 10:28:28 f18-1 renew_ra_cert: Updating agent entry failed: Can't contact LDAP server:
Sep 30 10:28:29 f18-1 renew_ca_cert: Updating renewal certificate failed: Error initializing principal host/f18-1.testrelm.com@TESTRELM.COM in /etc/krb5.keytab: (-1765328324, 'Generic error (see e-text)')
As far as I can tell, what happened is the ipaCert (the agent cert) was renewed successfully but we weren't able to bind to the Dogtag LDAP instance to update the ou=People entry with the new certificate.
The description of the uid=ipara user still referenced the old serial number.
I was able to reproduce this by killing the PKI-IPA instance during the renewal.
The script can be re-run now but it isn't clear that you can do that. We should do two things:
- Have the script loop and try the server a few times in the hopes it will be back up soon.
- If we can't perform an update then notify that the script can be safely re-run.
I'm not sure whether I want to try to start the service or simply wait for it to come back up.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=869663
Metadata Update from @spoore:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)
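The two behaviours proposed in this ticket (retry while the directory server is down, then say that a re-run is safe), as an added Python sketch that is not FreeIPA's code or the fix that was eventually shipped. `ServerDown`, `update_with_retry` and `demo` are hypothetical names; `ServerDown` stands in for whatever "can't contact LDAP server" exception the real bind raises.

```python
import time
import syslog


class ServerDown(Exception):
    """Hypothetical stand-in for the LDAP 'can't contact server' error."""


def update_with_retry(update, attempts=5, delay=10, sleep=time.sleep,
                      log=syslog.syslog):
    """Call update() until it succeeds or the attempts run out.

    Only ServerDown is retried. Any other error (for example bad
    credentials) propagates at once, because waiting will not fix it.
    Returns True on success, False if the server never came back.
    """
    for attempt in range(1, attempts + 1):
        try:
            update()
            return True
        except ServerDown as e:
            log("Updating agent entry failed (attempt %d/%d): %s"
                % (attempt, attempts, e))
            if attempt < attempts:
                sleep(delay)
    # Tell the admin explicitly that nothing was left half-done.
    log("Giving up: the directory server did not come back. "
        "This script can be safely re-run once it is available.")
    return False


def demo():
    """Constructed scenario: the server is down for the first two tries."""
    state = {"calls": 0}
    messages = []

    def flaky_update():
        state["calls"] += 1
        if state["calls"] < 3:
            raise ServerDown("Can't contact LDAP server")

    ok = update_with_retry(flaky_update, attempts=5, delay=0,
                           sleep=lambda s: None, log=messages.append)
    return ok, state["calls"], messages
```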