FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

#3179 ca renewal script failed to contact directory server

Created 4 years ago by spoore
Modified a month ago

I am testing CA Renewal using this:

I'm seeing a failure:

[root@f18-1 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

in /var/log/messages:
Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server TESTRELM-COM..
Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 30 10:28:28 f18-1 renew_ra_cert: Updating agent entry failed: Can't contact LDAP server:
Sep 30 10:28:29 f18-1 renew_ca_cert: Updating renewal certificate failed: Error initializing principal host/ in /etc/krb5.keytab: (-1765328324, 'Generic error (see e-text)')

As far as I can tell, what happened is the ipaCert (the agent cert) was renewed successfully, but we weren't able to bind to the dogtag LDAP instance to update the ou=People entry with the new certificate.

The description of the uid=ipara user still referenced the old serial number.

I was able to reproduce this by killing the PKI-IPA instance during the renewal.

The script can be re-run now but it isn't clear that you can do that. We should do two things:

- Have the script loop and try the server a few times in the hopes it will be back up soon.
- If we can't perform an update, notify that the script can be safely re-run.

I'm not sure whether I want to try to start the service or simply wait for it to come back up.
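A sketch of the two proposed behaviours (a bounded retry loop while the directory server comes back, and an explicit "safe to re-run" message if it never does), as an added Python example that is not FreeIPA's renew_ra_cert code. The exception classes and the update callable are assumed stand-ins for the real LDAP client calls; the caveat it adds is that only connection failures are retried, while a credential error propagates immediately because retrying cannot fix it.

```python
import time

# Assumed stand-ins for the LDAP client's error types (not FreeIPA code):
# ServerDown is transient (server restarting), InvalidCredentials is not.
class ServerDown(Exception):
    """Transient: the directory server cannot be contacted."""

class InvalidCredentials(Exception):
    """Permanent: the bind itself is wrong, retrying will not help."""

RERUN_HINT = ("Updating agent entry failed after %d attempts: %s. "
              "The certificate was renewed; re-run this script once the "
              "directory server is up to update the agent entry.")

def update_with_retry(update, attempts=5, delay=2.0, sleep=time.sleep, log=print):
    """Call update() until it succeeds, retrying only on ServerDown.

    Returns (True, tries) on success or (False, tries) once the attempts
    are exhausted, after logging that a re-run is safe. Any other
    exception (e.g. InvalidCredentials) propagates unchanged.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    for tries in range(1, attempts + 1):
        try:
            update()
            return True, tries
        except ServerDown as err:
            if tries == attempts:
                log(RERUN_HINT % (tries, err))
                return False, tries
            log("Directory server unavailable (%s); retrying in %.0fs" % (err, delay))
            sleep(delay)

def make_flaky_update(failures):
    """Constructed stand-in for the ou=People update: raise ServerDown for
    the first `failures` calls, then succeed (simulates PKI-IPA restarting)."""
    state = {"calls": 0}
    def update():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ServerDown("Can't contact LDAP server")
    return update

if __name__ == "__main__":
    # Server is down for two attempts, then back: succeeds on the third try.
    print(update_with_retry(make_flaky_update(2), delay=0, sleep=lambda s: None))
    # Server never comes back: exhausts attempts and prints the re-run hint.
    print(update_with_retry(make_flaky_update(99), attempts=3, delay=0, sleep=lambda s: None))
```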

a month ago

Metadata Update from @spoore:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)
