#4039 Renewal with no master CA
Closed: Fixed. Opened 10 years ago by rcritten.

A user has 3 CAs. None of them is configured to do CA renewal. They are all configured to pull updated certificates from LDAP using the certmonger renew_ra_cert CA. It is unclear how it got into this situation. It could be the original master was deleted, or this was the result of some upgrade, but none of the masters is configured to do the actual subsystem renewal. The result was the renewal status was CA_WORKING on all systems.

The user is using IPA 3.0 on RHEL 6.4, so this is a dual 389-ds install.

Fixing this was a relatively straightforward process: pick one to do the renewal, tell certmonger to stop tracking the CA subsystem certificates and then configure certmonger to renew the certificates (it is a difference in the CA script that certmonger uses).

So this is problem #1: provide documentation on how to recover from this situation.

This worked ok and all 4 of the required certificates were renewed, but something strange happened.

Only one certificate was added to LDAP, the RA agent cert ipaCert. We never did figure out why.

This is problem #2: see how it can happen that a certificate is renewed and not added to LDAP.

Replication was firing as we saw the ipaCert entry in cn=ca_renewal on all masters and the ou=People entry in the CA DS instance was replicated ok as well. So in short, replication was working in both instances.

To fix this we manually pulled the updated certificates out of the various databases using certutil -L -d /path/to/db -n <nickname> -a. Then we moved the certificates to the non-updated masters and manually added them to their respective databases. Note that certutil will pull ALL the certificates out of an NSS database if there is more than one certificate under the nickname, as is the case after a renewal. This is fine, but certutil -A will only ADD one certificate, which means you'll need to edit each file so that only the latest certificate is stored there.

We had to do this for the 3 CA certificates (ocsp, audit, subsystem) in /var/lib/<location>/alias (location is distro-specific) and the ipaCert RA agent certificate in /etc/httpd/alias.
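The manual copy described in the ticket (certutil -L ... -a dumping every certificate stored under a nickname, trimming the dump to the newest one, certutil -A importing that single certificate on the masters that missed the renewal) as an added example script. This is not code from the ticket or from FreeIPA; it assumes the database paths and nicknames the ticket names (/etc/httpd/alias with ipaCert, /var/lib/<location>/alias with the ocsp, audit and subsystem certificates), and that certutil, openssl and GNU date are installed. The split and newest-selection helpers are written here for illustration and are not IPA tools; "newest" is decided by notAfter rather than by position in the dump, since certutil does not promise an order.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA itself.
# Moves one renewed certificate between NSS databases, one at a time:
#   export  (on the master that did the renewal): dump NICK from DB, keep newest
#   import  (on a master that did not get it):    add that single cert to its DB
# Paths/nicknames are assumptions from the ticket text; needs certutil,
# openssl and GNU date.
set -eu

# Split a multi-certificate PEM dump (what `certutil -L -d DB -n NICK -a`
# prints once a renewal has left two certificates under one nickname) into
# OUTDIR/cert-1.pem, cert-2.pem, ... in order of appearance.
# Prints the number of certificates written.
split_pem_certs() {
    infile=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$infile"
}

# Of the single-certificate files in OUTDIR, print the path of the one
# with the latest notAfter (the renewed certificate).
latest_cert() {
    outdir=$1
    best=""
    best_ts=0
    for f in "$outdir"/cert-*.pem; do
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        ts=$(date -d "$end" +%s)
        if [ "$ts" -gt "$best_ts" ]; then
            best=$f
            best_ts=$ts
        fi
    done
    printf '%s\n' "$best"
}

# Run on the renewal master: write only the newest certificate stored under
# NICK in DB to OUTFILE, a file that is safe to hand to certutil -A later.
export_newest_cert() {
    db=$1
    nick=$2
    outfile=$3
    work=$(mktemp -d)
    certutil -L -d "$db" -n "$nick" -a > "$work/all.pem"
    n=$(split_pem_certs "$work/all.pem" "$work/split")
    echo "$nick: $n certificate(s) under this nickname in $db" >&2
    cp "$(latest_cert "$work/split")" "$outfile"
    openssl x509 -in "$outfile" -noout -subject -serial -enddate >&2
    rm -rf "$work"
}

# Run on each master still holding the old certificate. certutil -A imports
# only the first certificate in its input, so refuse anything but one cert.
import_cert() {
    db=$1
    nick=$2
    infile=$3
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$infile")" -ne 1 ]; then
        echo "$infile must contain exactly one certificate" >&2
        return 1
    fi
    certutil -A -d "$db" -n "$nick" -t ',,' -a -i "$infile"
    echo "imported $nick into $db; check with: certutil -L -d $db" >&2
}

# Usage:
#   ./copy-renewed-cert.sh export /etc/httpd/alias ipaCert /tmp/ipaCert.pem
#   (copy /tmp/ipaCert.pem to the other master, then there:)
#   ./copy-renewed-cert.sh import /etc/httpd/alias ipaCert /tmp/ipaCert.pem
if [ "$#" -eq 4 ]; then
    case $1 in
        export) export_newest_cert "$2" "$3" "$4" ;;
        import) import_cert "$2" "$3" "$4" ;;
        *) echo "usage: $0 export|import DB NICKNAME FILE" >&2; exit 2 ;;
    esac
fi
```

Repeat the export/import pair once per nickname (ipaCert in /etc/httpd/alias; the ocsp, audit and subsystem nicknames in the CA's alias directory), running export on the master that renewed and import on every other master. The trust flags ',,' are the usual choice here: the private key for these certificates is already in the destination database, so NSS treats the imported certificate as the user certificate for that key.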


Moving stabilization tickets that do not affect FreeIPA 4.0 release usability in any significant way to 4.0.1 stabilization milestone.

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

master:

  • 7741401 Allow changing CA renewal master in ipa-csreplica-manage.

ipa-4-1:

  • aae7848 Allow changing CA renewal master in ipa-csreplica-manage.

ipa-4-0:

  • 8999300 Allow changing CA renewal master in ipa-csreplica-manage.

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago

