hi,

I followed the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

and now after some issues I have a replica with both pki and dns data
running centos 7.

So now I have 3 replicas:

centos 6.8:
kdc01.unix.iriszorg.nl
kdc02.unix.iriszorg.nl

centos 7.2
kdc03.unix.iriszorg.nl

The replica was created with an agreement to kdc01.unix.iriszorg.nl which
was the master for crl updates. I followed the steps to disabled crlcache
and crlupdates on the kdc01 and to enable them on the kdc03.

So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and
uncommented

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin
https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
[L,R=301,NC]

and on the kdc03 i commented this out:

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin
https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
[L,R=301,NC]


When I try to resubmit certificates from certmonger they still hit the
kdc01 web server, so the requests hang on an status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Failure decoding
Certificate Signing Request).


Which was the problem on a recent thread on the list (trying to get rid of
this replica now to fix this problem as well).

So something is not redirecting properly and I would appreciate your
assistance.

TIA.
--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to