On 08/01/2017 03:11 PM, Mark Haney via FreeIPA-users wrote:
On 08/01/2017 03:26 AM, Florence Blanc-Renaud wrote:

another user hit the same problem as you (ipa-replica-install --setup-ca fails during pkispawn and the PKI debug log shows an error related to updateNumberRange). He managed to workaround the issue by un-enrolling the failing replica and revoking all the certificates that were created during replica setup attempts (you can find the mail thread here [1]).

I still don't know what is the root cause of the issue or why the workaround succeeded, but it's worth giving it a try.


[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TJGJZANRCIYTGXCUEAZ3XLISNEO7QOIN/#A54XHWAG4Z6BVX62YRUQXYO5QKW4OXAZ

The logs do look similar to me, so I can give this a shot, what I don't know is how to revoke all the certificates on the replica server (at least I'm assuming it's the replica getting the revokations.


you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation (CN=<replica>,o=DOM...) and then Actions > Revoke Certificate (superseded).

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to