On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

Done, ipactl status reports everything running,

That's not correct, see below.

but certificates don't renew.
Looking at certmonger (in debug mode) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
request, will retry: 4035 (RPC failed at server.  Request failed with
status 500: Non-2xx response from CA REST API: 500. ).

internal error from apache

Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining:  Failed connect to
idc02.linux.unicloudidattica.local:443; Connection refused).

no apache running

I don't think so. HTTP 500 doesn't mean apache is not running, but an internal server error. Indeed I can reach the administration web ui. Login fails due to time skew, but apache is fully responsive.

Apache returns 500 when something behind the scenes fails (maybe the pki-tomcat part, following a POST to the API).



Do I have to try to remove/re-add monitoring from certmonger for service
certificates?

No - try to find out the errors above. Leave certmonger alone until you
have fixed apache/dogtag.

Jochen


--
Giulio Casella                                     giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano