Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>> writes:
>>
>>> Done, ipactl status reports everything running,
>>
>> That's not correct, see below.
>>
>>> but certificates don't renew.
>>> Looking at certmonger (in debug mode) I can see:
>>>
>>> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: 4035 (RPC failed at server.  Request failed with
>>> status 500: Non-2xx response from CA REST API: 500. ).
>>
>> internal error from apache
>>
>>> Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: -504 (libcurl failed to execute the HTTP POST
>>> transaction, explaining:  Failed connect to
>>> idc02.linux.unicloudidattica.local:443; Connection refused).
>>
>> no apache running
>
> I don't think so. HTTP 500 doesn't mean apache is not running, but an
> internal server error.
> Indeed I can reach the administration web ui. Login fails due to time
> skew, but apache is fully responsive.

Have a look again: Host idc01 delivers 500 - internal error. Host idc02
has no apache running ("connection refused").

> Apache returns 500 when something behind the scenes fails (maybe the
> pki-tomcat part, following a POST to the API).

Yes, try fixing idc01 - most probably dogtag/pki-tomcat there.

Jochen

-- 
This space is intentionally left blank.
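
The distinction drawn in this thread (HTTP 500 from one replica versus "Connection refused" from the other) can be checked mechanically. The following is an added example, not part of the original message or of FreeIPA: the function name and verdict labels are made up for illustration, and the sample text is the certmonger output quoted above.

```python
import re
from urllib.parse import urlsplit

# certmonger error text as quoted in the thread, wrapped the way the mail wraps it.
SAMPLE = """\
Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
request, will retry: 4035 (RPC failed at server.  Request failed with
status 500: Non-2xx response from CA REST API: 500. ).
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining:  Failed connect to
idc02.linux.unicloudidattica.local:443; Connection refused).
"""

ENTRY = re.compile(
    r"Server at (?P<url>\S+) failed request, will retry: "
    r"(?P<code>-?\d+) \((?P<detail>.*?)\)\."
)

def triage(log_text):
    """Return [(host, code, verdict)] for each failed-request entry.

    Verdict labels are hypothetical names chosen for this example.
    """
    flat = " ".join(log_text.split())  # undo mail/log line wrapping
    results = []
    for m in ENTRY.finditer(flat):
        host = urlsplit(m["url"]).hostname
        detail = m["detail"]
        if "Connection refused" in detail:
            # TCP connect was rejected: nothing accepted the connection on that port.
            verdict = "no-listener"
        elif re.search(r"Non-2xx response from CA REST API: \d{3}", detail):
            # The web server answered; the error comes from the CA behind it.
            verdict = "ca-backend-error"
        elif re.search(r"status 5\d\d", detail):
            verdict = "http-server-error"
        else:
            verdict = "unclassified"
        results.append((host, int(m["code"]), verdict))
    return results

if __name__ == "__main__":
    for host, code, verdict in triage(SAMPLE):
        print(f"{host}: certmonger code {code} -> {verdict}")
```
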