I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
in FreeIPA 4.0 or later
<https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master>".

Server 1 failed in my case.

On server 2, I set enableCRLCache, enableCRLUpdates to false in
/etc/pki/pki-tomcat/ca/CS.cfg

I restarted pki-tomcatd@pki-tomcat

I fixed the revocation rule in Apache (enabled the rule)

I restarted httpd

Now the FreeIPA website says "Internal Server Error" and running kinit
admin gives "kinit: Client's credentials have been revoked while getting initial
credentials"


Before CA promotion the website and kinit seemed to be working fine on
server 2. Is Kerberos or LDAP broken now? What steps were
missed to fail over?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org