Jonathan Kelley via FreeIPA-users <>

> I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
> in FreeIPA 4.0 or later
> <>".
> Server 1 failed in my case.
> On server 2, I set enableCRLCache, enableCRLUpdates to false in
> /etc/pki/pki-tomcat/ca/CS.cfg
> I restarted pki-tomcatd@pki-tomcat
> I fixed the revocation rule in apache (enabled the rule)
> I restarted httpd
> Now the FreeIPA website says "Internal Server Error" and running kinit
> admin "kinit: Client's credentials have been revoked while getting initial
> credentials"
> Before CA promotion the website and kinit seemed to be working fine on
> server 2. Is Kerberos or LDAP or Kerberos broken now? What steps were
> missed to failover?

Could you post some logs please?  I'm interested in Kerberos, but LDAP
would be nice too.  Also `ipactl status`.

