Jonathan Kelley via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
> in FreeIPA 4.0 or later
> <https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master>".
>
> Server 1 failed in my case.
>
> On server 2, I set enableCRLCache, enableCRLUpdates to false in
> /etc/pki/pki-tomcat/ca/CS.cfg
>
> I restarted pki-tomcatd@pki-tomcat
>
> I fixed the revocation rule in apache (enabled the rule)
>
> I restarted httpd
>
> Now the FreeIPA website says "Internal Server Error" and running kinit
> admin "kinit: Client's credentials have been revoked while getting initial
> credentials"
>
>
> Before CA promotion the website and kinit seemed to be working fine on
> server 2. Is Kerberos or LDAP or Kerberos broken now? What steps were
> missed to failover?

Could you post some logs please?  I'm interested in Kerberos, but LDAP
would be nice too.  Also `ipactl status`.

Thanks,
--Robbie
