Robbie Harwood via FreeIPA-users wrote:
> Jonathan Kelley via FreeIPA-users <firstname.lastname@example.org>
>> I've got ipa-server 4.5.0. This is a topology with 2 servers and lost my
>> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
>> in FreeIPA 4.0 or later
>> Server 1 failed in my case.
>> On server 2, I set enableCRLCache, enableCRLUpdates to false in
>> I restarted pki-tomcatd@pki-tomcat
>> I fixed the revocation rule in apache (enabled the rule)
>> I restarted httpd
>> Now the FreeIPA website says "Internal Server Error" and running kinit
>> admin "kinit: Client's credentials have been revoked while getting initial
>> Before CA promotion the website and kinit seemed to be working fine on
>> server 2. Is Kerberos or LDAP or Kerberos broken now? What steps were
>> missed to failover?
> Could you post some logs please? I'm interested in Kerberos, but LDAP
> would be nice too. Also `ipactl status`.
I was thinking that the credentials revocation is unrelated but yeah,
/var/log/httpd/error_log will tell you why that failed and if you wait a
few minutes then kinit admin may start working again.