Robbie Harwood via FreeIPA-users wrote:
> Jonathan Kelley via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
> 
>> I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
>> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
>> in FreeIPA 4.0 or later
>> <https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master>".
>>
>> Server 1 failed in my case.
>>
>> On server 2, I set enableCRLCache, enableCRLUpdates to false in
>> /etc/pki/pki-tomcat/ca/CS.cfg
>>
>> I restarted pki-tomcatd@pki-tomcat
>>
>> I fixed the revocation rule in apache (enabled the rule)
>>
>> I restarted httpd
>>
>> Now the FreeIPA website says "Internal Server Error" and running kinit
>> admin "kinit: Client's credentials have been revoked while getting initial
>> credentials"
>>
>>
>> Before CA promotion the website and kinit seemed to be working fine on
>> server 2. Is kerberos or LDAP or Kerberos broken now? What steps were
>> missed to failover?
> 
> Could you post some logs please?  I'm interested in Kerberos, but LDAP
> would be nice too.  Also `ipactl status`.

I was thinking that the credentials revocation is unrelated but yeah,
/var/log/httpd/error_log will tell you why that failed and if you wait a
few minutes then kinit admin may start working again.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org