Robbie Harwood via FreeIPA-users wrote:
> Jonathan Kelley via FreeIPA-users writes:
>> I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
>> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
>> in FreeIPA 4.0 or later".
>> Server 1 failed in my case.
>> On server 2, I set enableCRLCache, enableCRLUpdates to false in
>> /etc/pki/pki-tomcat/ca/CS.cfg
>> I restarted pki-tomcatd@pki-tomcat
>> I fixed the revocation rule in apache (enabled the rule)
>> I restarted httpd
>> Now the FreeIPA website says "Internal Server Error" and running kinit
>> admin "kinit: Client's credentials have been revoked while getting initial
>> credentials"
>> Before CA promotion the website and kinit seemed to be working fine on
>> server 2. Is Kerberos or LDAP or Kerberos broken now? What steps were
>> missed to failover?
> Could you post some logs please?  I'm interested in Kerberos, but LDAP
> would be nice too.  Also `ipactl status`.

I was thinking that the credentials revocation is unrelated but yeah,
/var/log/httpd/error_log will tell you why that failed, and if you wait a
few minutes then kinit admin may start working again.
