Robbie Harwood via FreeIPA-users wrote:
> Jonathan Kelley via FreeIPA-users <firstname.lastname@example.org>
> writes:
>
>> I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my
>> primary. I found this guide "Promote CA to Renewal and CRL Master Procedure
>> in FreeIPA 4.0 or later
>> <https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master>".
>>
>> Server 1 failed in my case.
>>
>> On server 2, I set enableCRLCache, enableCRLUpdates to false in
>> /etc/pki/pki-tomcat/ca/CS.cfg
>>
>> I restarted pki-tomcatd@pki-tomcat
>>
>> I fixed the revocation rule in apache (enabled the rule)
>>
>> I restarted httpd
>>
>> Now the FreeIPA website says "Internal Server Error" and running kinit
>> admin "kinit: Client's credentials have been revoked while getting initial
>> credentials"
>>
>>
>> Before CA promotion the website and kinit seemed to be working fine on
>> server 2. Is kerberos or LDAP or Kerberos broken now? What steps were
>> missed to failover?
>
> Could you post some logs please? I'm interested in Kerberos, but LDAP
> would be nice too. Also `ipactl status`.

I was thinking that the credentials revocation is unrelated, but yeah, /var/log/httpd/error_log will tell you why that failed, and if you wait a few minutes then kinit admin may start working again.

rob