Evan G via FreeIPA-users wrote:
> Good afternoon.
>
> We currently have FreeIPA v4.6.8 running on CentOS7. We have tried many of
> the solutions posted on this mailer however none have helped us bring the
> environment back online. Our current situation is as follows:
>
> - We have a single master / single CA with a total of 4 FreeIPA (2 in each
> site) servers in production.

ipa config-show will tell you which one is the renewal master. All renewals need to start there.

> - Replication is not working between the master and secondaries.

Are all certs expired or just some? `getcert list` will tell us.

> - The FreeIPA admin account password is working and we are able to kinit as
> admin
> - We can bring the IPA services online by rolling the clock back to before
> the HTTP cert expired, however the CA refuses to sign any of our cert
> requests -- giving a Kerberos authentication error when CURL'd

I'm not sure what you are using CURL for.

> - We are able to login to the HTTP interface with the services up and date
> rolled back, however we are unable to issue a new cert, we receive a 500
> error in reaching the CA
>
> Happy to provide any other requested info but we've been troubleshooting this
> for 3 days straight and we're coming up empty on every avenue.

You'll want to look at /var/log/pki/pki-tomcat/ca debug after a start. Read from the top down looking for start-up errors. Reading from the bottom up from the log usually leads to red herrings.

There is also a selfsign.log near that directory and it will tell you if start-up failed due to inconsistencies.

rob
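
An added example, not part of the reply above or of FreeIPA's own code: a small Python parser that answers the "all certs expired or just some?" question from saved `getcert list` output. The sample output (trimmed to three fields per request) and the reference date are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints (fields trimmed); not the poster's data.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190301120000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2021-03-01 12:00:00 UTC
Request ID '20190301120005':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2021-02-18 09:30:00 UTC
Request ID '20190301120010':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2039-03-01 12:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def triage(text, now):
    """Return (expired, valid) lists of (nickname, status, expiry) as of `now`."""
    expired, valid = [], []
    for req in parse_getcert(text):
        if "expires" not in req:
            continue  # request is tracked but no certificate has been issued yet
        when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        when = when.replace(tzinfo=timezone.utc)
        nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        row = (nick.group(1) if nick else req["id"], req.get("status", "?"), when)
        (expired if when <= now else valid).append(row)
    return expired, valid

if __name__ == "__main__":
    expired, valid = triage(SAMPLE, datetime(2021, 3, 10, tzinfo=timezone.utc))
    for state, rows in (("EXPIRED", expired), ("valid", valid)):
        for nick, status, when in rows:
            print(f"{state:8}{when:%Y-%m-%d}  {status:15}{nick}")
```

Passing the rolled-back clock value as `now` shows which tracked certificates are inside their validity window at that date.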
