Christof Schulze wrote:
> Hello all,
>
> I am running a FreeIPA server on CentOS for 2 years now with mostly
> Ubuntu 12.04 and some Fedora 20 clients.
>
> Since one week (or more) it is not possible any more to install new
> clients (neither Ubuntu nor Fedora). The host gets created on the
> IPA server but it cannot create/exchange a host certificate.
>
> The only thing that happened (except regular updates) was a complete
> certificate renewal with no obvious problems some weeks ago.
>
> Web interface and certmonger show the same error.
>
> ipa-getcert list on the new hosts:
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: FAILURE (Invalid
> Request)).
> stuck: yes

Given the timeline I'd guess that your CA subsystem certificates have expired.

On the IPA master run:

    getcert list (not ipa-getcert)

This will show the current status of things.

What version of IPA is this?

rob
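
An added example, not part of the message above: one way to triage the `getcert list` output on the IPA master is to list only the tracked requests that are already expired or whose status is not MONITORING. The sample output, request IDs and subjects below are constructed; the `status:`, `subject:` and `expires:` field names are the ones certmonger prints.

```shell
#!/bin/sh
# Read `getcert list` output on stdin and print one line per tracked request
# that is expired at the given UTC time or whose status is not MONITORING.
# Real use: getcert list | flag_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"
flag_certs() {
    now="$1"   # reference time, "YYYY-MM-DD HH:MM:SS" (UTC)
    awk -v now="$now" -v q="'" '
        function report() {
            if (id == "") return
            why = ""
            # Timestamps in this format sort correctly as plain strings.
            if (expires != "" && expires < now) why = "EXPIRED"
            if (status != "MONITORING")
                why = (why == "" ? "" : why ",") "STATUS=" status
            if (why != "") printf "%s|%s|%s|%s\n", id, subject, expires, why
        }
        /^Request ID/ {
            report()                      # flush the previous request
            split($0, p, q); id = p[2]    # text between the single quotes
            status = subject = expires = ""
            next
        }
        { sub(/^[ \t]+/, "") }            # fields are indented under the ID
        /^status: /  { status  = substr($0, 9) }
        /^subject: / { subject = substr($0, 10) }
        /^expires: / { expires = substr($0, 10, 19) }   # drop trailing " UTC"
        END { report() }
    '
}

# Constructed sample in the layout `getcert list` prints (not real data).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140101000001':
	status: MONITORING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2014-06-24 14:08:26 UTC
Request ID '20140101000002':
	status: MONITORING
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2016-01-01 00:00:00 UTC
Request ID '20140101000003':
	status: CA_UNREACHABLE
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2014-06-20 09:00:00 UTC
EOF
}

sample_getcert_output | flag_certs '2014-07-01 00:00:00'
```

Each output line is `request-id|subject|expires|reason`; an empty result means every tracked certificate is still valid and in the MONITORING state.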
