On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo <natxo.ase...@gmail.com>

> hi,
> In a test network I followed the procedure especified in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
> Everything went fine, I shutdown the centos 6.7 host and i can kinit to
> the test realm like before with everything being handled by the centos 7.1
> ipa server.
> Unfortunately, firefox is not loading the web ui with the message:
> An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
> server experienced an internal error. (Error code:
> sec_error_ocsp_server_error)
> Chrome works fine, it does not query the ocsp responder apparently. If I
> turn off the ocsp queries in firefox, everything works.
> So how can I troubleshoot this? I have turned off the firewall in the
> centos 7.1 hosts, selinux is permissive.

ok, so I found something:

 $ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout
-text | grep -i ocsp
                OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp

so it's pointing to the centos 6.7 box, and that one is gone. That's why
it's not working.

Shouldn't the certificates be modified or recreated when decommissioning
replicas? I must have done something wrong when decommissioning the server

Anyway, I created an A record for kdc1 pointing to kdc2 and now it's
working, but I wonder if this is the 'right' approach.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to