On 09/21/2016 10:50 AM, Natxo Asenjo wrote: > hi, > > I followed the instructions here: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html > > and now after some issues I have a replica with both pki and dns data running > centos 7. > > So now I have 3 replicas: > > centos 6.8: > kdc01.unix.iriszorg.nl <http://kdc01.unix.iriszorg.nl> > kdc02.unix.iriszorg.nl <http://kdc02.unix.iriszorg.nl> > > centos 7.2 > kdc03.unix.iriszorg.nl <http://kdc03.unix.iriszorg.nl> > > The replica was created with an agreement to kdc01.unix.iriszorg.nl > <http://kdc01.unix.iriszorg.nl> which was the master for crl updates. I > followed > the steps to disabled crlcache and crlupdates on the kdc01 and to enable them > on > the kdc03. > > So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and uncommented > > # Only enable this on servers that are not generating a CRL > RewriteRule ^/ipa/crl/MasterCRL.bin > https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL > > [L,R=301,NC] > > and on the kdc03 i commented this out: > > # Only enable this on servers that are not generating a CRL > #RewriteRule ^/ipa/crl/MasterCRL.bin > https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL > > [L,R=301,NC] > > > When I try to resubmit certificates from certmonger they still hit the kdc01 > web > server, so the requests hang on an status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed at server. > > Certificate operation cannot be completed: Failure decoding Certificate > Signing > Request).
Where does it happen? On arbitrary client which was installed in a past against the removed kdc01? If so could you look into /etc/ipa/default.conf and change host option from kdc01 to the 7.2 IPA sever? If this is correct then IMO it is quite a serious bug which needs to be fixed (i.e. DNS discovery needs to be used). > > > Which was the problem on a recent thread on the list (trying to get rid of > this > replica now to fix this problem as well). > > So something is not redirecting properly and I would appreciate your > assistance. > > TIA. > -- > Groeten, > natxo > -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project