We have several IPA servers. Recently they got out of sync, and in the
course of fixing things, I think we inadvertently revoked the CA.

When I try to get to ipa01 (the first one we built) in Firefox I get this:

An error occurred during a connection to ipa01-reston.xco.qq. Peer's
Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

I can log in to 02 & 03 just fine. But when I try to administer anything
certificate related under the GUI I get this error:

IPA Error 4301: CertificateOperationError

Certificate operation cannot be completed: Unable to communicate with CMS
(Internal Server Error)


2016-09-23T18:53:54Z    7241    MainThread      ipa     INFO    Deleting schedule 2358-2359 0 from agreement cn=meToipa01,cn=replica,cn=dc\=xxx\,dc\=xx,cn=mapping tree,cn=config
2016-09-23T18:53:55Z    7241    MainThread      ipa     INFO    Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server: start: 0: end: 0
2016-09-27T18:23:10Z    30695   MainThread      ipa     INFO    Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa01-...@xxx.xx) and

I'm thinking the cert is only revoked on 01; it should be replicated to
02-09. Is there any way to make sure that it doesn't fully replicate
revocation and bring it back to 01? If that's even the problem!

Thanks much,
