Mike LoSapio wrote:
I suspect that was the issue -
Of course moved on to something else (hostname removed)
Request ID '20140520151448':
status: CA_UNREACHABLE
ca-error: Server at https://ldapserver/ipa/xml failed request, will
retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
The Not Found comes from the Apache proxy forwarding to the CA. This
usually means that while tomcat is up the CA webapp is not running. This
is usually caused by the audit subsystem killing it for having expired
certs, bad trust, etc. The CA debug log may hold more details.
The usual fix is to go back in time when the certs are still valid and
get certmonger to do the renewal for you.
rob
I assuming this new error is a result of my failed attempt at updating the
certificatesŠ.
Any idea if I was heading down the correct path? - I would have assumed
these certs would have renewed themselves since I¹m +3.0.
I see the Configure renewal section but its an odd situation where we have
to renew and reconfigureŠ
‹Mike
On 8/28/15, 7:45 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
Mike LoSapio wrote:
Hey there -
I¹m working a FreeIPA box (ipa-server-3.0.0-42) - Our original PKI
³master² was nuked a while ago and I have a suspicion that none of the
other ³master² freeipa replicas were ³promoted² (sorry for the over-use
of ³ )
So we went ahead and ran through these instructions and are currently in
a weird state:
krb5 won¹t start and the getcert list command is returning
CA_UNREACHABLE
krb5kdc: Server error - while fetching master key K/M for realm
See if the LDAP server is running.
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm
This makes sense since the KDC isn't running.
So I don¹t think I can promote another master/replica ?
There really is no promotion, all IPA servers are masters. The only
difference is what extra services (CA, DNS) may be running and who
controls renewal and CRL generation. See
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
