We have several IPA servers. Recently they got out of sync, and in the course of fixing things, I think we inadvertently revoked the CA.
When I try to get to ipa01 (the first one we built) in Firefox I get this error:

An error occurred during a connection to ipa01-reston.xco.qq. Peer's Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

I can log in to 02 & 03 just fine. But when I try to administer anything certificate related under the GUI I get this error:

IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

===

2016-09-23T18:53:54Z 7241 MainThread ipa INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01,cn=replica,cn=dc\=xxx\,dc\=xx,cn=mapping tree,cn=config
2016-09-23T18:53:55Z 7241 MainThread ipa INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server: start: 0: end: 0
2016-09-27T18:23:10Z 30695 MainThread ipa INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa01-...@xxx.xx) and (krbprincipalname=ldap/ipa04.xxx...@xxx.xx)

I'm thinking the cert is only revoked on 01; it should be replicated to 02-09. Is there any way to make sure that it doesn't fully replicate revocation and bring it back to 01? If that's even the problem!

Thanks much,
Mike