I've got ipa-server 4.5.0. This is a topology with 2 servers, and I lost my primary. I found this guide "Promote CA to Renewal and CRL Master Procedure in FreeIPA 4.0 or later https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master".
Server 1 failed in my case.
On server 2, I set enableCRLCache, enableCRLUpdates to false in /etc/pki/pki-tomcat/ca/CS.cfg
I restarted pki-tomcatd@pki-tomcat
I fixed the revocation rule in apache (enabled the rule)
I restarted httpd
Now the FreeIPA website says "Internal Server Error" and running kinit admin "kinit: Client's credentials have been revoked while getting initial credentials"
Before CA promotion the website and kinit seemed to be working fine on server 2. Is Kerberos or LDAP broken now? What steps were missed to failover?
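A check for the end state of the promotion steps above, added here as an example (not code from the thread or from FreeIPA): it reads CS.cfg and Apache's ipa-pki-proxy.conf and reports whether both agree on whether this server is the CRL master. The full dotted key names ca.crl.MasterCRL.enableCRLCache / ca.crl.MasterCRL.enableCRLUpdates and the file name ipa-pki-proxy.conf are assumed from the linked FreeIPA howto; the thread itself names only the key suffixes.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: audit whether an
# IPA server is consistently configured as the CRL master after a promotion.
# Per the FreeIPA howto linked in the thread, the CRL master carries
# ca.crl.MasterCRL.enableCRLCache=true and ca.crl.MasterCRL.enableCRLUpdates=true
# in CS.cfg plus an uncommented RewriteRule for MasterCRL.bin in Apache's
# ipa-pki-proxy.conf; every other CA has both flags false and the rule commented.
# The dotted key names and the proxy file name are assumptions taken from that howto.

# Print the value of key $1 (a sed-escaped pattern) in key=value file $2.
cs_get() {
    sed -n "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1
}

# Classify CS.cfg as master, clone, or mixed from the two CRL flags.
crl_cfg_role() {
    cache=$(cs_get 'ca\.crl\.MasterCRL\.enableCRLCache' "$1")
    updates=$(cs_get 'ca\.crl\.MasterCRL\.enableCRLUpdates' "$1")
    case "$cache/$updates" in
        true/true)   echo master ;;
        false/false) echo clone ;;
        *)           echo mixed ;;
    esac
}

# master if an active (uncommented) RewriteRule for MasterCRL.bin exists, else clone.
crl_proxy_role() {
    if grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*MasterCRL\.bin' "$1"; then
        echo master
    else
        echo clone
    fi
}

# Exit 0 when CS.cfg and the proxy config agree on the role, 1 when they do not
# (a half-done promotion, which is what to look for after a failover).
crl_audit() {
    cfg=$(crl_cfg_role "$1")
    proxy=$(crl_proxy_role "$2")
    if [ "$cfg" = "$proxy" ]; then
        echo "consistent: $cfg"
        return 0
    fi
    echo "inconsistent: CS.cfg says $cfg, proxy config says $proxy"
    return 1
}

# Stand-alone use: sh crl_audit.sh /etc/pki/pki-tomcat/ca/CS.cfg /etc/httpd/conf.d/ipa-pki-proxy.conf
[ "$#" -eq 2 ] && crl_audit "$1" "$2"
```

Run it on both servers after the promotion: the surviving CA should report "consistent: master" and any remaining clone "consistent: clone".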
Jonathan Kelley via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> I've got ipa-server 4.5.0. This is a topology with 2 servers, and I lost my primary. I found this guide "Promote CA to Renewal and CRL Master Procedure in FreeIPA 4.0 or later https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master".
> Server 1 failed in my case.
> On server 2, I set enableCRLCache, enableCRLUpdates to false in /etc/pki/pki-tomcat/ca/CS.cfg
> I restarted pki-tomcatd@pki-tomcat
> I fixed the revocation rule in apache (enabled the rule)
> I restarted httpd
> Now the FreeIPA website says "Internal Server Error" and running kinit admin "kinit: Client's credentials have been revoked while getting initial credentials"
> Before CA promotion the website and kinit seemed to be working fine on server 2. Is Kerberos or LDAP broken now? What steps were missed to failover?
Could you post some logs please? I'm interested in Kerberos, but LDAP would be nice too. Also `ipactl status`.
Thanks, --Robbie
Robbie Harwood via FreeIPA-users wrote:
> Jonathan Kelley via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
>
> > I've got ipa-server 4.5.0. This is a topology with 2 servers, and I lost my primary. I found this guide "Promote CA to Renewal and CRL Master Procedure in FreeIPA 4.0 or later https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master".
> > Server 1 failed in my case.
> > On server 2, I set enableCRLCache, enableCRLUpdates to false in /etc/pki/pki-tomcat/ca/CS.cfg
> > I restarted pki-tomcatd@pki-tomcat
> > I fixed the revocation rule in apache (enabled the rule)
> > I restarted httpd
> > Now the FreeIPA website says "Internal Server Error" and running kinit admin "kinit: Client's credentials have been revoked while getting initial credentials"
> > Before CA promotion the website and kinit seemed to be working fine on server 2. Is Kerberos or LDAP broken now? What steps were missed to failover?
>
> Could you post some logs please? I'm interested in Kerberos, but LDAP would be nice too. Also `ipactl status`.
I was thinking that the credentials revocation is unrelated, but yeah, /var/log/httpd/error_log will tell you why that failed, and if you wait a few minutes then kinit admin may start working again.
rob