[Freeipa-users] certificate renewal stuck

Mike LoSapio mlosapio at palantir.com
Sat Aug 29 00:03:22 UTC 2015


I suspect that was the issue -

Of course moved on to something else (hostname removed)

Request ID '20140520151448':
	status: CA_UNREACHABLE
	ca-error: Server at https://ldapserver/ipa/xml failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).

I'm assuming this new error is a result of my failed attempt at updating the
certificates...

Any idea if I was heading down the correct path? - I would have assumed
these certs would have renewed themselves since I'm +3.0.


I see the Configure renewal section but it's an odd situation where we have
to renew and reconfigure...

-Mike


On 8/28/15, 7:45 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:

>Mike LoSapio wrote:
>> Hey there -
>>
>> I'm working a FreeIPA box (ipa-server-3.0.0-42) - Our original PKI
>> "master" was nuked a while ago and I have a suspicion that none of the
>> other "master" freeipa replicas were "promoted" (sorry for the over-use
>> of " )
>>
>>
>> So we went ahead and ran through these instructions and are currently in
>> a weird state:
>>
>> krb5 won't start and the getcert list command is returning
>>CA_UNREACHABLE
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>
>See if the LDAP server is running.
>
>> status: CA_UNREACHABLE
>> ca-error: Error setting up ccache for "host" service on client using
>> default keytab: Cannot contact any KDC for realm
>
>This makes sense since the KDC isn't running.
>
>> So I don't think I can promote another master/replica ?
>
>There really is no promotion, all IPA servers are masters. The only
>difference is what extra services (CA, DNS) may be running and who
>controls renewal and CRL generation. See
>
>rob