[Freeipa-users] replica added, but clients still try renewing certificates with old master
Natxo Asenjo
natxo.asenjo at gmail.com
Wed Sep 21 08:50:47 UTC 2016
hi,
I followed the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
and now after some issues I have a replica with both pki and dns data
running centos 7.
So now I have 3 replicas:
centos 6.8:
kdc01.unix.iriszorg.nl
kdc02.unix.iriszorg.nl
centos 7.2:
kdc03.unix.iriszorg.nl
The replica was created with an agreement to kdc01.unix.iriszorg.nl which
was the master for crl updates. I followed the steps to disable crlcache
and crlupdates on the kdc01 and to enable them on the kdc03.
So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and
uncommented
# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
and on the kdc03 I commented this out:
# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
When I try to resubmit certificates from certmonger they still hit the
kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Failure decoding
Certificate Signing Request).
Which was the problem on a recent thread on the list (trying to get rid of
this replica now to fix this problem as well).
So something is not redirecting properly and I would appreciate your
assistance.
TIA.
--
Groeten,
natxo
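As an added example (not part of this post, and not FreeIPA project code), the following Python script parses the MasterCRL RewriteRule fragment from each CA master's /etc/httpd/conf.d/ipa-pki-proxy.conf, as quoted in the message, and cross-checks that exactly one master leaves the rule commented out (and so generates and serves the CRL itself) while every other master redirects to that one. The configuration texts are constructed from the message; the hostnames kdc01 and kdc03 and their settings follow the message, and the state given to kdc02 (rule still commented out) is an assumption made only to show how a stale master is reported. The regex tolerates a rule that has been wrapped across lines.

```python
import re
from typing import Dict, List, Optional

# Constructed fragments of /etc/httpd/conf.d/ipa-pki-proxy.conf, modelled on the
# message above: kdc01 redirects CRL fetches to kdc03, kdc03 keeps the rule
# commented out so it serves the CRL it generates.
CONF_KDC01 = """# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""
CONF_KDC03 = """# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""
# Assumption for the demo only: kdc02 was never updated and still has the
# rule commented out, which would make it look like a second CRL generator.
CONF_KDC02_STALE = CONF_KDC03

# Match the MasterCRL rewrite rule whether or not it is commented out. \s+
# also absorbs a rule that a mail client wrapped across several lines.
REWRITE_RE = re.compile(
    r"^[ \t]*(#?)[ \t]*RewriteRule\s+\^/ipa/crl/MasterCRL\.bin\s+"
    r"https://([^/\s]+)/ca/ee/ca/getCRL",
    re.MULTILINE,
)


def crl_redirect_target(conf_text: str) -> Optional[str]:
    """Hostname that the *active* rewrite rule redirects CRL requests to.

    Returns None when every occurrence of the rule is commented out or the
    rule is absent, i.e. when this server answers /ipa/crl/MasterCRL.bin
    itself and is therefore expected to be the CRL-generating master.
    """
    for m in REWRITE_RE.finditer(conf_text):
        if m.group(1) != "#":
            return m.group(2)
    return None


def check_crl_topology(confs: Dict[str, str]) -> List[str]:
    """Cross-check the rewrite rules of all CA masters.

    confs maps server hostname -> its ipa-pki-proxy.conf text. Returns a list
    of human-readable problems; an empty list means exactly one master
    generates the CRL and every other master redirects to that master.
    """
    targets = {host: crl_redirect_target(text) for host, text in confs.items()}
    generators = sorted(h for h, t in targets.items() if t is None)
    problems: List[str] = []
    if len(generators) != 1:
        problems.append(
            f"expected exactly one CRL generator, found {len(generators)}: {generators}"
        )
    for host, target in targets.items():
        if target is None:
            continue  # this host generates the CRL; nothing to redirect
        if target == host:
            problems.append(f"{host} redirects CRL requests to itself")
        elif target not in confs:
            problems.append(f"{host} redirects to {target}, which is not a known CA master")
        elif target not in generators:
            problems.append(f"{host} redirects to {target}, which does not generate the CRL")
    return problems


if __name__ == "__main__":
    healthy = {
        "kdc01.unix.iriszorg.nl": CONF_KDC01,
        "kdc03.unix.iriszorg.nl": CONF_KDC03,
    }
    print("kdc01 + kdc03:", check_crl_topology(healthy) or "OK")
    with_stale = dict(healthy, **{"kdc02.unix.iriszorg.nl": CONF_KDC02_STALE})
    for problem in check_crl_topology(with_stale):
        print("problem:", problem)
```

Feed it the real files from each master (for example after collecting them with scp) to confirm the httpd side of the switch is consistent. It only inspects the redirect configuration; it says nothing about which server certmonger's CA helper contacts, so a request that stays in CA_UNREACHABLE after this check passes has to be traced on the certmonger side.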