[Freeipa-users] Possibly revoked my CA?

Mike K as23151767 at gmail.com
Tue Sep 27 20:13:01 UTC 2016


We have several IPA servers, recently they got out of sync and in the
course of fixing things, I think we inadvertently revoked the CA.

When I try to get to ipa01 (the first one we built) in Firefox I get this
error:

An error occurred during a connection to ipa01-reston.xco.qq. Peer's
Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

I can log in to 02 & 03 just fine. But when I try to administer anything
certificate-related under the GUI I get this error:

IPA Error 4301: CertificateOperationError

Certificate operation cannot be completed: Unable to communicate with CMS
(Internal Server Error)


===

2016-09-23T18:53:54Z    7241    MainThread      ipa     INFO    Deleting schedule 2358-2359 0 from agreement cn=meToipa01,cn=replica,cn=dc\=xxx\,dc\=xx,cn=mapping tree,cn=config
2016-09-23T18:53:55Z    7241    MainThread      ipa     INFO    Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server: start: 0: end: 0
2016-09-27T18:23:10Z    30695   MainThread      ipa     INFO    Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa01-xxx at XXX.XX) and (krbprincipalname=ldap/ipa04.xxx.xx at XXX.XX)


I'm thinking the cert is only revoked on 01, it should be replicated to
02-09. Is there any way to make sure that it doesn't fully replicate the
revocation and bring it back to 01? If that's even the problem!


Thanks much,

Mike