Jonathan Kelley via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my primary. I found this guide "Promote CA to Renewal and CRL Master Procedure in FreeIPA 4.0 or later https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master".
Server 1 failed in my case.
On server 2, I set enableCRLCache, enableCRLUpdates to false in /etc/pki/pki-tomcat/ca/CS.cfg
I restarted pki-tomcatd@pki-tomcat
I fixed the revocation rule in apache (enabled the rule)
I restarted httpd
Now the FreeIPA website says "Internal Server Error" and running kinit admin gives "kinit: Client's credentials have been revoked while getting initial credentials".
Before CA promotion the website and kinit seemed to be working fine on server 2. Is Kerberos or LDAP or Kerberos broken now? What steps were missed to failover?
Could you post some logs please? I'm interested in Kerberos, but LDAP would be nice too. Also `ipactl status`.
Thanks, --Robbie