Evan G via FreeIPA-users wrote:
> Good afternoon.
> We currently have FreeIPA v4.6.8 running on CentOS7. We have tried many of the solutions posted on this mailer however none have helped us bring the environment back online. Our current situation is as follows:
> - We have a single master / single CA with a total of 4 FreeIPA (2 in each site) servers in production.
ipa config-show will tell you which one is the renewal master. All renewals need to start there.
> - Replication is not working between the master and secondaries.
Are all certs expired or just some?
`getcert list` will tell us.
> - The FreeIPA admin account password is working and we are able to kinit as admin
> - We can bring the IPA services online by rolling the clock back to before the HTTP cert expired, however the CA refuses to sign any of our cert requests -- giving a Kerberos authentication error when CURL'd
I'm not sure what you are using CURL for.
> - We are able to login to the HTTP interface with the services up and date rolled back, however we are unable to issue a new cert, we receive a 500 error in reaching the CA
> Happy to provide any other requested info but we've been troubleshooting this for 3 days straight and we're coming up empty on every avenue.
You'll want to look at /var/log/pki/pki-tomcat/ca debug after a start. Read from the top down looking for start-up errors. Reading from the bottom up from the log usually leads to red herrings.
There is also a selfsign.log near that directory and it will tell you if start-up failed due to inconsistencies.
rob
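Added example, not part of Rob's reply or Evan's post: a small shell helper that answers the "all certs expired or just some?" question from `getcert list` output. It assumes the usual certmonger field layout (`Request ID`, `status:`, `certificate: ... nickname='...'`, `expires:`, `ca-error:`) and flags every tracked certificate whose expiry is before a reference time you pass in (useful when the clock has been rolled back, since you can compare against the real date instead of the system date). The `sample_getcert` function emits constructed sample output so the script runs offline; on a real server pipe `getcert list` into `summarize_getcert` instead.

```shell
#!/bin/sh
# Added example: summarize `getcert list` output (constructed sample below).

# Constructed sample in certmonger's `getcert list` layout; the request IDs,
# hostnames and ca-error text are invented for the example.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20200101000000':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	expires: 2021-06-01 12:00:00 UTC
	track: yes
	auto-renew: yes
Request ID '20200101000001':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2022-01-15 08:30:00 UTC
	track: yes
	auto-renew: yes
EOF
}

# summarize_getcert "YYYY-MM-DD HH:MM:SS"
# Reads `getcert list` on stdin and prints one line per request:
#   <request id> <nickname> expires=<time> EXPIRED|VALID|UNKNOWN [status=<s>] [ca-error]
# A request is EXPIRED when its expiry sorts before the reference time
# (the timestamps share one fixed-width format, so string comparison works).
# A status other than MONITORING, or any ca-error line, is also reported,
# because a cert that is still valid but stuck in CA_UNREACHABLE will not
# renew on its own.
summarize_getcert() {
    awk -v ref="$1" -v q="'" '
        function flush() {
            if (id == "") return
            verdict = (expires == "") ? "UNKNOWN" : (expires < ref ? "EXPIRED" : "VALID")
            if (status != "MONITORING") verdict = verdict " status=" status
            if (caerr != "") verdict = verdict " ca-error"
            printf "%s %s expires=%s %s\n", id, nick, expires, verdict
        }
        /^Request ID/ {
            flush()
            id = $3; gsub(q, "", id); sub(/:$/, "", id)
            status = ""; expires = ""; caerr = ""; nick = "-"
        }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*expires:/  { expires = $2 " " $3 }
        /^[ \t]*ca-error:/ { caerr = $0 }
        /^[ \t]*certificate:/ {
            # pull the NSS nickname out of nickname='...'
            if (match($0, "nickname=" q "[^" q "]*" q)) {
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            }
        }
        END { flush() }
    '
}

# Stand-alone run: compare the constructed sample against a reference time
# later than the first cert's expiry but earlier than the second's.
sample_getcert | summarize_getcert "2021-07-01 00:00:00"
```

On a live server, run this on the renewal master first (the one `ipa config-show` reports), since that is where renewals have to start; an `ipaCert` or `Server-Cert` line marked `ca-error` while the CA is down points at the pki-tomcat debug log Rob mentions rather than at certmonger itself.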