Have you checked certificates?
https://www.freeipa.org/page/Certmonger#Get_a_list_of_currently_tracked_certificates
Have you checked Kerberos logs, Dirsrv logs, Tomcat logs?
https://www.freeipa.org/page/Troubleshooting/Administration_and_Web_UI

> On 6 Dec 2019, at 17:29, Christian Reiss via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hey Angus,
>
> thanks for replying. Allow me to reply inline:
>
> On 06/12/2019 16:00, Angus Clarke wrote:
>> Have you checked your times are in sync within 5 minutes?
>
> Yes. And it's monitored.
>
>> Have you checked DNS is working for all node entries between all nodes?
>
> Yes. And it's monitored. Even PTR <-> A check.
>
>> Have you used ipactl [status|restart|stop]?
>
> Yes.
>
> [root@auth1:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root@auth2:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> auth3 is down.
>
>> -> Do you see certain services fail and have you checked their logs?
>
> Well that's the wild thing. ipa cli (host remove, host add etc) all work from
> auth1 (which the webui does not allow access). And all changes are propagated
> to auth2. Same for the other way around.
>
> It's just the login to auth1.
>
>> I'm hoping your remaining IPA server is the renewal master:
>> On remaining good server:
>> kinit admin
>> ipa config-show | grep "IPA CA renewal master"
>
> auth1 and auth2 agree on auth1 being the IPA CA renewal master.
>
>> If it is then the following rebuild instructions should be ok.
>> If it is not, then you prolly need some other advice (I haven't faced that
>> situation yet ...)
>
> [...]
>
> The following items seem to mix my two problems.
>
> a) auth1 web login broken,
> b) auth3 needs re-setup.
>
> Any clue on how to debug the web login (or lack thereof) issue?
> Checked httpd logs, nothing to see there in the error logs....
>
> Cheers,
> Chris.
>
> --
> Christian Reiss - em...@christian-reiss.de         /"\  ASCII Ribbon
>                   supp...@alpha-labs.net           \ /    Campaign
>                                                     X   against HTML
> WEB alpha-labs.net                                 / \   in eMails
>
> GPG Retrieval https://gpg.christian-reiss.de
> GPG ID ABCD43C5, 0x44E29126ABCD43C5
> GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
>
> "It's better to reign in hell than to serve in heaven.",
> John Milton, Paradise lost.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
> -----------------------------------------------------------------------------------
>
> This e-mail can not be trusted due to SPF/DKIM validation failed.
>
> -----------------------------------------------------------------------------------