Hi,

I followed the instructions here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
and now, after some issues, I have a replica with both pki and dns data running CentOS 7.

So now I have 3 replicas:

CentOS 6.8:
    kdc01.unix.iriszorg.nl
    kdc02.unix.iriszorg.nl

CentOS 7.2:
    kdc03.unix.iriszorg.nl

The replica was created with an agreement to kdc01.unix.iriszorg.nl, which was the master for CRL updates. I followed the steps to disable crlcache and crlupdates on kdc01 and to enable them on kdc03.

So on kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and uncommented

    # Only enable this on servers that are not generating a CRL
    RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

and on kdc03 I commented this out:

    # Only enable this on servers that are not generating a CRL
    #RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

When I try to resubmit certificates from certmonger they still hit the kdc01 web server, so the requests hang on a

    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).

Which was the problem on a recent thread on the list (trying to get rid of this replica now to fix this problem as well).

So something is not redirecting properly and I would appreciate your assistance.

TIA.

--
Groeten,
natxo
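An added example, not part of the original message: a Python check that reads the text of each server's ipa-pki-proxy.conf and reports whether the MasterCRL.bin redirect is on or off as its role requires (off on the server that generates the CRL, on and pointing at that server everywhere else). It covers only the CRL redirect rule, not where certmonger sends requests; the function names are this example's own and the sample configuration text is constructed from the two rule states quoted in the message.

```python
import re
from urllib.parse import urlsplit

# The CRL redirect line from ipa-pki-proxy.conf, commented out or not.
RULE = re.compile(
    r"^[ \t]*(?P<off>#[ \t]*)?RewriteRule[ \t]+\^/ipa/crl/MasterCRL\.bin[ \t]+(?P<url>\S+)",
    re.MULTILINE,
)

def crl_redirect_state(conf_text):
    """Return (active, target_host); target_host is None if no rule line exists."""
    target = None
    for m in RULE.finditer(conf_text):
        host = urlsplit(m.group("url")).hostname
        if not m.group("off"):
            return True, host   # an uncommented rule is in effect
        target = host           # rule present but commented out
    return False, target

def audit(confs, crl_master):
    """Check each host's rule against its role; returns a list of findings."""
    findings = []
    for host, text in sorted(confs.items()):
        active, target = crl_redirect_state(text)
        if host == crl_master and active:
            findings.append(f"{host}: generates the CRL but the redirect is enabled")
        elif host != crl_master and not active:
            findings.append(f"{host}: does not generate the CRL but the redirect is off")
        elif host != crl_master and target != crl_master:
            findings.append(f"{host}: redirects to {target}, expected {crl_master}")
    return findings

# Constructed sample input: the two rule states described in the message.
_URL = ("https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL"
        "?op=getCRL&crlIssuingPoint=MasterCRL")
_NOTE = "# Only enable this on servers that are not generating a CRL\n"
SAMPLE_CONFS = {
    "kdc01.unix.iriszorg.nl": _NOTE + f"RewriteRule ^/ipa/crl/MasterCRL.bin {_URL} [L,R=301,NC]\n",
    "kdc03.unix.iriszorg.nl": _NOTE + f"#RewriteRule ^/ipa/crl/MasterCRL.bin {_URL} [L,R=301,NC]\n",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFS, "kdc03.unix.iriszorg.nl") or ["CRL redirect rules match roles"]:
        print(line)
```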