Sina Owolabi via FreeIPA-users wrote:
> Hi!
> I am running a small IPA domain (CentOS 7 servers, ipa version 4.5.4,
> api version 2.228), with one master, and two replicas, and I noticed
> that pki-tomcatd no longer works on the master, after attempting a
> reboot.
> pki-tomcatd works fine on the slaves.
> I noticed if I try to run IPA functions (dns record removal, hosts
> management, user passwords, etc), I receive responses like this:
>
>   ipa: ERROR: Certificate operation cannot be completed: Unable to
>   communicate with CMS (Internal Server Error)
>
> But on the replicas, functions work fine.
> Please can someone guide me on how to fix this?

The CA log is in /var/log/pki/pki-tomcat/ca/debug. That may have some
pointers. I'd look at selftests.log first.
My guess is that some of the CA certificates have failed to renew.
getcert list | grep -i expires
rob
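
The `getcert list | grep -i expires` check suggested in the reply, extended so each expiry date stays attached to its request ID and status (an added example, not part of the original thread). The function name `flag_trackings` and the sample data are constructed; it assumes the `expires:` field has the form `YYYY-MM-DD HH:MM:SS UTC`.

```shell
#!/bin/sh
# Added example: list certmonger trackings that are expired or not MONITORING.
# Real use on an IPA server:  getcert list | flag_trackings

# Constructed sample of `getcert list` output (IDs, subjects, dates are made up).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20180101000001':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2019-12-20 10:00:00 UTC
Request ID '20180101000002':
    status: CA_UNREACHABLE
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2018-05-20 10:00:00 UTC
Request ID '20180101000003':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2018-05-31 23:59:59 UTC
EOF
}

# Reads `getcert list` output on stdin; $1 is "now" as 'YYYY-MM-DD HH:MM:SS' (UTC),
# defaulting to the current time.
# Prints: request-id <TAB> status <TAB> expires <TAB> subject
flag_trackings() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        function report() {
            # Timestamps in the same fixed format compare correctly as strings.
            if (id != "" && (status != "MONITORING" || (expires != "" && expires < now)))
                printf "%s\t%s\t%s\t%s\n", id, status, expires, subject
        }
        /^Request ID/     { report(); split($0, q, "\047"); id = q[2]
                            status = expires = subject = "" }
        /^[ \t]*status:/  { sub(/^[ \t]*status:[ \t]*/, "");  status = $0 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        /^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, ""); expires = substr($0, 1, 19) }
        END { report() }
    '
}

sample_getcert_list | flag_trackings '2018-06-01 00:00:00'
```

Any request ID it prints can be inspected further with `getcert list -i <request-id>`.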