On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> Can you please clarify, what is the procedure to rebuild the master via replication?

Honestly, no, as there isn't any clearly documented way to do this ;)
https://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform... is about as close as I've found. Current plan is to snapshot the VMs, then destroy the older one (current renewal master), replace with a new image, and install an IPA replica from the remaining server, using the same name as the prior one (possibly by force). If that doesn't work, same approach with extra steps to remove the old replica first.
Incidentally, this is partly the result of not being able to upgrade in place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when verifying the CA audit signing cert lifetime, as in this particular environment the IPA CA is signed by an external CA cert that expires in 2020. Is this bug-worthy?
-Rob