On 05/29/2018 03:54 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi Florence,
Let me give more info about our FreeIPA infrastructure. We have 8 servers in different zones, 2 per zone.
Last year we installed the first two IPAs, one from scratch and the other as its first replica, both with DNS and CA. The CA certificates were generated by IPA itself, no external ones. Then we replicated them to two other zones, but with DNS capability only.
Now we would like to move the first ones to another zone, so we created two more replicas, this time with CA: "ipa-replica-install --setup-dns --setup-ca --no-forwarders"
The info you asked for:
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
ipa server-role-find shows:
Role name: CA server
Role status: enabled
for all four masters, the first ones and the latest ones. The other four have "Role status: disabled".
ipa config-show shows the same four instances as before under "IPA CA servers:"
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
ipa-replica-install --setup-ca
Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Yes, the CA replicas were installed yesterday. I prefer not to disclose these logs. Is it OK to send them to you directly?
Did you initially have a CA master that was later decommissioned?
No, the CA master should be the first IPA installed, still running and working OK.
Thanks!
On Tue, May 29, 2018 at 3:29 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,
We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
None of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in /etc/pki/pki-tomcat/ca/CS.cfg
Is there any more updated doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you
Hi,
This issue is rather unusual, so I am trying to gather as much information as possible.
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install? Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Did you initially have a CA master that was later decommissioned?
Flo
Hi,
I had a quick look at the code for changing the renewal master, and the command succeeds even if you do not have any server currently marked as CA renewal master.
Re. the CRL generation master, you need to make sure that your new CA renewal master is the only one with enableCRLCache=true and enableCRLUpdates=true, and with the RewriteRule disabled. All the other masters need to have enableCRLCache=false, enableCRLUpdates=false and the RewriteRule enabled.
HTH, Flo
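As an added example (not code from the thread or from FreeIPA itself), a small POSIX shell audit of the settings Flo lists, meant to be run against a copy of each CA master's CS.cfg and httpd proxy config so that exactly one server ends up as CRL generation master. The CS.cfg key names are the ones quoted in the thread; the ipa-pki-proxy.conf location, the RewriteRule pattern and the sample files are my assumptions and are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: audit the CRL
# settings on CA masters. Key names are from the thread (CS.cfg); the
# RewriteRule file (/etc/httpd/conf.d/ipa-pki-proxy.conf) is an assumption.
# Read a key=value setting from a Dogtag CS.cfg; prints the value or nothing.
cs_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
# Classify one CA master from its CS.cfg: "crl-master" when both flags are
# true, "non-crl-master" when both are false, "inconsistent" otherwise.
crl_role() {
    cache=$(cs_get "$1" ca.crl.MasterCRL.enableCRLCache)
    updates=$(cs_get "$1" ca.crl.MasterCRL.enableCRLUpdates)
    if [ "$cache" = true ] && [ "$updates" = true ]; then
        echo crl-master
    elif [ "$cache" = false ] && [ "$updates" = false ]; then
        echo non-crl-master
    else
        echo inconsistent
    fi
}
# "enabled" when an uncommented RewriteRule for MasterCRL is present in the
# httpd proxy config, "disabled" otherwise (the CRL master needs "disabled").
rewrite_state() {
    if grep -q '^[[:space:]]*RewriteRule.*MasterCRL' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}
# Count "crl-master" results over several CS.cfg copies; expect exactly 1.
count_crl_masters() {
    n=0
    for f in "$@"; do
        [ "$(crl_role "$f")" = crl-master ] && n=$((n + 1))
    done
    echo "$n"
}
# Demo on constructed CS.cfg fragments (not real server configuration).
tmp=$(mktemp -d)
printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' > "$tmp/ipa1.cfg"
printf 'ca.crl.MasterCRL.enableCRLCache=false\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$tmp/ipa2.cfg"
for f in "$tmp"/ipa*.cfg; do printf '%s: %s\n' "$(basename "$f")" "$(crl_role "$f")"; done
echo "CRL masters found: $(count_crl_masters "$tmp"/ipa*.cfg)"
rm -rf "$tmp"
```

A count other than 1, or any "inconsistent" host, means the flags were not flipped on every master and should be corrected before pointing clients at the new CRL master.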