On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,
We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Neither of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in /etc/pki/pki-tomcat/ca/CS.cfg.
Is there any more updated doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Hi,
This issue is rather unusual, so I am trying to gather as much information as possible.
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install? Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Did you initially have a CA master that was later decommissioned?

Flo
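A shell helper, added here and not taken from either message in the thread, that pulls the renewal master out of the LDIF that the ldapsearch above returns (FreeIPA stores the role on the entry cn=CA,cn=<server fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> with ipaConfigString: caRenewalMaster) and reads the CRL flag from a CS.cfg file; it also handles the empty result shown in the thread, where no server holds the role. The hostnames, suffix and file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the output of
#   ldapsearch ... -b 'cn=masters,cn=ipa,cn=etc,<suffix>' '(ipaConfigString=caRenewalMaster)' dn
# and a CS.cfg file. FreeIPA keeps the renewal-master role on
# cn=CA,cn=<server fqdn>,cn=masters,... so the hostname is the second RDN.

# Read LDIF on stdin and print the renewal master FQDN. Prints nothing and
# returns 1 when no entry matched (the thread's case): then no server holds
# the role, so nobody is responsible for renewing the CA subsystem certs.
renewal_master_from_ldif() {
    awk '
        /^dn: cn=CA,cn=/ {
            sub(/^dn: cn=CA,cn=/, "")    # drop the leading RDN
            sub(/,cn=masters,.*$/, "")   # drop everything after the hostname
            print
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Report whether the CS.cfg given as $1 marks this CA as the CRL master
# (ca.crl.MasterCRL.enableCRLUpdates=true). Prints "enabled" or "disabled".
crl_updates_from_cscfg() {
    if grep -q '^ca\.crl\.MasterCRL\.enableCRLUpdates=true$' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample outputs (hostname and suffix are placeholders).
SAMPLE_HIT='dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: caRenewalMaster'
SAMPLE_MISS='# search result
search: 2
result: 0 Success'

# Demonstration when run directly:
printf '%s\n' "$SAMPLE_HIT" | renewal_master_from_ldif    # ipa1.example.test
printf '%s\n' "$SAMPLE_MISS" | renewal_master_from_ldif || echo "no renewal master set"
```

On a live server the same functions can be fed by the real ldapsearch output and /etc/pki/pki-tomcat/ca/CS.cfg; an empty result from the first one is the condition the howto's "promote" step is meant to fix.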