Hi,

Sorry for not replying to this, we could not try it until now.

We've followed the doc, and it seems to work OK, certificates can be issued without problems, so we hope that autorenewal works too.

But we have a little problem: if we try to access the certificates section of a CA-less replica, it tries to connect to the old master, giving:

IPA 4301: CertificateOperationError: Unable to communicate with CMS ([Errno -2] Name or service not known)

The old master cannot be resolved anymore, because it was removed from the topology.

We've tried to restart all services, but it seems to be cached somewhere.

Thanks


On Wed, May 30, 2018 at 6:26 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
On 05/29/2018 03:54 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
> Hi Florence,
>
> Let me give more info about our FreeIPA infrastructure. We have 8 servers
> in different zones, 2 per zone.
>
> Last year we installed the first two IPAs, one from scratch and the other
> its first replica, and both with DNS and CA. CA certificates generated by
> IPA itself, no external ones.
> Then we replicated them to other two zones, but with DNS capability only
>
> Now we would like to move the first ones to another zone, so we created two more
> replicas, but this time with CA: "ipa-replica-install --setup-dns
> --setup-ca --no-forwarders"
>
> The info you've asked for:
>
>> Can you check the output of 'ipa server-role-find' to check which servers
> have the CA capability and 'ipa config-show'?
>
> ipa server-role-find shows:
>
>     Role name: CA server
>     Role status: enabled
>
> for all the four masters, the first ones, and the latest ones. The other
> four have "Role status: disabled".
>
> ipa config-show shows the same four instances as before on "IPA CA servers:"
>
>> Were the replicas created with the option ipa-replica-install [...]
> --setup-ca, or did you first create the replica then run ipa-ca-install?
>
> ipa-replica-install --setup-ca
>
>> Did you keep the installation log files (/var/log/ipareplica-install.log
> and /var/log/ipareplica-ca-install.log)?
>
> Yes, the CA replicas were installed yesterday. I prefer not to disclose
> these logs. Is it OK to send them to you directly?
>
>> Did you initially have a CA master that was later decommissioned?
>
> No, the CA master should be the first IPA installed, still running and
> working OK.
>
> Thanks!
>
> On Tue, May 29, 2018 at 3:29 PM Florence Blanc-Renaud <flo@redhat.com>
> wrote:
>
>> On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
>>> Hi,
>>>
>>> We've created a new replica from our FreeIPA infrastructure, with CA
>>> capabilities. Now we want it to be the CA renewal master, as it's written
>>> here:
>>>
>>> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>
>>> However, the first step, knowing which is the present master, is blocking
>>> us. ldapsearch does not return the info we need:
>>>
>>> ldapsearch -D 'cn=Directory Manager' -W -b
>>> 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int'
>>> '(ipaConfigString=caRenewalMaster)' dn
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
>>> # filter: (ipaConfigString=caRenewalMaster)
>>> # requesting: dn
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> Neither of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in
>>> /etc/pki/pki-tomcat/ca/CS.cfg
>>>
>>> Is there any more updated doc about this?
>>>
>>> All FreeIPA servers are:
>>>
>>> CentOS Linux release 7.5.1804 (Core)
>>> VERSION: 4.5.4, API_VERSION: 2.228
>>>
>>> Thank you
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5BWQC2VTIXEMWARWPJA5QSKRKIVRGKXL/
>>>
>
>> Hi,
>
>> This issue is rather unusual, so I am trying to gather as much
>> information as possible.
>
>> Can you check the output of 'ipa server-role-find' to check which
>> servers have the CA capability and 'ipa config-show'?
>
>> Were the replicas created with the option ipa-replica-install [...]
>> --setup-ca, or did you first create the replica then run ipa-ca-install?
>> Did you keep the installation log files (/var/log/ipareplica-install.log
>> and /var/log/ipareplica-ca-install.log)?
>
>> Did you initially have a CA master that was later decommissioned?
>> Flo
>
>
>

Hi,

I had a quick look at the code for changing the renewal master, and the
command succeeds even if you do not have any server currently marked as
CA renewal master.

Re. the CRL generation master, you need to make sure that your new CA
renewal master is the only one with enableCRLCache=true and
enableCRLUpdates=true, and with the RewriteRule disabled. All the other
masters need to have enableCRLCache=false, enableCRLUpdates=false and
the RewriteRule enabled.

HTH,
Flo


--
Carlos Fernández Manteiga
BitBan Technologies S.L.

E-mail: cfernandez@bitban.com


C/ Princesa, 2, 6ª-1
28008 Madrid
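Added example (not from this thread or from FreeIPA itself) that audits the CRL master settings Flo describes: exactly one CA master should have enableCRLCache=true and enableCRLUpdates=true with the MasterCRL RewriteRule disabled, and all others the opposite. The CS.cfg keys come from the thread; the RewriteRule living in ipa-pki-proxy.conf is an assumption, and every sample file below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies per-master config fragments so an
# admin can spot a topology with zero or several CRL masters before promoting one.

# Print "crl-master", "non-master" or "inconsistent" for one CS.cfg file.
classify_cs_cfg() {
    cache=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLCache=//p' "$1" | tail -n1)
    updates=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p' "$1" | tail -n1)
    case "$cache:$updates" in
        true:true)   echo crl-master ;;
        false:false) echo non-master ;;
        *)           echo inconsistent ;;   # mixed or missing keys
    esac
}

# Print "enabled" if an uncommented MasterCRL RewriteRule is present, else "disabled".
# The CRL master must have it disabled; every other master must have it enabled.
# (Assumption: the rule lives in /etc/httpd/conf.d/ipa-pki-proxy.conf.)
rewrite_rule_state() {
    if grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*MasterCRL' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Count CRL masters among the given CS.cfg files; the only healthy answer is 1.
count_crl_masters() {
    n=0
    for f in "$@"; do
        [ "$(classify_cs_cfg "$f")" = crl-master ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed samples standing in for CS.cfg and ipa-pki-proxy.conf on three masters.
tmpdir=$(mktemp -d)
printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' > "$tmpdir/m1.cfg"
printf 'ca.crl.MasterCRL.enableCRLCache=false\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$tmpdir/m2.cfg"
printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$tmpdir/m3.cfg"
printf '# RewriteRule ^/ipa/crl/MasterCRL.bin https://m1.example.test/... [L,R=301,NC]\n' > "$tmpdir/m1-proxy.conf"
printf 'RewriteRule ^/ipa/crl/MasterCRL.bin https://m1.example.test/... [L,R=301,NC]\n' > "$tmpdir/m2-proxy.conf"

for m in m1 m2 m3; do
    echo "$m: $(classify_cs_cfg "$tmpdir/$m.cfg")"
done
echo "CRL masters found: $(count_crl_masters "$tmpdir"/m?.cfg)"
echo "m1 RewriteRule: $(rewrite_rule_state "$tmpdir/m1-proxy.conf")"
```

Run it against the real files by passing each master's CS.cfg to classify_cs_cfg and its proxy config to rewrite_rule_state; m3 above shows the "inconsistent" state that would break CRL generation.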