If I have a pair of IPA servers and need to reinstall the one currently holding the CA master, is it actually necessary to promote the other one, or can I just follow the procedure to rebuild the current master via replication and then verify its CA configuration[1] after the fact?
Thanks,
-Rob
[1] Specifically, everything mentioned in https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
On Mon, Nov 12, 2018 at 03:55:13PM -0500, Rob Foehl via FreeIPA-users wrote:
> If I have a pair of IPA servers and need to reinstall the one currently holding the CA master, is it actually necessary to promote the other one, or can I just follow the procedure to rebuild the current master via replication and then verify its CA configuration[1] after the fact?
> Thanks,
> -Rob
Hi Rob,
Can you please clarify what the procedure is to rebuild the master via replication?
In any case, a CA replica is recommended in strong terms, whether rebuilding a master or not! But as long as you include the CA on the rebuilt master, there is no need to promote the replica to renewal/CRL master. Just ensure the renewal/CRL master configuration is correct at the end, as you suggested.
Cheers, Fraser
> [1] Specifically, everything mentioned in https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
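Fraser's advice is to verify the renewal/CRL master configuration once the rebuilt server is back. The shell snippet below is an added example, not part of the thread and not FreeIPA's own tooling: it reads the "IPA CA renewal master" line from `ipa config-show` output and checks the two MasterCRL settings in Dogtag's CS.cfg that the linked Howto switches when a server is made CRL master. The hostnames, the captured config-show text and the CS.cfg fragments are constructed so the functions can be exercised offline; on a server you would pass `"$(ipa config-show)"` and /etc/pki/pki-tomcat/ca/CS.cfg instead.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): confirm that a rebuilt
# server is both the CA renewal master and the CRL master.

# Print the renewal master hostname found in `ipa config-show` output ($1).
renewal_master() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p' | head -n 1
}

# Exit 0 if the CS.cfg at $1 has CRL generation enabled (CRL master), else 1.
# Both keys are false on a clone that only redirects MasterCRL requests.
crl_master_enabled() {
    grep -qx 'ca.crl.MasterCRL.enableCRLCache=true' "$1" &&
        grep -qx 'ca.crl.MasterCRL.enableCRLUpdates=true' "$1"
}

# Human-readable verdict for host $1, given config-show text $2 and CS.cfg path $3.
check_host() {
    master=$(renewal_master "$2")
    if [ "$master" = "$1" ]; then
        echo "$1: renewal master = yes"
    else
        echo "$1: renewal master = no (currently $master)"
    fi
    if crl_master_enabled "$3"; then
        echo "$1: CRL master = yes"
    else
        echo "$1: CRL master = no (MasterCRL cache/updates not both enabled in $3)"
    fi
}

# --- constructed sample input; replace with real data on an IPA server ---
SAMPLE_CONFIG_SHOW='  Maximum username length: 32
  Home directory base: /home
  IPA CA renewal master: ipa1.example.test
  Password plugin features: AllowNThash, KDC:Disable Last Success'

CFG_MASTER=$(mktemp)   # CS.cfg fragment as found on a CRL master
printf '%s\n' 'ca.crl.MasterCRL.enableCRLCache=true' \
              'ca.crl.MasterCRL.enableCRLUpdates=true' > "$CFG_MASTER"
CFG_CLONE=$(mktemp)    # CS.cfg fragment as found on a non-CRL-master clone
printf '%s\n' 'ca.crl.MasterCRL.enableCRLCache=false' \
              'ca.crl.MasterCRL.enableCRLUpdates=false' > "$CFG_CLONE"

check_host ipa1.example.test "$SAMPLE_CONFIG_SHOW" "$CFG_MASTER"
check_host ipa2.example.test "$SAMPLE_CONFIG_SHOW" "$CFG_CLONE"
```

If the renewal master line names the wrong host after a rebuild, the Howto's `ipa config-mod --ca-renewal-master-server <FQDN>` step moves it; the CS.cfg keys and the MasterCRL rewrite rule in the Apache proxy configuration still have to be changed by hand as described there.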
On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> Can you please clarify what the procedure is to rebuild the master via replication?
Honestly, no, as there isn't any clearly documented way to do this ;)
https://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform... is about as close as I've found. Current plan is to snapshot the VMs, then destroy the older one (current renewal master), replace with a new image, and install an IPA replica from the remaining server, using the same name as the prior one (possibly by force). If that doesn't work, same approach with extra steps to remove the old replica first.
Incidentally, this is partly the result of not being able to upgrade in place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when verifying the CA audit signing cert lifetime, as in this particular environment the IPA CA is signed by an external CA cert that expires in 2020. Is this bug-worthy?
-Rob
On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote:
> On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> > Can you please clarify what the procedure is to rebuild the master via replication?
> Honestly, no, as there isn't any clearly documented way to do this ;)
> https://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform... is about as close as I've found. Current plan is to snapshot the VMs, then destroy the older one (current renewal master), replace with a new image, and install an IPA replica from the remaining server, using the same name as the prior one (possibly by force). If that doesn't work, same approach with extra steps to remove the old replica first.
Thanks for elaborating. In this scenario you MUST install the CA role on the replica. But you need not promote it to renewal/CRL master, as long as you configure/verify the master to be renewal/CRL master after reinstalling it.
> Incidentally, this is partly the result of not being able to upgrade in place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when verifying the CA audit signing cert lifetime, as in this particular environment the IPA CA is signed by an external CA cert that expires in 2020. Is this bug-worthy?
It's investigation-worthy. Please provide the output of:
- certutil -d /etc/pki/pki-tomcat/alias -L
- certutil -d /etc/pki/pki-tomcat/alias -L -n 'auditSigningCert cert-pki-ca'
- getcert list
Cheers, Fraser
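The `getcert list` output Fraser asks for is long and hard to compare by eye. As an added example (not from the thread and not a FreeIPA tool), the shell snippet below condenses a `getcert list` capture into one line per tracked certificate (nickname, certmonger status, expiry, any ca-error) and then flags the certificates whose expiry falls after a given issuer Not After date, which is the comparison behind the external-CA lifetime question raised above. The capture, request IDs, hostnames and dates are constructed; on a real server pass `"$(getcert list)"` and the external CA's actual Not After value.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): summarise certmonger
# tracking state and spot certificates that would outlive their issuer.

# One line per request: nickname|status|expires|ca-error. $1 is `getcert list` text.
# Requests stored outside NSS (no nickname) are reported by request ID instead.
summarize_getcert() {
    printf '%s\n' "$1" | awk -v q="'" '
        function emit() {
            printf "%s|%s|%s|%s\n", (nick == "" ? rid : nick), status, expires, (err == "" ? "-" : err)
        }
        /^Request ID/ { if (rid != "") emit(); rid = $3; gsub(/[^0-9A-Za-z_-]/, "", rid)
                        nick = ""; status = ""; expires = ""; err = "" }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { expires = $2 " " $3 }          # keep "YYYY-MM-DD HH:MM:SS"
        /^[ \t]*ca-error:/ { err = $0; sub(/^[ \t]*ca-error:[ \t]*/, "", err) }
        /nickname=/ { rest = substr($0, index($0, "nickname=") + 10)   # text after nickname=\x27
                      nick = substr(rest, 1, index(rest, q) - 1) }
        END { if (rid != "") emit() }
    '
}

# Print the names of certificates whose expiry is later than $2, an issuer
# Not After given as "YYYY-MM-DD HH:MM:SS". ISO timestamps compare as strings.
outlives_issuer() {
    summarize_getcert "$1" | awk -F'|' -v limit="$2" '$3 > limit { print $1 }'
}

# --- constructed sample capture; replace with "$(getcert list)" on a server ---
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20181101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2019-11-12 20:52:21 UTC
Request ID '20181101120001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2019-11-12 20:52:22 UTC
Request ID '20181101120002':
    status: CA_UNREACHABLE
    ca-error: constructed sample: CA is unreachable
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2021-01-15 12:00:00 UTC
EOF
)

echo "tracked certificates:"
summarize_getcert "$SAMPLE_GETCERT"
echo "expiring after the (constructed) external CA Not After of 2020-06-30:"
outlives_issuer "$SAMPLE_GETCERT" '2020-06-30 23:59:59'
```

Anything listed by the second call, or any line with a status other than MONITORING or a non-empty ca-error, is where to start when renewals fail; the audit signing certificate in particular is the one the upgrade check in the thread complains about.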
On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote:
> > Incidentally, this is partly the result of not being able to upgrade in place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when verifying the CA audit signing cert lifetime, as in this particular environment the IPA CA is signed by an external CA cert that expires in 2020. Is this bug-worthy?
> It's investigation-worthy. Please provide the output of:
> - certutil -d /etc/pki/pki-tomcat/alias -L
> - certutil -d /etc/pki/pki-tomcat/alias -L -n 'auditSigningCert cert-pki-ca'
> - getcert list
Hey Fraser,
Ever find any time to dig into the info I'd sent for this one?
-Rob
On Mon, 12 Nov 2018, Rob Foehl via FreeIPA-users wrote:
> On Tue, 13 Nov 2018, Fraser Tweedale wrote:
> > Can you please clarify what the procedure is to rebuild the master via replication?
> Honestly, no, as there isn't any clearly documented way to do this ;)
> https://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform... is about as close as I've found. Current plan is to snapshot the VMs, then destroy the older one (current renewal master), replace with a new image, and install an IPA replica from the remaining server, using the same name as the prior one (possibly by force). If that doesn't work, same approach with extra steps to remove the old replica first.
Following up on this for posterity... Rebuilding the master by force did work eventually, although it was necessary to manually promote it as the renewal master even though the LDAP entry indicating it as such was never changed. Doing this also skewed the CA-issued certificate serial numbers by quite a lot on both replicas, and the newly reinstalled host doesn't have a whole lot in common with its former self beyond the hostname.
Should I be concerned about anything else potentially going amiss after this replacement?
> Incidentally, this is partly the result of not being able to upgrade in place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when verifying the CA audit signing cert lifetime, as in this particular environment the IPA CA is signed by an external CA cert that expires in 2020. Is this bug-worthy?
And of course this remains an issue...
-Rob