Hi,
We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Neither of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in /etc/pki/pki-tomcat/ca/CS.cfg.
Is there any more up-to-date doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you
On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,
This issue is rather unusual, so I am trying to gather as much information as possible.
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install? Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Did you initially have a CA master that was later decommissioned?
Flo
Hi Florence,
Let me give more info about our FreeIPA infrastructure. We have 8 servers in different zones, 2 per zone.
Last year we installed the first two IPAs, one from scratch and the other its first replica, both with DNS and CA. CA certificates generated by IPA itself, no external ones. Then we replicated them to two other zones, but with DNS capability only.
Now we would like to move the first ones to another zone, so we created two more replicas, but this time with CA: "ipa-replica-install --setup-dns --setup-ca --no-forwarders"
The info you've asked for:
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
ipa server-role-find shows:
Role name: CA server
Role status: enabled
for all the four masters, the first ones, and the latest ones. The other four have "Role status: disabled".
ipa config-show shows the same four instances as before on "IPA CA servers:"
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
ipa-replica-install --setup-ca
Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Yes, the CA replicas were installed yesterday. I prefer not to disclose these logs. Is it OK to send them to you directly?
Did you initially have a CA master that was later decommissioned?
No, the CA master should be the first IPA installed, still running and working OK.
Thanks!
On Tue, May 29, 2018 at 3:29 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 05/29/2018 03:54 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,
I had a quick look at the code for changing the renewal master, and the command succeeds even if you do not have any server currently marked as CA renewal master.
Re. the CRL generation master, you need to make sure that your new CA renewal master is the only one with enableCRLCache=true and enableCRLUpdates=true, and with the RewriteRule disabled. All the other masters need to have enableCRLCache=false, enableCRLUpdates=false and the RewriteRule enabled.
HTH, Flo
Hi,
Sorry about not replying to this, we could not try it till now.
We've followed the doc, and it seems to work OK, certificates can be issued without problems, so we hope that autorenewal works too.
But we have a little problem: if we try to access the certificates section of a CA-less replica, it tries to connect to the old master, giving:
IPA 4301: CertificateOperationError: Unable to communicate with CMS ([Errno -2] Name or service not known)
The old master cannot be resolved anymore, because it was removed from the topology.
We've tried to restart all services, but it seems to be cached somewhere.
Thanks
On Wed, May 30, 2018 at 6:26 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 06/26/2018 03:08 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,
Can you check in /etc/ipa/default.conf if ca_host points to the removed master? If it is the case, replace ca_host with your new renewal master.
Flo
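An added audit script (not from the thread or from the FreeIPA project) that covers both of Flo's checks: the CRL-master settings in CS.cfg together with the MasterCRL RewriteRule from her earlier reply, and ca_host in /etc/ipa/default.conf after the old master was removed. It assumes the RewriteRule lives in /etc/httpd/conf.d/ipa-pki-proxy.conf and runs against constructed sample files with placeholder hostnames; on a live server, point the functions at the real files on every CA.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from FreeIPA itself.
# Checks the two things Flo points at: (1) per-CA CRL settings in CS.cfg plus
# the MasterCRL RewriteRule, which must agree so that exactly one CA generates
# CRLs and every other CA redirects to it; (2) ca_host in /etc/ipa/default.conf,
# which must name a server that is still in the topology.
# Assumed paths: /etc/pki/pki-tomcat/ca/CS.cfg (named in the thread) and
# /etc/httpd/conf.d/ipa-pki-proxy.conf for the RewriteRule (an assumption).

# crl_role CS.cfg -> master | clone | inconsistent
crl_role() {
    cache=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLCache=//p' "$1")
    updates=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p' "$1")
    case "$cache:$updates" in
        true:true)   echo master ;;
        false:false) echo clone ;;
        *)           echo inconsistent ;;   # one key flipped, or a key missing
    esac
}

# rewrite_state proxy.conf -> enabled | disabled | missing
# "disabled" means the MasterCRL RewriteRule line is present but commented out.
rewrite_state() {
    if grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+\^/ipa/crl/MasterCRL\.bin' "$1"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*#[[:space:]]*RewriteRule[[:space:]]+\^/ipa/crl/MasterCRL\.bin' "$1"; then
        echo disabled
    else
        echo missing
    fi
}

# server_status CS.cfg proxy.conf -> ok-master | ok-clone | mismatch(role,rule)
# The CRL master serves MasterCRL.bin itself (rule off); every other CA must
# redirect to it (rule on). Any other combination breaks CRL distribution.
server_status() {
    role=$(crl_role "$1")
    rule=$(rewrite_state "$2")
    case "$role:$rule" in
        master:disabled) echo ok-master ;;
        clone:enabled)   echo ok-clone ;;
        *)               echo "mismatch($role,$rule)" ;;
    esac
}

# ca_host_in_topology default.conf "host1 host2 ..." -> prints ca_host; exits 0
# if it is one of the listed servers (e.g. the output of 'ipa server-find'), else 1
ca_host_in_topology() {
    host=$(sed -n 's/^ca_host[[:space:]]*=[[:space:]]*//p' "$1")
    echo "$host"
    for h in $2; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# make_samples DIR: constructed config fragments for two CAs plus one half-edited
# server; the hostnames are placeholders, not real hosts.
make_samples() {
    rule='RewriteRule ^/ipa/crl/MasterCRL.bin https://newca.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]'
    printf '%s\n' ca.crl.MasterCRL.enableCRLCache=true  ca.crl.MasterCRL.enableCRLUpdates=true  > "$1/master-CS.cfg"
    printf '%s\n' ca.crl.MasterCRL.enableCRLCache=false ca.crl.MasterCRL.enableCRLUpdates=false > "$1/clone-CS.cfg"
    printf '%s\n' ca.crl.MasterCRL.enableCRLCache=true  ca.crl.MasterCRL.enableCRLUpdates=false > "$1/bad-CS.cfg"
    printf '%s\n' "# $rule" > "$1/master-proxy.conf"
    printf '%s\n' "$rule"   > "$1/clone-proxy.conf"
    # default.conf still naming the decommissioned master, as in the thread
    printf '%s\n' '[global]' 'realm = EXAMPLE.TEST' 'ca_host = oldca.example.test' > "$1/default.conf"
}

# Demo over the constructed fleet; on real servers point the functions at the
# live files and run the checks on every CA.
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for s in master clone; do
    echo "$s: $(server_status "$SAMPLES/$s-CS.cfg" "$SAMPLES/$s-proxy.conf")"
done
echo "bad: $(server_status "$SAMPLES/bad-CS.cfg" "$SAMPLES/clone-proxy.conf")"
if host=$(ca_host_in_topology "$SAMPLES/default.conf" 'newca.example.test ipa2.example.test'); then
    echo "ca_host $host is in the topology"
else
    echo "ca_host $host is not in the topology: fix default.conf and restart httpd"
fi
```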
Yes! The old server was referenced there. Changed it and restarted httpd.
Can I suggest updating the doc with this?
Thank you so much Florence.
On Tue, Jun 26, 2018 at 4:04 PM Florence Blanc-Renaud flo@redhat.com wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...