Thanks,
The working replica was installed without CA.
This is what I can find in the replica install log, from the replica that is working.
ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-replica.ams.mydomain.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'setup_ca': False, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
DEBUG args=/usr/sbin/ipa-replica-conncheck --master master.bxl.mydomain --auto-master-check --realm MYDOMAIN --principal theboss --hostname replica.ams.mydomain
Is there a command that can be used to poll for the CA master?
ROB VAN HALTEREN AV | IT System Engineer Entrepotdok 66 NL-1018 AD Amsterdam T: +31 20 530 9696 F: +31 20 530 9697 www.filmmore.eu http://www.filmmore.eu/
Rob van Halteren via FreeIPA-users wrote:
Not sure what you mean by poll for the CA master. If that machine is gone/dead/otherwise not up then you don't have a lot of good options.
For newer IPAs a procedure was worked out so that a replacement CA can be created: https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost...
Read it very carefully as this is a disruptive operation and untested in IPA v3 (from a quick scan, a bunch of the commands aren't even available in v3, like ipa ca-*, server-find, etc.).
I don't know if this will work at all with v3.
Also note that this generates a completely brand new CA which means you'll need to distribute an updated /etc/ipa/ca.crt around and update or replace any existing certificates that have been issued.
You'll almost certainly want to snapshot your VM before proceeding.
rob
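On the question of finding out which server currently holds the CA, here is an added example (not from either poster) that reads the server-role entries FreeIPA keeps under cn=masters,cn=ipa,cn=etc,<suffix>. It assumes the LDIF comes from a query such as `ldapsearch -LLL -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" ipaConfigString`; the sample LDIF below is constructed, and the hostnames and suffix are placeholders taken from the thread.

```python
"""List CA servers and the renewal master from FreeIPA's cn=masters tree (added example)."""
import re

# Constructed sample of ldapsearch LDIF output; entry layout (cn=CA under each
# server, ipaConfigString flags) is an assumption about FreeIPA's server roles.
# One dn is folded across two lines the way ldapsearch wraps long values.
SAMPLE_LDIF = """\
dn: cn=CA,cn=master.bxl.mydomain,cn=masters,cn=ipa,cn=etc,dc=mydomain
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=KDC,cn=replica.ams.mydomain,cn=masters,cn=ipa,cn=etc,dc=mydomain
ipaConfigString: enabledService

dn: cn=CA,cn=ca2.bxl.mydomain,cn=masters,cn=ipa,cn=etc,dc=mydo
 main
ipaConfigString: enabledService
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_ldif(text):
    """Return {hostname: set(ipaConfigString values)} for cn=CA entries only."""
    servers, host = {}, None
    for line in unfold(text):
        if line.startswith("dn:"):
            m = re.match(r"dn:\s*cn=CA,cn=([^,]+),cn=masters,", line)
            host = m.group(1) if m else None  # non-CA roles (KDC, DNS, ...) are skipped
            if host:
                servers[host] = set()
        elif host and line.lower().startswith("ipaconfigstring:"):
            servers[host].add(line.split(":", 1)[1].strip())
        elif not line.strip():
            host = None  # blank line ends the entry
    return servers

def ca_servers(servers):
    """Hostnames whose CA role is enabled."""
    return sorted(h for h, flags in servers.items() if "enabledService" in flags)

def renewal_master(servers):
    """The single host flagged caRenewalMaster, or None if none or more than one."""
    flagged = [h for h, flags in servers.items() if "caRenewalMaster" in flags]
    return flagged[0] if len(flagged) == 1 else None

if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print("CA servers:", ca_servers(roles))
    print("renewal master:", renewal_master(roles))
```

The directory entries do not disappear when the host itself is dead, so a name returned here still has to be checked for reachability before relying on it.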