I may be going about this in the hardest way possible, so let me stop and roll everything back to my root need:
I have two IPA servers which manage our infrastructure. We used to have three, but a catastrophic failure on one led to its total loss. And it was our CA.
So now we have no CA -- is there a way to promote an existing system to take over? I realize it may well mean distributing a new root CA cert to everyone, but that seems less painful now than trying to set up a brand new cluster of servers and try to port our data over to them...
Bret Wortman via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
I may be going about this in the hardest way possible, so let me stop and roll everything back to my root need:
I have two IPA servers which manage our infrastructure. We used to have three, but a catastrophic failure on one led to its total loss. And it was our CA.
So now we have no CA -- is there a way to promote an existing system to take over? I realize it may well mean distributing a new root CA cert to everyone, but that seems less painful now than trying to set up a brand new cluster of servers and try to port our data over to them...
I'd start looking for the ca data in LDAP. If you still have it, you might be lucky - if not there's no way to recreate the data (besides a backup of the failed server - which I guess doesn't exist any longer).
Do you have a tree o=ipaca in your LDAP?
Jochen
If this is the correct search, then no. It's gone.
# ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
On 02/21/2018 11:45 AM, Jochen Hein wrote:
I'd start looking for the ca data in LDAP. If you still have it, you might be lucky - if not there's no way to recreate the data (besides a backup of the failed server - which I guess doesn't exist any longer).
Do you have a tree o=ipaca in your LDAP?
Jochen
Bret Wortman via FreeIPA-users wrote:
If this is the correct search, then no. It's gone.
# ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
It wouldn't matter much anyway because the private keys aren't stored in LDAP. What you'd need is the cacert.p12 generated by the original installation.
The dogtag team has some instructions for standing up a new CA with just the certs but the IPA team hasn't had time to evaluate them at all, http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_Certificates_u...
This seems to assume you have an existing, working server as well.
But basically if you don't have the original CA keys anywhere you are completely dead in the water. If you have them there is a remote chance you could stand up a replacement CA but:
- we can't help you do it because we've never done it
- we don't know what sort of dragons would be lurking (revocations would blow up, for example, because the certs aren't there because you don't have o=ipaca).
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I found a /root/cacert.p12 file on both of the original servers. Is there a way to tell if one of them is the right one? They're not identical. I doubt they're from the original ca but it might be worth a look.
If not, then I guess I'm back to focusing on my other question about logins over ssh versus console & GDM and moving forward with a completely new installation while trying to retain as much data as possible.
Thanks for your help on this, guys.
Bret
On 02/21/2018 03:47 PM, Rob Crittenden wrote:
It wouldn't matter much anyway because the private keys aren't stored in LDAP. What you'd need is the cacert.p12 generated by the original installation.
The dogtag team has some instructions for standing up a new CA with just the certs but the IPA team hasn't had time to evaluate them at all, http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_Certificates_u...
This seems to assume you have an existing, working server as well.
But basically if you don't have the original CA keys anywhere you are completely dead in the water. If you have them there is a remote chance you could stand up a replacement CA but:
- we can't help you do it because we've never done it
- we don't know what sort of dragons would be lurking (revocations would blow up, for example, because the certs aren't there because you don't have o=ipaca).
rob
Bret Wortman via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
If this is the correct search, then no. It's gone.
Now, if you don't have the private keys any longer (see Rob's mail), we should consider your CA really gone. I'd look at ipa-ca-install and something like https://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion. You'll need to refresh the CA certs and certificates on all clients after recreating a new CA. Use a new CA subject with --subject...
Getting dogtag going probably won't be easy, but we'll see. I had problems after cert renewal, but got dogtag up with password authentication temporarily and could fix certs/ldap.
Jochen
hi,
On Wed, Feb 21, 2018 at 4:48 PM, Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I may be going about this in the hardest way possible, so let me stop and roll everything back to my root need:
I have two IPA servers which manage our infrastructure. We used to have three, but a catastrophic failure on one led to its total loss. And it was our CA.
So now we have no CA -- is there a way to promote an existing system to take over? I realize it may well mean distributing a new root CA cert to everyone, but that seems less painful now than trying to set up a brand new cluster of servers and try to port our data over to them...
I think you should read this carefully, but it should work:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles#server-roles-promote-to-ca
The whole CA data is replicated among all ldap servers, so it should be fixable.
Good luck!
I think you should read this carefully, but it should work:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles#server-roles-promote-to-ca
The whole CA data is replicated among all ldap servers, so it should be fixable.
This is true obviously only if you installed the replicas with the CA services, of course.
We built brand new servers, took xml dumps from the existing ones, wrote custom scripts to load that into the new ones, and spent a weekend cutting over. So yes, but no. We now have a functioning CA but it wasn't exactly replaced; we had to build a new set of replicas around it.
On 09/26/2018 10:36 AM, Andrey Bondarenko via FreeIPA-users wrote:
Bret, did you have any luck at the end of the day?