On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):

On the v4.6.4 replica (ipa<3>):

  $ sudo ipa config-show |grep 'CA renewal master'
  [sudo] password for <user>:
  $
  $

On the v3.0.0 (ipa<1>):

  $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
  [sudo] password for <user>:
  Enter LDAP Password:
  # extended LDIF
  #
  # LDAPv3
  # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
  # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
  # requesting: dn
  #

  # search result
  search: 2
  result: 0 Success

  # numResponses: 1
Hi, the ipaConfigString=caRenewalMaster attribute was introduced in FreeIPA 4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised that the search does not return anything. When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica was installed, the attribute was not added since the new replica wasn't CA master.
As the attribute is not set at all, the ipa config-show command (internally using the same ldapsearch you did) is unable to find a CA master.
If you want to move the CA master role to ipa3, just follow the steps in [1], making sure to apply the steps for the corresponding IPA version.
Also please note that we do not recommend using versions 3.x and 4.x together over a long period of time. This is completely OK when you want to migrate but once you have ensured all the services are properly working, the 3.x master should be decommissioned. Please see [2].

HTH,
flo

[1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:

  $ sudo ipa server-role-find --role 'CA server'
  [sudo] password for <user>:
  3 server roles matched
    Server name: ipa<2>.mydomain.local
    Role name: CA server
    Role status: absent

    Server name: ipa<1>.mydomain.local
    Role name: CA server
    Role status: enabled

    Server name: ipa<3>.mydomain.local
    Role name: CA server
    Role status: absent
  Number of entries returned 3

And on the v3.0.0 (ipa<1>) I get:

  $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
  Enter LDAP Password:
  # extended LDIF
  #
  # LDAPv3
  # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
  # filter: (&(cn=CA)(ipaConfigString=caServer))
  # requesting: dn
  #

  # search result
  search: 2
  result: 0 Success

  # numResponses: 1
I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
The way forward is not clear.

-Steven Auerbach

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
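As an added illustration (not code from the thread or from FreeIPA itself), the following Python parses the LDIF that the ldapsearch above returns for the cn=masters subtree and reports which hosts carry a CA service entry and which one, if any, is flagged caRenewalMaster; the sample LDIF, host names and domain are constructed. It distinguishes the situation Flo describes (no entry is flagged, so the renewal master is None) from a topology where one server has been promoted.

```python
import re

# Constructed sample output (not a real capture) of
#   ldapsearch -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=test' '(cn=CA)' ipaConfigString
# for a topology where only ipa1 carries the CA role and no entry was ever
# marked caRenewalMaster, the state Flo describes above.
SAMPLE_LDIF = """\
# base <cn=masters,cn=ipa,cn=etc,dc=example,dc=test> with scope subtree
# filter: (cn=CA)

# CA, ipa1.example.test, masters, ipa, etc, example.test
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService

# search result
search: 2
result: 0 Success

# numResponses: 2
"""

# The host name of a CA service entry is the second RDN of its DN.
DN_HOST = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,", re.IGNORECASE)


def parse_ldif(text):
    """Map each CA entry's host name to its ipaConfigString values.
    Comment lines, the search/result summary and blank separators are skipped."""
    entries, host = {}, None
    for line in text.splitlines():
        if not line.strip():        # blank line ends the current entry
            host = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            match = DN_HOST.match(value.strip())
            host = match.group(1) if match else None
            if host is not None:
                entries[host] = []
        elif attr == "ipaConfigString" and host is not None:
            entries[host].append(value.strip())
    return entries


def ca_status(text):
    """CA servers found, and the renewal master or None when the flag is unset."""
    entries = parse_ldif(text)
    masters = [h for h, flags in entries.items() if "caRenewalMaster" in flags]
    return {"ca_servers": sorted(entries), "renewal_master": masters[0] if masters else None}
```

Feed it the output of the real ldapsearch (requesting ipaConfigString rather than only dn) to see the same answer that `ipa config-show` derives internally.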
After several weeks I am moving back to this project.
I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
Background: When I added the Linux 7 / IPA v4 system (ipa3) I used an export from the original IPA v3 (ipa1) as the input to an ipa-create-replica command.
When I execute the command for ipa version < 4.0 to verify certificate master on all three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)

  $ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save

the response I get

  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"

is the same on all three servers.

Several Questions:
Is this as expected or does it indicate a problem?
Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
Is this done before unconfiguring master status on the ipa v3 servers or after?
Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
What to do about the same information on ipa3 (the ipa v4 server) at this point?

I have no lab in which to try this update, so I am making these changes across a production datacenter and I am EXCEEDINGLY wary of breaking everything.
Advice appreciated.
Steven Auerbach
ASSISTANT DIRECTOR OF INFORMATION SYSTEMS
INFORMATION TECHNOLOGY & SECURITY
State University System of Florida Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu

-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Tuesday, August 27, 2019 9:20 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Auerbach, Steven Steven.Auerbach@flbog.edu
Subject: Re: [Freeipa-users] CA Master Confusion