Ricardo Mendes wrote:
Hi Rob,
Thank you for all your help so far. I haven't written back before because I've been swamped. OK, so I was going kind of crazy about the lost access to LDAP. In the meantime there were developments on the server that had the FreeIPA replica, and it is back up. So now I have this:
- Master is malfunctioning. pki-tomcat can't connect to the CMS, as I had described before; this server is struggling.
- Replica is working fine. I can access all services and everything seems operational apart from what would need the CA master.
Given this, I was thinking that maybe the best scenario would be to promote the replica to CA master and completely decommission the failing server. I was going through this article; is this all I need to make the replica the CA master?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
You need to move the CRL generator and, more importantly, set the CA renewal master. Also check DNA ranges, and a few more things IIRC. I think it's all in the docs.
I'd also stand up a 3rd master just in case.
rob
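The steps Rob lists above, put together as one dry-run-able script. This is an added example, not something posted in the thread or shipped by the FreeIPA project; the hostnames are assumptions (the healthy replica is called id01 on the page, the domain and the failing master's name are made up here), and the CS.cfg / ipa-pki-proxy.conf edits follow the manual CRL-generator procedure in the RHEL 7 guide that is linked. By default it only prints each command; run it with DRY_RUN=0 as root on the surviving replica, with an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): promote a
# surviving replica to CA renewal master and CRL generator, check DNA
# ranges, then remove the failing master from the topology.
# Assumptions: NEW is the healthy replica (id01 on the page, domain assumed),
# OLD is the failing master (name assumed). DRY_RUN=1 (default) prints each
# command instead of running it; DRY_RUN=0 executes them on the NEW host.

CS_CFG=/etc/pki/pki-tomcat/ca/CS.cfg
PKI_PROXY=/etc/httpd/conf.d/ipa-pki-proxy.conf

run() {
    # Print in dry-run mode, execute otherwise.
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

promote_ca_master() {
    new="$1"; old="$2"

    # 1. CA renewal master: the single server that renews the CA subsystem
    #    certificates and publishes them for the other replicas to pick up.
    run ipa config-mod --ca-renewal-master-server "$new"

    # 2. CRL generation (RHEL 7 manual procedure): enable CRL cache and
    #    updates in CS.cfg on the new generator and comment out the
    #    MasterCRL redirect in the Apache proxy config, then restart.
    #    FreeIPA 4.7+ ships "ipa-crlgen-manage enable", which does this
    #    for you; the sed form is for older releases.
    run sed -i 's/^ca\.crl\.MasterCRL\.enableCRLCache=.*/ca.crl.MasterCRL.enableCRLCache=true/' "$CS_CFG"
    run sed -i 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=.*/ca.crl.MasterCRL.enableCRLUpdates=true/' "$CS_CFG"
    run sed -i 's|^RewriteRule ^/ipa/crl/MasterCRL.bin|#&|' "$PKI_PROXY"
    run systemctl restart pki-tomcatd@pki-tomcat.service httpd.service

    # 3. DNA ranges: the retiring master may own the only unused UID/GID
    #    range. Show the current and "next" ranges before removing it so a
    #    range can be handed over with "ipa-replica-manage dnarange-set".
    run ipa-replica-manage dnarange-show
    run ipa-replica-manage dnanextrange-show

    # 4. Only after the roles have moved: drop the failing server from the
    #    topology, which also removes its replication agreements.
    run ipa server-del "$old" --force

    # 5. Verify: the "IPA CA renewal master" line should now name $new.
    run ipa config-show
}

# Usage: DRY_RUN=0 sh promote.sh id01.example.test id00.example.test
if [ "$#" -ge 2 ]; then
    promote_ca_master "$1" "$2"
fi
```

The ordering matters: move the renewal master and CRL roles first, check the DNA ranges, and remove the old server last, otherwise the role and the unused range go away with it. If the failing master is still reachable, the mirror-image CS.cfg change (both values set to false, RewriteRule uncommented) should be made there so two servers do not both generate CRLs.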
Hello again Rob,
I really would like to express my appreciation for the feedback you've been giving and for trying to help, man, really amazing!
I have detailed some of the issues I'm going through now here: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
But basically, I disabled the DNSSEC master on the first server (last lines of the output at that link). That went reasonably well apart from the "can't connect to CMS" error. So then, when I tried to set up DNSSEC on the replica, it said there's already a DNSSEC key master. Basically, anything that's done is out of sync.
One thing I did was to run "ipa-cacert-manage renew --self-signed" on the CA master, as I was looking to return to a more... comfortable/default configuration, and also to see if maybe this would fix the pki-tomcat issue. It did not, but the command ran OK. I think the other servers don't know about it, though.
I also tried to set up another master.
First I installed ipa-client; the output here: https://pastebin.com/4y8ipupc has some errors.
Then, when installing the replica, I got the following: https://pastebin.com/JXVqSmLs
So it fails with wrong credentials, BUT that server (id01) is the server that is accepting the correct DM password, and so I'm not able to create another replica.
- If I removed the references to the CA master and the DNSSEC key master on the replica (id01) manually, deleting the references, could I then re-add those roles to other replicas?
- Are there any files I can copy from the replica that is working (and accepting the correct DM password) to the first master, to restore some functionality? Or some way to fix the pki-tomcat connection to LDAP?
Regarding the first master with the failing CMS, I've also been through Florence's blog, particularly this article: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat...
- the CS.cfg file seems normal, with expected values
- the "subsystemCert cert-pki-ca" is present
- the private key can be read using the password
- certmap.conf looks all correct
- running the command "ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso" fails, as the DM password is rejected. But I am 100% sure of the DM password, and the DM password works on the replica.
So I can't get past this in troubleshooting pki-tomcat.
I've been with these issues for so long that I'm starting to think I should just start a clean new setup and migrate things manually somehow. Everything just looks out of sync and completely broken, and I'm losing hope each time. I've been through the docs, but the solutions proposed are not working; I've tried a couple. There's always some error, or it seems that something works, but then you realize it only worked locally and was not propagated (like the DNSSEC key master). I don't know where to turn next.
Kind regards, Ricardo
freeipa-users@lists.fedorahosted.org