Ricardo Mendes via FreeIPA-users wrote:
Hello again Rob,
I really would like to express my appreciation for the feedback you've
been giving and for trying to help, man, really amazing!
I have detailed some of the issues I'm going through now here:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
But basically, I disabled DNSSEC Master on the first server (last lines
of the output on that link) that went reasonably well apart from the
can't connect to CMS error. So then when I tried to setup the DNSSEC on
the replica, it says there's already a DNSSEC key master. Basically
anything that's done is out of sync.
See
https://www.freeipa.org/page/Howto/DNSSEC#Migrate_DNSSEC_master_to_anothe...
One thing I did actually was to run “ipa-cacert-manage renew
--self-signed” on the CA Master as I was looking to return to a more...
comfortable/default configuration and also I was looking to see if maybe
this would fix the pki-tomcat issue. It did not, but the command ran OK.
but I think the other servers don't know about it.
Uhh. Your CA was already self-signed wasn't it? All you did before was
replace the HTTP and LDAP certs right?
I also tried to setup another master.
First installed ipa-client, output here:
https://pastebin.com/4y8ipupc
has some errors.
What is the server idi3? It reports as an IPA master but it wasn't verified.
Then when installing replica, got the following:
https://pastebin.com/JXVqSmLs
So it fails with wrong credentials BUT that server (id01) is the server
that is accepting the correct DM password, and so I'm not able to
create another replica.
It isn't the DM password that is bad it's something else. Look at the
log file as the output suggests, it may have additional details.
- If I removed the references to CA Master on the replica (id01) and for
the dnssec key master manually, deleting references, could I then re-add
that role to other replicas?
You have to have a CA to clone from. For DNSSEC yes, see the link above.
- Are there any files I can copy from the replica that is working (and
accepting the correct DM password) to the first master, to restore some
functionality? Or even some way to fix the pki-tomcat connection to LDAP?
It is likely not something that straightforward.
Regarding the first master with the failing CMS, I've also been through
Florence's blog, particularly this article:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
- the CS.cfg file seems normal with expected values
- the "subsystemCert cert-pki-ca" is present
- the private key can be read using the password
- certmap.conf looks all correct
- running the command "ldapsearch -LLL -D 'cn=directory manager' -W -b
uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso"
fails as the DM password is rejected. But I am 100% sure of the DM password
and the DM password works on the replica.
Then perhaps it really is different. The DM password isn't replicated.
You might try copying the hash from the working to the non-working
master. See
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpas...
And then follow
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
So I can't go past this on troubleshooting pki-tomcat.
I've been with these issues for so long that I'm starting to think if I
should just start a clean new setup and migrate things somehow
manually? Everything just looks out of sync, completely broken and I am
getting less hope each time. Been through the docs but the solutions
proposed are not working, I've been trying a couple. There's always some
errors, or it seems that something works, but then you realize it only
worked locally, but was not propagated (like the dnssec key master).
Don't know where to turn next.
It depends on how many entries you have. Migration in IPA is more meant
from a pure-LDAP solution to IPA. There is currently no easy IPA to IPA
migration, retaining everything as-it-was.
rob
Kind regards,
Ricardo
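A small check for the point Rob makes above, that the Directory Manager password is not replicated and the hash can be copied from the working server to the broken one. This is an added example, not code from the thread, from FreeIPA or from 389 DS: it reads nsslapd-rootpw out of two constructed dse.ldif cn=config snippets (unfolding LDIF continuation lines), reports whether the hashes match, and builds the ldapmodify LDIF that would copy the working value across. The dse.ldif contents and hash strings are constructed placeholders, not real hashes.

```python
import base64

# Constructed samples of the cn=config entry as it appears in a 389 DS dse.ldif.
# Long values are folded onto continuation lines that start with a space (RFC 2849).
# The hash strings are placeholders, not real password hashes.
WORKING_DSE = """dn: cn=config
cn: config
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: {PBKDF2_SHA256}AAAgAEJzY29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJl
 YWwtaGFzaA==
nsslapd-port: 389
"""
BROKEN_DSE = """dn: cn=config
cn: config
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: {PBKDF2_SHA256}AAAgAG90aGVyLWNvbnN0cnVjdGVkLXZhbHVlLW5vdC1y
 ZWFsLWVpdGhlcg==
nsslapd-port: 389
"""


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (lines starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def get_attr(text, name):
    """Return the first value of attribute `name` in an LDIF entry, or None.
    Handles both 'attr: value' and the base64 'attr:: value' form."""
    for line in unfold_ldif(text):
        if line.lower().startswith(name.lower() + "::"):
            return base64.b64decode(line.split("::", 1)[1].strip()).decode()
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def rootpw_in_sync(working, broken):
    """True when both servers carry the same Directory Manager password hash."""
    return get_attr(working, "nsslapd-rootpw") == get_attr(broken, "nsslapd-rootpw")


def sync_ldif(working):
    """LDIF that sets cn=config on another server to the working server's hash."""
    pw = get_attr(working, "nsslapd-rootpw")
    return "dn: cn=config\nchangetype: modify\nreplace: nsslapd-rootpw\nnsslapd-rootpw: " + pw + "\n"


if __name__ == "__main__":
    print("in sync:", rootpw_in_sync(WORKING_DSE, BROKEN_DSE))
    print(sync_ldif(WORKING_DSE))
```

The LDIF can only be applied with ldapmodify where a Directory Manager bind still works; on the server that rejects the DM password, the same value has to be written into dse.ldif with the instance stopped, which is what the 389 DS howto Rob links covers.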
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...