Hi Florence,
Let me give more info about our FreeIPA infrastructure. We have 8 servers in different zones, 2 per zone.
Last year we installed the first two IPAs, one from scratch and the other as its first replica, both with DNS and CA. The CA certificates were generated by IPA itself, no external ones.
Then we replicated them to two other zones, but with DNS capability only.
Now we would like to move the first ones to another zone, so we created two more replicas, this time with CA: "ipa-replica-install --setup-dns --setup-ca --no-forwarders"
The info you've asked for:
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
ipa server-role-find shows:
Role name: CA server
Role status: enabled
for all four masters, the first ones and the latest ones. The other four have "Role status: disabled".
ipa config-show shows the same four instances as before on "IPA CA servers:"
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
ipa-replica-install --setup-ca
Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Yes, the CA replicas were installed yesterday. I prefer not to disclose these logs. Is it OK to send them to you directly?
Did you initially have a CA master that was later decommissioned?
No, the CA master should be the first IPA installed, still running and
working OK.
Thanks!
On Tue, May 29, 2018 at 3:29 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
> Hi,
>
> We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
>
>
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
>
> ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
> # filter: (ipaConfigString=caRenewalMaster)
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Neither of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in /etc/pki/pki-tomcat/ca/CS.cfg
>
> Is there any more updated doc about this?
>
> All FreeIPA servers are:
>
> CentOS Linux release 7.5.1804 (Core)
> VERSION: 4.5.4, API_VERSION: 2.228
>
> Thank you
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
Hi,
This issue is rather unusual, so I am trying to gather as much information as possible.
Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
Did you initially have a CA master that was later decommissioned?
Flo
--
Carlos Fernández Manteiga
BitBan Technologies S.L.
E-mail: cfernandez(a)bitban.com
Tel.: (+34) 91 433 76 83
C/ Princesa, 2, 6ª-1
28008 Madrid
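The thread turns on two checks: which cn=CA entries under cn=masters,cn=ipa,cn=etc,<suffix> carry ipaConfigString=caRenewalMaster (the attribute the ldapsearch above filtered on, and the one FreeIPA 4.5 reports as "IPA CA renewal master" in ipa config-show), and which CS.cfg has ca.crl.MasterCRL.enableCRLUpdates=true. The script below is an added example, not code from the thread or from FreeIPA: it parses an LDIF dump of that subtree plus CS.cfg fragments and reports the renewal master, or the absence of one, which is the situation the poster hit. The LDIF and CS.cfg samples are constructed, the example.test hostnames are placeholders, and the assumption is that the subtree holds one cn=CA,cn=<fqdn>,... entry per CA server whose ipaConfigString values include enabledService and, on one server, caRenewalMaster.

```python
"""Report FreeIPA CA servers, the CA renewal master and the CRL master from
an LDIF dump of cn=masters,cn=ipa,cn=etc,<suffix> and CS.cfg contents.

Added example; not FreeIPA code. Input assumed to come from something like
  ldapsearch -LLL -D 'cn=Directory Manager' -W \
    -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=test' '(cn=CA)' ipaConfigString
"""
import re

# Constructed LDIF (not a capture from the poster's servers). ipa7 has a CA
# entry without enabledService; servers with no CA role have no cn=CA entry.
SAMPLE_LDIF = """\
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService

dn: cn=CA,cn=ipa7.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: startOrder 50
"""

# Constructed /etc/pki/pki-tomcat/ca/CS.cfg fragments keyed by server.
SAMPLE_CS_CFG = {
    "ipa1.example.test": "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipa2.example.test": "ca.crl.MasterCRL.enableCRLUpdates=false\n",
}

CA_DN_RE = re.compile(r"^cn=CA,cn=(?P<fqdn>[^,]+),cn=masters,cn=ipa,cn=etc,",
                      re.IGNORECASE)


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folds LDIF continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:      # continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries


def ca_servers(ldif_text):
    """Map each CA server FQDN to its enabled/renewal-master flags."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        m = CA_DN_RE.match(dn)
        if not m:
            continue
        flags = set(attrs.get("ipaconfigstring", []))
        result[m.group("fqdn")] = {
            "enabled": "enabledService" in flags,
            "renewal_master": "caRenewalMaster" in flags,
        }
    return result


def renewal_masters(ldif_text):
    """All servers flagged caRenewalMaster (should be exactly one)."""
    return sorted(h for h, f in ca_servers(ldif_text).items() if f["renewal_master"])


def crl_master_enabled(cs_cfg_text):
    """True when CS.cfg has ca.crl.MasterCRL.enableCRLUpdates=true."""
    for line in cs_cfg_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ca.crl.MasterCRL.enableCRLUpdates":
            return value.strip().lower() == "true"
    return False


def diagnose(ldif_text, cs_cfg_by_host):
    """Findings to act on; empty list means the topology looks consistent."""
    findings = []
    servers = ca_servers(ldif_text)
    masters = renewal_masters(ldif_text)
    if not servers:
        findings.append("no cn=CA entries under cn=masters")
    elif not masters:
        findings.append("no server carries ipaConfigString=caRenewalMaster")
    elif len(masters) > 1:
        findings.append("more than one renewal master: " + ", ".join(masters))
    for host, flags in sorted(servers.items()):
        if flags["renewal_master"] and not flags["enabled"]:
            findings.append(f"{host} is renewal master but lacks enabledService")
    crl = [h for h, cfg in cs_cfg_by_host.items() if crl_master_enabled(cfg)]
    if cs_cfg_by_host and not crl:
        findings.append("no CS.cfg has ca.crl.MasterCRL.enableCRLUpdates=true")
    return findings


if __name__ == "__main__":
    print("CA servers:", ca_servers(SAMPLE_LDIF))
    print("renewal master:", renewal_masters(SAMPLE_LDIF))
    print("findings:", diagnose(SAMPLE_LDIF, SAMPLE_CS_CFG))
```

Run against a real dump, an empty result from renewal_masters() together with a "no CS.cfg has ... =true" finding reproduces the poster's state: the topology has CA servers but none has been designated renewal or CRL master, so there is nothing to "promote from"; the fix is to designate one rather than to keep searching for the current master.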