We've had problems with our master IPA server. The issue was that the second master-replica
died due to an issue with the hypervisor, and we lost access to the first master as the
Let's Encrypt certificates expired.
In the meantime we got to renew some certificates, but the CA master functionality is
broken and I get errors about not being able to reach CMS.
OK, so then we salvaged the other server, the replica. We were able to bring it up, but it
is out of sync with the primary master.
This primary master is having issues. pki-tomcat is malfunctioning: it is able to start, but with
an error "Subsystem unavailable". I always have to use --ignore-service-failures
and --skip-version-check to get the IPA services working.
So our objective now is to remove this primary master from the topology and promote another
server to be DNSSEC key master and CA master.
First question about CA Master:
To promote a replica to CA master is this all I have to do?
Second question about DNSSEC Key Master:
We disabled the dnssec key master with the command
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Exporting DNSSEC data before uninstallation
ipaserver.plugins.dogtag: ERROR ra.find(): Unable to communicate with CMS (500)
Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateOperationError: Certificate operation cannot be completed: Unable to
communicate with CMS (500)
and querying for dnssec key master:
ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: rmendes(a)DOMAIN.IO
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
# base <dc=domain,dc=io> (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
# search result
result: 0 Success
# numResponses: 1
However, if I make the same query on the replica servers, they still return the DNSSEC Key
Master, preventing me from restarting the DNSSEC key master on any other server.
How can I manually remove this orphaned reference so I can proceed with the DNSSEC key master?
I have backed up the kasp.db.backup generated upon disabling the first master.
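An added example, not from this thread: a small Python script that runs the same ldapsearch filter against each server in the topology and lists which ones still return a dnssecKeyMaster entry, so the out-of-sync replicas can be identified and the reference checked on every server before anything is changed. The hostnames, the base DN and the DNSSEC entry in the sample output are constructed; it assumes a valid Kerberos ticket for GSSAPI.

```python
import subprocess
from typing import Dict, List

# The filter from the original post: DNSSEC service entries that still carry the key-master flag.
FILTER = "(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))"

# Constructed sample output (not captured from a real server) so the parser can run offline.
SAMPLE_MASTER = "# extended LDIF\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 1\n"
SAMPLE_REPLICA = (
    "dn: cn=DNSSEC,cn=ipa1.domain.io,cn=masters,cn=ipa,cn=etc,dc=domain,dc=io\n"
    "ipaConfigString: enabledService\n"
    "ipaConfigString: dnssecKeyMaster\n\n"
    "search: 2\nresult: 0 Success\n\n# numResponses: 2\n"
)

def parse_ldif(ldif: str) -> List[Dict[str, List[str]]]:
    """Split ldapsearch LDIF output into entries; comments are skipped and folded lines rejoined."""
    entries, current, last_key = [], {}, None
    for raw in ldif.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key:          # continuation of the previous attribute value
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():                            # a blank line terminates an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.lstrip(":").strip())  # base64 ('::') left undecoded
        last_key = key
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]          # drops the trailing 'search:/result:' block

def key_master_dns(ldif: str) -> List[str]:
    """DNs of entries that still advertise dnssecKeyMaster."""
    return [e["dn"][0] for e in parse_ldif(ldif) if "dnssecKeyMaster" in e.get("ipaConfigString", [])]

def query_server(host: str, base: str) -> str:
    """Run the same GSSAPI-bound search against one server (assumes a valid Kerberos ticket)."""
    cmd = ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{host}", "-b", base, FILTER, "ipaConfigString"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    hosts = ["ipa1.domain.io", "ipa2.domain.io"]       # constructed hostnames; replace with your topology
    for host in hosts:                                  # servers that disagree are out of sync
        print(host, "->", key_master_dns(query_server(host, "dc=domain,dc=io")) or "no dnssecKeyMaster entry")
```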