After several weeks I am moving back to this project.
I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
Background: When I added the Linux 7 / Ipa v4 system (ipa3) I used an export from the
original ipa v3 (ipa1) as the input to an ipa-create-replica command.
When I execute the command for ipa version < 4.0 to verify certificate master on all
three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)
$ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
the response I get
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
is the same on all three servers.
Several Questions:
Is this as expected or does it indicate a problem?
Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
Is this done before unconfiguring master status on the ipa v3 servers or after?
Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
What to do about the same information on ipa3 (the ipa v4 server) at this point?
I have no lab in which to try this update, so I am making these changes across a
production datacenter and I am EXCEEDINGLY wary of breaking everything.
Advice appreciated.
Steven Auerbach
ASSISTANT DIRECTOR OF INFORMATION SYSTEMS
INFORMATION TECHNOLOGY & SECURITY
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu
-----Original Message-----
From: Florence Blanc-Renaud <flo(a)redhat.com>
Sent: Tuesday, August 27, 2019 9:20 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
Subject: Re: [Freeipa-users] CA Master Confusion
On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
As I work through understanding the current state of my CA mastering
in this realm I am getting results I do not understand from these ipa commands (on the
v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
On the v4.6.4 replica (ipa<3>):
$ sudo ipa config-show |grep 'CA renewal master'
[sudo] password for <user>:
$
$
On the v3.0.0 (ipa<1>):
$ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
[sudo] password for <user>:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Hi,
the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised
that the search does not return anything.
When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica
was installed, the attribute was not added since the new replica wasn't CA master.
As the attribute is not set at all, the ipa config-show command (internally using the same
ldapsearch you did) is unable to find a CA master.
If you want to move the CA master role to ipa3, just follow the steps in [1], making sure
to apply the steps for the corresponding IPA version.
Also please note that we do not recommend using versions 3.x and 4.x together over a long
period of time. This is completely OK when you want to migrate but once you have ensured
all the services are properly working, the 3.x master should be decommissioned. Please see
[2].
HTH,
flo
[1] https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.fre...
[2] https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess....
Neither tells me anything. Is it possible that the original installation never had a CA
master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4
(ipa<3>) tells me:
$ sudo ipa server-role-find --role 'CA server'
[sudo] password for <user>:
----------------------
3 server roles matched
----------------------
Server name: ipa<2>.mydomain.local
Role name: CA server
Role status: absent
Server name: ipa<1>.mydomain.local
Role name: CA server
Role status: enabled
Server name: ipa<3>.mydomain.local
Role name: CA server
Role status: absent
----------------------------
Number of entries returned 3
----------------------------
And on the v3.0.0 (ipa<1>) I get:
$ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caServer))
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I know I am missing something basic and fundamental here. Is there a CA Master or not?
If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
The way forward is not clear.
-Steven Auerbach
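An added example, not from this thread or from FreeIPA: it parses the kind of ldapsearch output discussed above for the cn=masters subtree and reports which hosts hold an enabled CA and which one, if any, carries ipaConfigString=caRenewalMaster. The base DN, hostnames and LDIF sample are constructed; only the attribute and value names follow FreeIPA's conventions.

```python
# Constructed ldapsearch output (base DN and hostnames made up) for the
#   '(cn=CA)' search under cn=masters on a 4.x topology where ipa1 was promoted.
SAMPLE_LDIF = """\
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,
 dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 50

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; comments skipped and folded lines
    (leading space, as ldapsearch emits past 76 columns) rejoined."""
    unfolded = text.replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, val = line.partition(":")
                attrs.setdefault(key.strip(), []).append(val.strip())
        if "dn" in attrs:              # drops the dn-less search summary
            entries.append(attrs)
    return entries

def audit_ca_roles(text):
    """Hosts with an enabled CA and the renewal master: None when no cn=CA
    entry carries caRenewalMaster (the pre-4.0 state described in the thread),
    with conflict=True if more than one entry does."""
    ca_hosts, renewal = [], []
    for entry in parse_ldif(text):
        rdns = entry["dn"][0].split(",")
        if len(rdns) < 2 or rdns[0].lower() != "cn=ca":
            continue
        host = rdns[1].partition("=")[2]     # cn=<host> is the second RDN
        flags = entry.get("ipaConfigString", [])
        if "enabledService" in flags:
            ca_hosts.append(host)
        if "caRenewalMaster" in flags:
            renewal.append(host)
    return {"ca_servers": sorted(ca_hosts),
            "renewal_master": renewal[0] if len(renewal) == 1 else None,
            "conflict": len(renewal) > 1}
```

Feed it the raw LDIF from `ldapsearch ... -b 'cn=masters,cn=ipa,cn=etc,<base>' '(cn=CA)'` (the default 76-column wrapping is handled); a result of `renewal_master: None` on a topology installed before 4.0 matches the empty search in the thread.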