Dear Rob,
Earlier you commented:
> You can run ipa-ca-install at any time to add a CA to an existing master.
Indeed, however if I may suggest it might be useful to also have an alias
ipa-ca-install-replica
to clearly indicate it is safe to use this command and it will *not* end up replacing your current (possibly only) active CA. Experienced admins may know this couldn't happen, but others may not. I read and searched for examples first, but one tends to be rather cautious especially once you realise you only have a single CA installed.
Alas in my case I see
[root@freeipa02 ~]# ipa-ca-install
CA is already installed on this host.
yet
ipa server-role-find --role "CA server"
indicates for this server it has status absent, which ties up with other warnings about there only being one.
  Server name: freeipa02...
  Role name: CA server
  Role status: absent
I've not worked out why yet. Wondered if it might be installed but not enabled, and if so, would it have up to date information. Puzzled.
Dear Satish,
> All I would say is: please run multiple CA servers in your LDAP infrastructure, otherwise you will be in very big trouble like I was in...
Thanks and sorry to hear about the trouble you experienced, clearly I would like to avoid this happening here too.
When I installed the FreeIPA servers a few years ago I honestly didn't realise the CA hadn't been replicated along with everything else. Then in a newer version I happened to notice the warning via the web interface (only one CA server), although it might be useful to also include how to fix such an omission with the warning.
As soon as I (and more experienced experts reading) can work out how to get CA replication operational in this case, I will sleep easier. I have already noticed the significant impact to services when freeipa01, our complete server, is even briefly down, which really wasn't my intention.
Thanks to all.
Best wishes
Stuart
Stuart McRobert wrote:
> Dear Rob,
> Earlier you commented:
> > You can run ipa-ca-install at any time to add a CA to an existing master.
> Indeed, however if I may suggest it might be useful to also have an alias
> ipa-ca-install-replica
> to clearly indicate it is safe to use this command and it will *not* end up replacing your current (possibly only) active CA. Experienced admins may know this couldn't happen, but others may not. I read and searched for examples first, but one tends to be rather cautious especially once you realise you only have a single CA installed.
Well, all IPA masters are equals more or less. It would be sort of a stigma to mark one as a replica forever, for the only reason that it wasn't installed first. This would be particularly confusing if the first master was removed.
> Alas in my case I see
> [root@freeipa02 ~]# ipa-ca-install
> CA is already installed on this host.
> yet
> ipa server-role-find --role "CA server"
> indicates for this server it has status absent, which ties up with other warnings about there only being one.
It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.
>   Server name: freeipa02...
>   Role name: CA server
>   Role status: absent
> I've not worked out why yet. Wondered if it might be installed but not enabled, and if so, would it have up to date information. Puzzled.
My guess is someone tried to install a CA at some point in the past and it failed and they just left it. The installer is not idempotent and there is no CA-specific uninstall so the only way around it is to fully uninstall the master and try again.
> Dear Satish,
> > All I would say is: please run multiple CA servers in your LDAP infrastructure, otherwise you will be in very big trouble like I was in...
> Thanks and sorry to hear about the trouble you experienced, clearly I would like to avoid this happening here too.
> When I installed the FreeIPA servers a few years ago I honestly didn't realise the CA hadn't been replicated along with everything else. Then in a newer version I happened to notice the warning via the web interface (only one CA server), although it might be useful to also include how to fix such an omission with the warning.
> As soon as I (and more experienced experts reading) can work out how to get CA replication operational in this case, I will sleep easier. I have already noticed the significant impact to services when freeipa01, our complete server, is even briefly down, which really wasn't my intention.
> Thanks to all.
> Best wishes
> Stuart
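An added example, not from the thread and not FreeIPA's own tooling, that reconciles the two signals Rob contrasts above: the CS.cfg file that ipa-ca-install keys on and the role status that ipa server-role-find reports. The hostnames and the sample command output are constructed; the CS.cfg path and the command are the ones named in the thread.

```shell
#!/bin/sh
# Added example: reconcile the two signals the thread compares. ipa-ca-install
# keys on the existence of /etc/pki/pki-tomcat/ca/CS.cfg; ipa server-role-find
# reports what the directory records. Inputs are parameters so the check can be
# exercised with constructed data (hostnames below are made up) before live use.
# Print "Role status" for server $1 from `ipa server-role-find --role "CA server"`
# output on stdin; "unknown" if that server does not appear.
ca_role_status() {
  awk -v srv="$1" '
    /^[[:space:]]*Server name:/ { name = $3 }
    /^[[:space:]]*Role status:/ { if (name == srv) { print $3; found = 1; exit } }
    END { if (!found) print "unknown" }
  '
}

# Classify host $2: $1 = CS.cfg path, $3 = role-find output text.
diagnose_ca_state() {
  status=$(printf '%s\n' "$3" | ca_role_status "$2")
  if [ -f "$1" ]; then cfg=present; else cfg=missing; fi
  case "$cfg/$status" in
    present/enabled) echo "consistent: CA installed and enabled" ;;
    missing/absent)  echo "consistent: no CA here; ipa-ca-install can add one" ;;
    present/absent)  echo "inconsistent: CS.cfg present but role absent; likely a failed earlier CA install, ipa-ca-install will refuse" ;;
    *)               echo "unexpected: cfg=$cfg status=$status" ;;
  esac
}
# Constructed sample of the command output for two masters.
SAMPLE_ROLES='----------------------
2 server roles matched
----------------------
  Server name: freeipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 2
----------------------------'

# Run the constructed scenarios; an empty temp file stands in for an existing CS.cfg.
run_demo() {
  tmp=$(mktemp) || return 1
  diagnose_ca_state "$tmp" freeipa02.example.test "$SAMPLE_ROLES"
  diagnose_ca_state /nonexistent/CS.cfg freeipa02.example.test "$SAMPLE_ROLES"
  diagnose_ca_state "$tmp" freeipa01.example.test "$SAMPLE_ROLES"
  rm -f "$tmp"
}
```

On a real master, run `diagnose_ca_state /etc/pki/pki-tomcat/ca/CS.cfg "$(hostname -f)" "$(ipa server-role-find --role 'CA server')"`; the "inconsistent" branch is the leftover-from-a-failed-install state Rob describes, where the only supported fix is a full uninstall and reinstall of that master.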
freeipa-users@lists.fedorahosted.org