Hello,
On 07/11/2014 08:17 AM, James wrote:
> I installed IPA on host A, did a replica prepare, and then installed
> it on host B.
> Running ipa-replica-prepare on B yields this error:
> A selfsign CA backend can only prepare on the original master
> This error doesn't seem to be in the current git master anymore. Has
> this limitation been removed?

Not really: the selfsign functionality itself was removed.
See: http://www.freeipa.org/page/V3/Drop_selfsign_functionality

> Can someone explain if you can "ipa-replica-prepare" from any new
> master, and starting at what version please? Assume I installed the
> first host with --selfsign.

Unfortunately, you can't.
Self-signed CAs were not capable of replication, and replica files need
to be created on a host with CA (unless using the CA-less feature in IPA
3.2+). So, in a selfsign install, only the original master could create
replicas.

> I'm particularly interested in understanding why or why not you can do
> this (or couldn't do this).

Selfsign was never suitable for production. It was useful for
developers while Dogtag wasn't ready yet, but it never got beyond being
a proof of concept.
Unfortunately it had a very tempting name, and we didn't communicate
enough that it's something you don't want to use.
Apologies for that.
--
Petr³
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel