On 08/03/2017 08:34 AM, Fraser Tweedale wrote:

Mark, that's great news; I'm glad you were able to resolve the

Everyone gets the tunnel vision sometimes :)

I wish you a successful rollout to production.


Actually, let me update you on this. I finally got a chance to speak to my colleague and he gave me information that wasn't included in his original email to me. The issue was a lot bigger than pulling the certs out. I'll try to keep this clear for anyone else in the same situation I found myself in.

IPA0 (the master) was installed and setup in mid-2016 sometime. It started out as freeipa v4.1. One of the things I did when getting involved with getting a replica up and running for redundancy is to update the entire server. It updated to the most recent version for CentOS 7.3, which is v4.4. What didn't happen at that point was to increase the DOMAIN LEVEL to get the features available for v4.4. IPA0 stayed at Domain Level 0. The replica I installed was on a new VM and was installed as v4.4.

It wasn't until my colleague dug up some google result about increasing the domain level when doing an upgrade of freeipa that we found this issue. When he upped the Domain level to 1, then on IPA1 ran 'ipa-client-install' and 'ipa-replica-install --setup-ca' did everything work. He only noticed that when he tried 'ipa-replica-install --setup-ca' on IPA1, the installer barked about installing the client first THEN upgrading to a replica.

I didn't install the client when building IPA1, which may have contributed to the problems. If I had, the replica /probably/ would have had the CA setup just fine, just only with the v4.1 features even if the package was v4.4 on both servers because the domain level wouldn't have changed.

Unfortunately, the documentation is so jacked up and sparse, it took two of us two weeks plus to figure all this out.

I hope this helps someone else in the future.

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to