Rob Morin via FreeIPA-users wrote:
> The master is gone, has been for a year, the server exists, but ipa was
> uninstalled with ipa-server-install --uninstall command... so I only have this
> replica, and I assume that re-installing it on the old server would mess
> stuff up?

Please don't try to re-install it. This would also fail and probably
just make matters worse.

Do you have /root/cacert.p12 on that original master?

If so run:

# pk12util -l /root/cacert.p12 |grep "Not After"

If the certs aren't all expired it may be easier to get something
restored (time is fungible). The first value is the most important one.

We've never had to do this but the dogtag team has a documented way to
install a CA using an existing key. It wasn't exactly meant for this
case but it could still work.

I haven't worked out in my head how things would actually work or tried
this myself but you have the slightest sliver of hope with this.

Even if the CA can be stood back up there could still be hurdles to

But this goes nowhere if you don't have the root CA cert so see if you
have that.
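
An added example, not part of the original message: a small Python parser for the `pk12util -l` listing that reports each certificate's Not After date in listing order and flags the expired ones. It assumes the NSS layout shown in the constructed sample (a `Subject:` line following each `Not After :` line) and that the printed times are UTC; the sample data and the function names are made up for illustration.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout `pk12util -l` prints (not real data).
SAMPLE = """\
Certificate(has private key):
    Data:
        Validity:
            Not Before: Mon Jan 01 00:00:00 2018
            Not After : Fri Jan 01 00:00:00 2038
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"
Certificate(has private key):
    Data:
        Validity:
            Not Before: Wed Mar 15 00:00:00 2017
            Not After : Tue Mar 05 00:00:00 2019
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.TEST"
"""

# The weekday name is skipped; the date itself is enough to parse.
NOT_AFTER = re.compile(r"Not After\s*:\s*\w{3}\s+(\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})")
SUBJECT = re.compile(r'\s*Subject: "(.*)"')


def cert_expiry(listing):
    """Return [(subject, not_after)] in the order the certificates are listed."""
    certs, pending = [], None
    for line in listing.splitlines():
        hit = NOT_AFTER.search(line)
        if hit:
            # Assumption: the printed time is UTC.
            stamp = datetime.strptime(hit.group(1), "%b %d %H:%M:%S %Y")
            pending = stamp.replace(tzinfo=timezone.utc)
        elif pending is not None and (hit := SUBJECT.match(line)):
            certs.append((hit.group(1), pending))
            pending = None
    return certs


def expired(certs, now=None):
    """Subjects whose Not After is at or before `now` (default: current time)."""
    now = now or datetime.now(timezone.utc)
    return [subject for subject, not_after in certs if not_after <= now]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    certs = cert_expiry(text)
    gone = expired(certs)
    for subject, not_after in certs:
        state = "EXPIRED" if subject in gone else "valid"
        print(f"{not_after:%Y-%m-%d} {state:8} {subject}")
```

Saved under a name of your choosing, it reads the listing from standard input when the `pk12util -l` output is piped into it, and falls back to the constructed sample otherwise.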
