We have a nice simple setup, a single master running 3.0.0-51.el6.centos and as 
far as I can tell we're in very good shape, all certs check out OK, being 
monitored, nothing expired.

Great! Let's finally do the upgrade to CentOS 7/IPA 4.X

Carefully follow all the instructions here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index

Everything goes great, I note that CS.cfg on CentOS lives under /etc/pki-ca not 
/var/lib, ok no problem, great, great and then:

I get to this part of the document:

6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new 
master CA server.
The file is generated based on the time interval defined in the 
/etc/pki/pki-tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval parameter. 
The default value is 240 minutes (4 hours).
If the file exists, the new master CA server is configured correctly, and you 
can safely dismiss the previous CA master system.

And after messing with CS.cfg update interval settings, rebooting etc, I still 
get no MasterCRL.bin on the new host.

Any clues as to what I might be doing wrong?

Really hard to say without more info I'm sure.

Can you tell me what to check on the original master before I get started with 
all the upgrade steps?

I have rolled back my virtual machine snapshot so I'm back to "everything good" 
state, I think :)

On the original master, before upgrade I have:

-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  5 21:00 MasterCRL-20180205-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 01:00 MasterCRL-20180206-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 05:00 MasterCRL-20180206-050000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 09:00 MasterCRL-20180206-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 13:00 MasterCRL-20180206-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 17:00 MasterCRL-20180206-170000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 21:00 MasterCRL-20180206-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 01:00 MasterCRL-20180207-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 07:36 MasterCRL-20180207-073614.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 09:00 MasterCRL-20180207-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 13:00 MasterCRL-20180207-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 17:00 MasterCRL-20180207-170000.der
lrwxrwxrwx 1 pkiuser pkiuser    57 Feb  7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
drwxrwxr-x 2 root    pkiuser 36864 Feb  7 17:00 .

That looks all correct, right? Indicating the master is doing what it should re 
CRLs etc.

I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root pkiuser 
775" not "pkiuser pkiuser", but me thinks that's ok.

What log should I look at to see some indication that a transfer, or something like 
"get the CRL list to the new node", is failing?


Thanks !!
Jim Richard
SYSTEM ADMINISTRATOR III
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
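A quick health check for the situation described in the message above, added here as an example and not code from the thread or from FreeIPA itself: it reads ca.crl.MasterCRL.autoUpdateInterval from a CS.cfg, then reports whether MasterCRL.bin in the publish directory is missing, a dangling symlink, older than twice the interval, or OK. The paths are parameters (the RHEL 7 defaults quoted in the thread are assumed), and the 2x-interval staleness threshold is an assumption.

```shell
#!/bin/sh
# Hypothetical CRL publishing check for a Dogtag/IPA CA master (not from the thread).
# Defaults assumed from the documentation quoted above:
#   CS.cfg      -> /etc/pki/pki-tomcat/ca/CS.cfg
#   publish dir -> /var/lib/ipa/pki-ca/publish

crl_interval_minutes() {
    # Print ca.crl.MasterCRL.autoUpdateInterval (minutes) from a CS.cfg file.
    # Falls back to the documented default of 240 when the key is absent.
    cfg="$1"
    val=$(sed -n 's/^ca\.crl\.MasterCRL\.autoUpdateInterval=\([0-9]*\).*/\1/p' "$cfg")
    echo "${val:-240}"
}

crl_publish_status() {
    # Usage: crl_publish_status CS.cfg PUBLISH_DIR
    # Prints MISSING, DANGLING, STALE or OK; returns 0 only for OK.
    cfg="$1"; dir="$2"
    target="$dir/MasterCRL.bin"
    # -e follows symlinks; -L catches a link whose .der target has been removed.
    [ -e "$target" ] || [ -L "$target" ] || { echo MISSING; return 1; }
    [ -r "$target" ] || { echo DANGLING; return 1; }
    interval=$(crl_interval_minutes "$cfg")
    # find -L follows the symlink; -mmin +N matches files modified more than
    # N minutes ago. Allow two update intervals of slack before flagging STALE
    # (assumption: one missed cycle is tolerable, two means publishing stopped).
    if [ -n "$(find -L "$target" -mmin +$((interval * 2)) 2>/dev/null)" ]; then
        echo STALE; return 1
    fi
    echo OK
}

# Stand-alone use against the assumed RHEL 7 paths:
# crl_publish_status /etc/pki/pki-tomcat/ca/CS.cfg /var/lib/ipa/pki-ca/publish
```

Run it on both the old and the new CA master after the migration; on the new host a MISSING result for longer than one interval means the CRL update job is not running at all, which is a different problem from a STALE symlink left behind by an old CRL.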