Thanks Rob,

Correct, I did a clean install on CentOS 7, and then on my CentOS 6 unit applied the schema update and then replica prepare, scp'd the file over and then replica install on the new CentOS 7 server. Plus all the other steps in between of course.

Let me make sure I understand correctly though. If I follow the procedure "8.2. MIGRATING IDENTITY MANAGEMENT FROM RED HAT ENTERPRISE LINUX 6 TO VERSION 7", should I expect the same CRL list over on my new CentOS 7/FreeIPA 4 server? Is this something I even need to worry about? I saw a comment from you from a while back where you said something to the effect that CRLs are not super urgent if you're not actually using them. But I may not have understood that correctly. No though, I am not making use of the FreeIPA CRL in any other way other than how the FreeIPA system uses it.

-Jim

> On Feb 7, 2018, at 5:16 PM, Rob Crittenden <[email protected]> wrote:
>
> Jim Richard via FreeIPA-users wrote:
>> We have a nice simple setup, a single master running 3.0.0-51.el6.centos
>> and as far as I can tell we're in very good shape, all certs check out
>> ok, being monitored, nothing expired.
>>
>> Great! Let's finally do the upgrade to CentOS 7/IPA 4.X
>>
>> Carefully follow all the instructions here:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
>>
>> Everything goes great, I note that CS.cfg on CentOS lives under
>> /etc/pki-ca not /var/lib, ok no problem, great, great and then:
>>
>> I get to this part of the document:
>>
>> 6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
>> Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on
>> the new master CA server.
>> The file is generated based on the time interval defined in the
>> /etc/pki/pki-tomcat/ca/CS.cfg file using the
>> ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240
>> minutes (4 hours).
>> If the file exists, the new master CA server is configured correctly,
>> and you can safely dismiss the previous CA master system.
>>
>> And after messing with CS.cfg update interval settings, rebooting etc, I
>> still get no MasterCRL.bin on the new host.
>>
>> Any clues as to what I might be doing wrong?
>>
>> Really hard to say without more info I'm sure.
>>
>> Can you tell me what to check on the original master before I get
>> started with all the upgrade steps?
>>
>> I have rolled back my virtual machine snapshot so I'm back to
>> "everything good" state, I think :)
>
> I think you need to define what you mean by "upgrade". Did you actually
> upgrade in-place from RHEL 6 to 7? If so that is not supported.
>
> The right procedure is to create a new replica on RHEL 7.
>
> rob
>
>>
>> On the original master, before upgrade I have:
>>
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 5 21:00 MasterCRL-20180205-210000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 01:00 MasterCRL-20180206-010000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 05:00 MasterCRL-20180206-050000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 09:00 MasterCRL-20180206-090000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 13:00 MasterCRL-20180206-130000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 17:00 MasterCRL-20180206-170000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 21:00 MasterCRL-20180206-210000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 01:00 MasterCRL-20180207-010000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 07:36 MasterCRL-20180207-073614.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 09:00 MasterCRL-20180207-090000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 13:00 MasterCRL-20180207-130000.der
>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 17:00 MasterCRL-20180207-170000.der
>> lrwxrwxrwx 1 pkiuser pkiuser 57 Feb 7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
>> drwxrwxr-x 2 root pkiuser 36864 Feb 7 17:00 .
>>
>> That looks all correct, right? Indicates the master is doing what it
>> should re CRLs etc.
>>
>> I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root
>> pkiuser 775" not "pkiuser pkiuser", but methinks that's ok.
>>
>> What log should I look at to see some indication that a transfer or
>> like, "get the CRL list to the new node" is failing?
>>
>>
>> Thanks !!
>>
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
