Jim Richard via FreeIPA-users wrote:
> Thanks Rob, 
> 
> Correct, did a clean install on CentOS 7, and then on my CentOS 6 unit 
> applied the schema update and then replica prepare, scp'd the file over and 
> then replica install on the new CentOS 7 server.
> Plus all the other steps in between of course.
> 
> Let me make sure I understand correctly though.
> If I follow the procedure: 8.2. MIGRATING IDENTITY MANAGEMENT FROM RED HAT 
> ENTERPRISE LINUX 6 TO VERSION 7
> should I expect the same CRL list over on my new CentOS 7/FreeIPA 4 server?

If you disabled CRL generation in the RHEL 6 master and enabled it on
the RHEL 7 master according to the docs then yes, you should see a CRL
being generated.

> 
> Is this something I even need to worry about? 
> I saw a comment from you from a while back where you said something to the 
> effect that CRLs are not super urgent if you're not actually using them.
> But I may not have understood that correctly. 
> No though, I am not making use of the FreeIPA CRL in any other way other than 
> how FreeIPA system uses it.

It's not _great_ that the CRL isn't there but it also isn't a show
stopper (for now). I'd recommend running through the documentation again
and confirming that the RHEL 6 CA is no longer generating the CRL.

Note that the reason we recommend only one do this is that due to timing
it is possible that two CAs in the same infrastructure could generate
different CRLs, both of which would be considered valid (properly
signed, etc).

rob
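
As an added example (not code from this thread, from FreeIPA or from Dogtag), the check Rob asks for above, and the "does MasterCRL.bin exist and get refreshed" verification Jim quotes from the migration guide, as a small POSIX shell script. It reads the CRL-master flags from each server's CS.cfg (the ca.crl.MasterCRL.enableCRLUpdates / enableCRLCache parameters the guide toggles), counts how many CAs claim the role, and tests whether MasterCRL.bin in the publish directory was written within autoUpdateInterval. The CS.cfg locations, the function names and the two sample CS.cfg fragments are assumptions constructed for the example; the openssl call is only for use against a real CRL file.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Checks which CA is configured to generate the MasterCRL and whether the
# published CRL is being refreshed. Parameter names follow the RHEL 7
# migration guide; the CS.cfg locations are assumed defaults:
#   RHEL/CentOS 6: /var/lib/pki-ca/conf/CS.cfg
#   RHEL/CentOS 7: /etc/pki/pki-tomcat/ca/CS.cfg

# cs_get FILE KEY: print the last value of KEY in a CS.cfg-style file.
cs_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^${key}=//p" "$1" | tail -n 1
}

# crl_role FILE: "crl-master" if this CA builds and caches the CRL,
# "clone" otherwise. Both flags should be true on exactly one CA.
crl_role() {
    upd=$(cs_get "$1" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cs_get "$1" ca.crl.MasterCRL.enableCRLCache)
    if [ "$upd" = true ] && [ "$cache" = true ]; then
        echo crl-master
    else
        echo clone
    fi
}

# count_crl_masters FILE...: how many configs claim the CRL-master role.
# More than one means two CAs may each sign a different, equally valid CRL.
count_crl_masters() {
    n=0
    for f in "$@"; do
        if [ "$(crl_role "$f")" = crl-master ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# crl_fresh DIR MINUTES: succeed if DIR/MasterCRL.bin (file or symlink)
# was modified less than MINUTES ago; pass autoUpdateInterval (240 default).
crl_fresh() {
    [ -n "$(find "$1" -maxdepth 1 -name MasterCRL.bin -mmin "-$2" 2>/dev/null)" ]
}

# crl_dates FILE: issuer and validity window of a DER CRL (needs openssl).
crl_dates() {
    openssl crl -inform DER -in "$1" -noout -issuer -lastupdate -nextupdate
}

# write_sample_cfgs DIR: constructed CS.cfg fragments standing in for the
# old (CentOS 6) and new (CentOS 7) CA after the documented switch.
write_sample_cfgs() {
    cat > "$1/old-cs.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.listenToCloneModifications=false
ca.certStatusUpdateInterval=0
ca.crl.MasterCRL.autoUpdateInterval=240
EOF
    cat > "$1/new-cs.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=true
ca.crl.MasterCRL.autoUpdateInterval=240
EOF
}

# Demo against the constructed fragments (run: sh crlcheck.sh demo).
demo() {
    tmp=$(mktemp -d)
    write_sample_cfgs "$tmp"
    interval=$(cs_get "$tmp/new-cs.cfg" ca.crl.MasterCRL.autoUpdateInterval)
    echo "old CA: $(crl_role "$tmp/old-cs.cfg")"
    echo "new CA: $(crl_role "$tmp/new-cs.cfg")"
    echo "CRL masters: $(count_crl_masters "$tmp/old-cs.cfg" "$tmp/new-cs.cfg")"
    touch "$tmp/MasterCRL.bin"
    if crl_fresh "$tmp" "$interval"; then echo "CRL fresh"; else echo "CRL stale"; fi
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On real hosts, point crl_role at each server's CS.cfg and crl_fresh at /var/lib/ipa/pki-ca/publish with the interval read from the new master's config; count_crl_masters over both files should print 1, and crl_dates on the published file shows whether the Last Update is advancing and which issuer signed it.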

> 
> -Jim
> 
> 
> 
>> On Feb 7, 2018, at 5:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Jim Richard via FreeIPA-users wrote:
>>> We have a nice simple setup, a single master running 3.0.0-51.el6.centos
>>> and as far as I can tell we're in very good shape, all certs checkout
>>> ok, being monitored, nothing expired.
>>>
>>> Great! Let's finally do the upgrade to CentOS 7/IPA 4.X
>>>
>>> Carefully follow all the instructions here:
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
>>>
>>> Everything goes great, I note that CS.cfg on CentOS lives under
>>> /etc/pki-ca not /var/lib, ok no problem, great, great and then:
>>>
>>> I get to this part of the document:
>>>
>>> 6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
>>> Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on
>>> the new master CA server.
>>> The file is generated based on the time interval defined in the
>>> /etc/pki/pki-tomcat/ca/CS.cfg file using the
>>> ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240
>>> minutes (4 hours).
>>> If the file exists, the new master CA server is configured correctly,
>>> and you can safely dismiss the previous CA master system.
>>>
>>> And after messing with CS.cfg update interval settings, rebooting etc, I
>>> still get no MasterCRL.bin on the new host.
>>>
>>> Any clues as to what I might be doing wrong?
>>>
>>> Really hard to say without more info I'm sure.
>>>
>>> Can you tell me what to check on the original master before I get
>>> started with all the upgrade steps?
>>>
>>> I have rolled back my virtual machine snapshot so I'm back to
>>> "everything good" state, I think :)
>>
>> I think you need to define what you mean by "upgrade". Did you actually
>> upgrade in-place from RHEL 6 to 7? If so that is not supported.
>>
>> The right procedure is to create a new replica on RHEL 7.
>>
>> rob
>>
>>>
>>> On the original master, before upgrade I have:
>>>
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  5 21:00
>>> MasterCRL-20180205-210000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 01:00
>>> MasterCRL-20180206-010000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 05:00
>>> MasterCRL-20180206-050000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 09:00
>>> MasterCRL-20180206-090000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 13:00
>>> MasterCRL-20180206-130000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 17:00
>>> MasterCRL-20180206-170000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 21:00
>>> MasterCRL-20180206-210000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 01:00
>>> MasterCRL-20180207-010000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 07:36
>>> MasterCRL-20180207-073614.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 09:00
>>> MasterCRL-20180207-090000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 13:00
>>> MasterCRL-20180207-130000.der
>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 17:00
>>> MasterCRL-20180207-170000.der
>>> lrwxrwxrwx 1 pkiuser pkiuser    57 Feb  7 17:00 MasterCRL.bin ->
>>> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
>>> drwxrwxr-x 2 root    pkiuser 36864 Feb  7 17:00 .
>>>
>>> That looks all correct, right? Indicating the master is doing what it
>>> should re CRLs etc.
>>>
>>> I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root
>>> pkiuser 775" not "pkiuser pkiuser", but me thinks that's ok.
>>>
>>> What log should I look at to see some indication that a transfer or
>>> like, "get the CRL list to the new node" is failing?
>>>
>>>
>>> Thanks !!
>>>
>>>
>>>
>>>
>>>
>>> Jim Richard
>>> SYSTEM ADMINISTRATOR III
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>>
