I found a /root/cacert.p12 file on both of the original servers. Is there a way to tell if one of them is the right one? They're not identical. I doubt they're from the original CA but it might be worth a look.

If not, then I guess I'm back to focusing on my other question about logins over ssh versus console & GDM and moving forward with a completely new installation while trying to retain as much data as possible.


Thanks for your help on this, guys.


Bret
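One way to answer the question above about the two non-identical cacert.p12 files, added here as an example that is not part of the thread: check each bundle against the CA certificate the realm's clients already trust, assumed to be /etc/ipa/ca.crt (the usual location on an IPA server; any path to the trusted CA cert works), using only openssl. The bundle password and the function name are assumptions as well.

```shell
# Added example (not from the thread). Decides whether a candidate
# cacert.p12 belongs to the realm's CA by checking two things:
#   1. the bundle carries a certificate whose SHA-256 fingerprint matches
#      the CA certificate clients already trust (assumed /etc/ipa/ca.crt);
#   2. the bundle's private key has the same public key as that certificate,
#      i.e. it is the real signing key, not merely a copy of the cert.
# Returns 0 when both hold, 1 otherwise.
# On OpenSSL 3 an old RC2-encrypted bundle may need -legacy on both pkcs12 calls.
# Usage: check_cacert_p12 /root/cacert.p12 /etc/ipa/ca.crt "$P12_PASSWORD"
check_cacert_p12() {
    p12=$1 realm_ca=$2 pw=$3
    tmp=$(mktemp -d) || return 1
    # Fingerprint of the CA certificate the realm actually uses
    want=$(openssl x509 -in "$realm_ca" -noout -fingerprint -sha256 | cut -d= -f2)
    # Pull every certificate out of the bundle, one PEM file each
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -out "$tmp/certs.pem" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")}' "$tmp/certs.pem"
    cert_ok=1
    for c in "$tmp"/c*.pem; do
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
        [ -n "$fp" ] && [ "$fp" = "$want" ] && cert_ok=0
    done
    # Public half of the bundled private key vs. the trusted CA cert's public key
    key_ok=1
    if openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null; then
        keypub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
        certpub=$(openssl x509 -in "$realm_ca" -pubkey -noout)
        [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] && key_ok=0
    fi
    rm -rf "$tmp"
    [ "$cert_ok" -eq 0 ] && [ "$key_ok" -eq 0 ]
}
```

Run it once per candidate file; a bundle that passes the fingerprint check but not the key check is just the public cert and will not let you sign anything.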


On 02/21/2018 03:47 PM, Rob Crittenden wrote:
Bret Wortman via FreeIPA-users wrote:
If this is the correct search, then no. It's gone.

# ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W
Enter LDAP Password:

# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
It wouldn't matter much anyway because the private keys aren't stored in
LDAP. What you'd need is the cacert.p12 generated by the original
installation.

The dogtag team has some instructions for standing up a new CA with just
the certs but the IPA team hasn't had time to evaluate them at all,
http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_Certificates_using_PKCS12_File

This seems to assume you have an existing, working server as well.

But basically if you don't have the original CA keys anywhere you are
completely dead in the water. If you have them there is a remote chance
you could stand up a replacement CA but:

- we can't help you do it because we've never done it
- we don't know what sort of dragons would be lurking (revocations would
blow up, for example, because the certs aren't there because you don't
have o=ipaca).

rob


On 02/21/2018 11:45 AM, Jochen Hein wrote:
Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

I may be going about this in the hardest way possible, so let me stop
and roll everything back to my root need:

I have two IPA servers which manage our infrastructure. We used to
have three, but a catastrophic failure on one led to its total
loss. And it was our CA.

So now we have no CA -- is there a way to promote an existing system
to take over? I realize it may well mean distributing a new root CA
cert to everyone, but that seems less painful now than trying to set
up a brand new cluster of servers and try to port our data over to
them...
I'd start looking for the CA data in LDAP. If you still have it, you
might be lucky - if not, there's no way to recreate the data (apart from
a backup of the failed server - which I guess doesn't exist any longer).

Do you have a tree o=ipaca in your LDAP?

Jochen

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org