I'm confused with my freeipa setup. Some details on the installation:

- I use freeipa on only one server since 2012 (basic install with a
self-signed certificate ... KO from then 2014).
- meanwhile (a few years) I made a migration to switch to a version of
freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks. (the
old freeipav3 server has been destroyed for a long time)
- at this time CA autorithy been lost ... but hey I do not use this
feature in freeipa v4, I'm not too worried.
- I mainly use the ldap (user, group, host, hbac, automount etc), and
especially kerberos, and also winsync (trust AD etc ...)
- I never interressed at the party certificate.
- The HTTP and LDAP certificates of the server is signed via an external
authority not managed by freeipa.

Only here I wanted to add a 2nd server to replicate my single server
freeipa, to secure the system. And here the disaster begins for me ...
because the certificates block the process in all directions.

I'm considering several solutions:

- Solution 1 (my favorite if it's possible), that I started to try to do ...

remove the CA and restart from scratch on my master server before
starting to replicate.
I made a:
ipa-ca-install ----> KO
CA is already installed on this host

pkidestroy -s CA -i pki-tomcat
ipa-getcert stop-tracking -i ******** (certificate expired for several

ipa-ca-install ----> KO
Run connection check to master
Connection check OK

Your system may be partly configured.
Run / usr / sbin / ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
HTTPError: 404 Client Error: Not Found

I tried enorment order I think have put more basard than anything else
that said ... :'(

how i can erase all traces of CA autority and reinstall with
ipa-ca-install a new autority and leave with a correct installation ?

- Solution 2
Add a replica server without CA autority and pass it master and install
a new CA autority! it's possible ?

- solution 3
make a new freeipa server from 0
- ipa-server-install
- import my ~ 600 users and ~ 50 hosts (service)
- import my rules HBAC
- import my sudo rules
- import the keys kerberos
... I'm forgetting some things? and above all, is there a procedure to
do all this?

It seems much more difficult, especially since it will certainly be
necessary to plan production stops for my services:

Which solution do you recommend?

Thank you in advance for all the help you will give me

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to