Hello, I'm confused with my freeipa setup. Some details on the installation:
- I have used FreeIPA on only one server since 2012 (basic install with a self-signed certificate ... KO since 2014).
- Meanwhile (a few years ago) I did a migration to switch to FreeIPA v4 on CentOS 7.1, which has been on 4.5 for a few weeks now. (The old FreeIPA v3 server was destroyed a long time ago.)
- At that time the CA authority was lost ... but hey, I don't use this feature in FreeIPA v4, so I'm not too worried.
- I mainly use the LDAP (users, groups, hosts, HBAC, automount, etc.), and especially Kerberos, and also winsync (AD trust, etc.).
- I was never interested in the certificate part.
- The HTTP and LDAP certificates of the server are signed by an external authority not managed by FreeIPA.

Only now I wanted to add a 2nd server to replicate my single FreeIPA server, to secure the system. And here the disaster begins for me ... because the certificates block the process in all directions.

I'm considering several solutions:

- Solution 1 (my favorite, if it's possible), which I started to try: remove the CA and restart from scratch on my master server before starting to replicate. I did:

    ipa-ca-install ----> KO, CA is already installed on this host

  THEN

    pkidestroy -s CA -i pki-tomcat
    ipa-getcert stop-tracking -i ******** (certificate expired for several years)
    ipa-ca-install ----> KO

  ''
  Run connection check to master
  Connection check OK
  Your system may be partly configured.
  Run /usr/sbin/ipa-server-install --uninstall to clean up.
  Unexpected error - see /var/log/ipareplica-ca-install.log for details:
  HTTPError: 404 Client Error: Not Found
  ''

  I tried an enormous number of commands; I think I have made more of a mess than anything else ... :'( How can I erase all traces of the CA authority and reinstall a new authority with ipa-ca-install, and end up with a correct installation?

- Solution 2: add a replica server without CA authority, promote it to master and install a new CA authority! Is it possible?

- Solution 3: make a new FreeIPA server from 0:
  - ipa-server-install
  - import my ~600 users and ~50 hosts (services)
  - import my HBAC rules
  - import my sudo rules
  - import the Kerberos keys ...
  Am I forgetting some things? And above all, is there a procedure to do all this? It seems much more difficult, especially since it will certainly be necessary to plan production stops for my services.

Which solution do you recommend?

Thank you in advance for all the help you will give me

Pierre

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
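Before running `ipa-getcert stop-tracking` on a server in the state described above, it helps to inventory which certmonger entries are expired, stuck or no longer in MONITORING state from the output of `ipa-getcert list`. The parser and triage below are an added example, not code from the post or from FreeIPA; the `ipa-getcert list` sample is constructed, and `parse_utc`, `parse_getcert_list` and `triage` are names assumed here.

```python
import re
from datetime import datetime, timezone

# Constructed, abbreviated sample of `ipa-getcert list` output (not real data).
SAMPLE = """Request ID '20120601000000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2014-06-01 00:00:00 UTC
Request ID '20170901000000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tissuer: CN=External Issuing CA,O=Example Corp
\texpires: 2019-09-01 00:00:00 UTC
"""

def parse_utc(s):
    # certmonger prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by certmonger's own field names."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            entries.append({"request_id": m.group(1)})
        elif entries and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            entries[-1][key] = value
    for e in entries:  # pull the NSS nickname out of the 'certificate:' field
        nick = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        e["nickname"] = nick.group(1) if nick else "?"
    return entries

def triage(entries, now_utc):
    """Map request ID to its problems: expired cert, stuck request, non-MONITORING state."""
    now, problems = parse_utc(now_utc), {}
    for e in entries:
        found = []
        if "expires" in e and parse_utc(e["expires"]) <= now:
            found.append("expired " + e["expires"][:10])
        if e.get("stuck") == "yes":
            found.append("stuck")
        if e.get("status") != "MONITORING":
            found.append("status " + e.get("status", "?"))
        if found:
            problems[e["request_id"]] = found
    return problems
```

Entries that come back with problems are the candidates to review (and, if they belong to the dead CA, to stop tracking) before retrying the CA or replica install; entries issued by the external CA that are still MONITORING should be left alone.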