Labanowski Pierre via FreeIPA-users wrote:
> Hello,
> I'm confused with my freeipa setup. Some details on the installation:
> - I use freeipa on only one server since 2012 (basic install with a
> self-signed certificate ... KO from then 2014).
> - meanwhile (a few years) I made a migration to switch to a version of
> freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks. (the
> old freeipav3 server has been destroyed for a long time)
> - at this time the CA authority has been lost ... but hey, I do not use this
> feature in freeipa v4, I'm not too worried.
> - I mainly use the ldap (user, group, host, hbac, automount etc), and
> especially kerberos, and also winsync (trust AD etc ...)
> - I was never interested in the certificate part.
> - The HTTP and LDAP certificates of the server are signed via an external
> authority not managed by freeipa.
> Only here I wanted to add a 2nd server to replicate my single server
> freeipa, to secure the system. And here the disaster begins for me ...
> because the certificates block the process in all directions.
> I'm considering several solutions:
> - Solution 1 (my favorite if it's possible), that I started to try to do ...
> remove the CA and restart from scratch on my master server before
> starting to replicate.
> I made a:
> ipa-ca-install ----> KO
> CA is already installed on this host
> pkidestroy -s CA -i pki-tomcat
> ipa-getcert stop-tracking -i ******** (certificate expired for several
> years)
> ipa-ca-install ----> KO
> ''
> Run connection check to master
> Connection check OK
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
> HTTPError: 404 Client Error: Not Found
> ''
> I tried a lot of commands; I think I have made more of a mess than anything
> else, that said ... :'(
> How can I erase all traces of the CA authority and reinstall a new authority
> with ipa-ca-install, and end up with a correct installation?


Chances are excellent that your original CA is now gone permanently
given you ran pkidestroy. If you still have the cacert.p12 you at least
have the original signing cert but given it was generated 6 years ago
and all the subsystem certs are long-expired it would be an extra
challenge to try to set up a replacement (for which there is a procedure
defined by dogtag but we've never tried it).

> - Solution 2
> Add a replica server without a CA authority, promote it to master and install
> a new CA authority! Is it possible?


> - Solution 3
> make a new freeipa server from 0
> - ipa-server-install
> - import my ~ 600 users and ~ 50 hosts (service)
> - import my rules HBAC
> - import my sudo rules
> - import the keys kerberos
> ... I'm forgetting some things? and above all, is there a procedure to
> do all this?
> It seems much more difficult, especially since it will certainly be
> necessary to plan production stops for my services:

IPA to IPA migration is theoretically possible but not something that is
supported at the moment (we just never got around to working out all the
details). It would involve exporting to ldif the current data, massaging
it, and importing it into the new master. There be dragons.

Solution 4

Obtain an SSL certificate for the HTTP and LDAP service from the same
place you got the certificates for your existing master for your new
replica and use the --dirsrv-cert-file and --http-cert-file options to
ipa-replica-install to pass them in. See the ipa-replica-install(1) man
page for fuller details.
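As an added example (not from this thread, nor FreeIPA's own tooling), a pre-flight check for the externally signed certificate files before they are handed to ipa-replica-install via --dirsrv-cert-file and --http-cert-file. It assumes PEM-encoded files (certificate, matching private key, and the issuing CA chain) and an openssl binary new enough for -verify_hostname (1.0.2 or later).

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): validate an externally
# signed PEM certificate before handing it to ipa-replica-install.
# Assumes PEM files and openssl 1.0.2+ (for verify -verify_hostname).
# Usage: check_replica_cert CERT.pem KEY.pem CA-CHAIN.pem REPLICA_FQDN [MIN_DAYS]
check_replica_cert() {
    cert=$1; key=$2; chain=$3; host=$4; min_days=${5:-30}

    # The file must parse as an X.509 certificate at all
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a PEM certificate"; return 1; }

    # The private key must belong to this certificate (same public key)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # Reject certificates that expire within MIN_DAYS; the thread's trouble
    # started with certificates that had been expired for years
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: $cert expires within $min_days days"; return 1; }

    # The chain must verify against the issuing CA and the name must match
    # the replica FQDN (SAN, or CN when the certificate carries no SAN)
    openssl verify -CAfile "$chain" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $chain for host $host"; return 1; }

    echo "OK: $cert"
    return 0
}

# Once both the LDAP and the HTTP files pass, hand them over as the reply
# describes (hypothetical file names):
#   ipa-replica-install --dirsrv-cert-file ldap.pem --http-cert-file http.pem
```

The check runs against each file separately, so run it once for the LDAP certificate and once for the HTTP certificate with the replica's FQDN.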

FreeIPA-users mailing list --