On 06/26/2018 03:08 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
Hi,

Sorry about not replying to this, we could not try it until now.

We've followed the doc, and it seems to work OK, certificates can be issued without problems, so we hope that autorenewal works too.

But we have a little problem, if we try to access the certificates section of a CA-less replica, it tries to connect to the old master, giving:

IPA 4301: CertificateOperationError: Unable to communicate with CMS ([Errno -2] Name or service not known)

The old master cannot be resolved anymore, because it was removed from the topology.

We've tried to restart all services, but it seems to be cached somewhere.

Hi,

can you check in /etc/ipa/default.conf if ca_host points to the removed master? If that is the case, replace ca_host with your new renewal master.

Flo

Thanks


On Wed, May 30, 2018 at 6:26 PM Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 05/29/2018 03:54 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
    > Hi Florence,
    >
    > Let me give more info about our FreeIPA infrastructure. We have 8 servers in different zones, 2 per zone.
    >
    > Last year we installed the first two IPAs, one from scratch and the other its first replica, and both with DNS and CA. CA certificates generated by IPA itself, no external ones.
    > Then we replicated them to other two zones, but with DNS capability only.
    >
    > Now we would like to move the first ones to another zone, so we created two more replicas, but this time with CA: "ipa-replica-install --setup-dns --setup-ca --no-forwarders"
    >
    > The info you've asked for:
    >
    >> Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
    >
    > ipa server-role-find shows:
    >
    >     Role name: CA server
    >     Role status: enabled
    >
    > for all the four masters, the first ones and the latest ones. The other four have "Role status: disabled".
    >
    > ipa config-show shows the same four instances as before on "IPA CA servers:"
    >
    >> Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
    >
    > ipa-replica-install --setup-ca
    >
    >> Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
    >
    > Yes, the CA replicas were installed yesterday. I prefer not to disclose these logs. Is it OK to send them to you directly?
    >
    >> Did you initially have a CA master that was later decommissioned?
    >
    > No, the CA master should be the first IPA installed, still running and working OK.
    >
    > Thanks!
    >
    > On Tue, May 29, 2018 at 3:29 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
    >
    >> On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote:
    >>> Hi,
    >>>
    >>> We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
    >>>
    >>> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
    >>>
    >>> However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
    >>>
    >>> ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
    >>> Enter LDAP Password:
    >>> # extended LDIF
    >>> #
    >>> # LDAPv3
    >>> # base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
    >>> # filter: (ipaConfigString=caRenewalMaster)
    >>> # requesting: dn
    >>> #
    >>>
    >>> # search result
    >>> search: 2
    >>> result: 0 Success
    >>>
    >>> # numResponses: 1
    >>>
    >>> Neither one of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" on /etc/pki/pki-tomcat/ca/CS.cfg
    >>>
    >>> Is there any more up-to-date doc about this?
    >>>
    >>> All FreeIPA servers are:
    >>>
    >>> CentOS Linux release 7.5.1804 (Core)
    >>> VERSION: 4.5.4, API_VERSION: 2.228
    >>>
    >>> Thank you
     >
    >> Hi,
    >>
    >> This issue is rather unusual, so I am trying to gather as much information as possible.
    >>
    >> Can you check the output of 'ipa server-role-find' to check which servers have the CA capability and 'ipa config-show'?
    >>
    >> Were the replicas created with the option ipa-replica-install [...] --setup-ca, or did you first create the replica then run ipa-ca-install?
    >> Did you keep the installation log files (/var/log/ipareplica-install.log and /var/log/ipareplica-ca-install.log)?
    >>
    >> Did you initially have a CA master that was later decommissioned?
    >> Flo

    Hi,

    I had a quick look at the code for changing the renewal master, and the
    command succeeds even if you do not have any server currently marked as
    CA renewal master.

    Re. the CRL generation master, you need to make sure that your new CA
    renewal master is the only one with enableCRLCache=true and
    enableCRLUpdates=true, and with the RewriteRule disabled. All the other
    masters need to have enableCRLCache=false, enableCRLUpdates=false and
    the RewriteRule enabled.

    HTH,
    Flo



--
Carlos Fernández Manteiga
*BitBan* Technologies S.L.

E-mail: cfernan...@bitban.com

Tel.: (+34) 91 433 76 83

C/ Princesa, 2, 6ª-1
28008 Madrid
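The two checks this thread ends up with, as an added example rather than anything from the thread or from FreeIPA itself: a POSIX shell audit that classifies a CA's CS.cfg by its CRL flags (one server true/true, every other CA false/false) and verifies that ca_host in /etc/ipa/default.conf still names a current CA server. The config files and host names below are constructed samples; the RewriteRule side of the CRL switch is not covered.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from FreeIPA. Real paths are
# /etc/pki/pki-tomcat/ca/CS.cfg and /etc/ipa/default.conf; the files written
# under $TMP are constructed samples so the script runs stand-alone.

# Print the value of key $2 from key=value file $1 (first match, empty if absent).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify a CS.cfg by its CRL flags: exactly one server should be "crl-master"
# (both true) and every other CA "crl-clone" (both false). Anything else is a
# half-switched server that either publishes no CRL or competes for it.
crl_role() {
    cache=$(cfg_get "$1" 'ca\.crl\.MasterCRL\.enableCRLCache')
    updates=$(cfg_get "$1" 'ca\.crl\.MasterCRL\.enableCRLUpdates')
    case "$cache:$updates" in
        true:true)   echo crl-master ;;
        false:false) echo crl-clone ;;
        *)           echo inconsistent ;;
    esac
}

# Return 0 when ca_host in default.conf $1 is one of the CA servers passed as
# the remaining arguments (the hosts 'ipa server-role-find' lists with the
# "CA server" role enabled). A ca_host left pointing at a removed master is
# what produced the thread's "Unable to communicate with CMS" error.
ca_host_ok() {
    conf=$1; shift
    host=$(cfg_get "$conf" 'ca_host')
    [ -n "$host" ] || return 1
    for s in "$@"; do
        [ "$host" = "$s" ] && return 0
    done
    return 1
}

# Constructed sample files standing in for the real configuration.
TMP=$(mktemp -d)
printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' > "$TMP/master.cfg"
printf 'ca.crl.MasterCRL.enableCRLCache=false\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$TMP/clone.cfg"
printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$TMP/half.cfg"
printf '[global]\nca_host = old-master.example.test\nrealm = EXAMPLE.TEST\n' > "$TMP/default.conf"

crl_role "$TMP/master.cfg"   # prints crl-master
crl_role "$TMP/half.cfg"     # prints inconsistent
ca_host_ok "$TMP/default.conf" new-ca1.example.test new-ca2.example.test \
    || echo "ca_host $(cfg_get "$TMP/default.conf" ca_host) is not a current CA server"
```

Run crl_role against every CA's CS.cfg and expect exactly one crl-master; run ca_host_ok on each enrolled server's default.conf with the current CA server list.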




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WBCCBOY5HOVQ4QFXIDGS4KX67UOQLVAV/
