Ricardo Mendes wrote:
> Hi Rob,
>
> Thank you for all your help so far. I haven't written back before, I've
> been swamped.
> Ok so I was going kinda crazy about the lost access to ldap. In the
> meantime we got developments on the server that had the freeipa replica
> and this is back up.
> So now I have this:
>
> - Master is malfunctioning. pki-tomcat can't connect to the CMS; as I had
> described before, this server is struggling.
> - Replica is working fine. I can access all services and everything
> seems operational apart from what would need the CA Master.
>
> Given this I was thinking that maybe the best scenario would be to
> promote the replica to master CA and completely decommission the failing
> server. I was going through this article, is this all I need to make the
> Replica the CA Master?
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/moving-crl-gen-old

You need to move the CRL generator and more importantly, set the CA
renewal master. Also check DNA ranges, and a few more things IIRC. I
think it's all in the docs.

I'd also stand up a 3rd master just in case.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
