Ricardo Mendes via FreeIPA-users wrote:
> Hello again Rob,
>
> I really would like to express my appreciation for the feedback you've
> been giving and trying to help, man, really amazing!
>
> I have detailed some of the issues I'm going through now here:
> https://lists.fedoraproject.org/archives/list/[email protected]/thread/I5W7WMOGUUWWBI7FLUQWJORJYL6QS6AT/
>
> But basically, I disabled DNSSEC Master on the first server (last lines
> of the output on that link). That went reasonably well apart from the
> "can't connect to CMS" error. So then when I tried to set up DNSSEC on
> the replica, it says there's already a DNSSEC key master. Basically
> anything that's done is out of sync.
See https://www.freeipa.org/page/Howto/DNSSEC#Migrate_DNSSEC_master_to_another_IPA_server

> One thing I did actually was to run "ipa-cacert-manage renew
> --self-signed" on the CA Master as I was looking to return to a more...
> comfortable/default configuration and also I was looking to see if maybe
> this would fix the pki-tomcat issue. It did not, but the command ran OK,
> but I think the other servers don't know about it.

Uhh. Your CA was already self-signed, wasn't it? All you did before was
replace the HTTP and LDAP certs, right?

> I also tried to set up another master.
>
> First installed ipa-client, output here: https://pastebin.com/4y8ipupc
> has some errors.

What is the server idi3? It reports as an IPA master but it wasn't
verified.

> Then when installing the replica, got the following:
> https://pastebin.com/JXVqSmLs
>
> So it fails with wrong credentials BUT that server (id01) is the server
> that is accepting the correct DM password, and so I'm not able to
> create another replica.

It isn't the DM password that is bad, it's something else. Look at the
log file as the output suggests, it may have additional details.

> - If I removed the references to CA Master on the replica (id01) and for
> the dnssec key master manually, deleting references, could I then re-add
> that role to other replicas?

You have to have a CA to clone from. For DNSSEC yes, see the link above.

> - Are there any files I can copy from the replica that is working (and
> accepting the correct DM password) to the first master, to restore some
> functionality? Or even some way to fix the pki-tomcat connection to LDAP?

It is likely not something that straightforward.
> Regarding the first master with the failing CMS, I've also been through
> Florence's blog, particularly this article:
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
> - the CS.cfg file seems normal with expected values
> - the "subsystemCert cert-pki-ca" is present
> - the private key can be read using the password
> - certmap.conf looks all correct
> - running the command "ldapsearch -LLL -D 'cn=directory manager' -W -b
>   uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso"
>   fails as the DM password is rejected. But I am 100% on the DM password and
>   the DM password works on the replica.

Then perhaps it really is different. The DM password isn't replicated.
You might try copying the hash from the working to the non-working
master. See
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
and then follow
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

> So I can't get past this on troubleshooting pki-tomcat.
>
> I've been with these issues for so long that I'm starting to think that I
> should just start a clean new setup and manually migrate things somehow?
> Everything just looks out of sync, completely broken and I am
> getting less hope each time. Been through the docs but the solutions
> proposed are not working, I've been trying a couple. There's always some
> errors, or it seems that something works, but then you realize it only
> worked locally, but was not propagated (like the dnssec key master).
> Don't know where to turn next.

It depends on how many entries you have. Migration in IPA is more meant
from a pure-LDAP solution to IPA. There is currently no easy IPA to IPA
migration, retaining everything as-it-was.
rob

> Kind regards,
> Ricardo
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
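Rob's point that the Directory Manager password is not replicated means the two masters can legitimately hold different nsslapd-rootpw hashes. The script below is an added example, not from this thread or the FreeIPA/389-ds projects: it reads the nsslapd-rootpw value out of a dse.ldif fragment (on a 389-ds/IPA server that file is /etc/dirsrv/slapd-<INSTANCE>/dse.ldif, readable as root, with the instance named after the realm, e.g. slapd-EXAMPLE-COM) and checks a candidate password against the hash offline. That tells you whether "wrong password" on the broken master is really a different hash before you copy anything between servers. It handles LDIF line folding and the `::` base64 form, and the salted SHA schemes {SSHA}, {SSHA256}, {SSHA512} plus {CLEAR}; the PBKDF2_SHA256 scheme that newer 389-ds builds can use is deliberately reported as unsupported rather than guessed at. The dse.ldif fragment, the password Secret123 and the fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac

# Salted-SHA schemes 389-ds can store in nsslapd-rootpw. The stored value is
# base64(digest || salt); everything after the digest is the salt.
_SALTED_SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA512": hashlib.sha512,
}


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line (RFC 2849 folding), which dse.ldif uses for long hashes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_rootpw(dse_text):
    """Return the nsslapd-rootpw value from a dse.ldif fragment, or None.
    Handles both 'attr: value' and base64 'attr:: value' LDIF forms."""
    for line in unfold_ldif(dse_text):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "nsslapd-rootpw":
            continue
        if value.startswith(":"):  # '::' means the value is base64-encoded
            return base64.b64decode(value[1:].strip()).decode("utf-8")
        return value.strip()
    return None


def make_salted_hash(scheme, password, salt):
    """Produce a 389-ds style '{SCHEME}base64(digest || salt)' value; used
    here only to build the constructed sample below."""
    digest = _SALTED_SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_rootpw(stored, password):
    """True if `password` matches the stored '{SCHEME}...' value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}hash value: %r" % stored[:16])
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme not in _SALTED_SCHEMES:
        # e.g. PBKDF2_SHA256 on newer 389-ds: not handled by this example
        raise ValueError("unsupported password scheme {%s}" % scheme)
    blob = base64.b64decode(payload)
    digest_len = _SALTED_SCHEMES[scheme]().digest_size
    digest, salt = blob[:digest_len], blob[digest_len:]
    expected = _SALTED_SCHEMES[scheme](pw + salt).digest()
    return hmac.compare_digest(expected, digest)


def dse_accepts(dse_text, password):
    """Does the DM password hash in this dse.ldif fragment match `password`?"""
    stored = extract_rootpw(dse_text)
    if stored is None:
        raise ValueError("no nsslapd-rootpw attribute in fragment")
    return check_rootpw(stored, password)


# --- constructed sample: the relevant bits of cn=config in dse.ldif ---
SAMPLE_PASSWORD = "Secret123"      # assumption for the example, not a real credential
_SAMPLE_SALT = bytes(range(8))     # fixed salt so the sample is deterministic
_sample_value = make_salted_hash("SSHA512", SAMPLE_PASSWORD, _SAMPLE_SALT)
SAMPLE_DSE = (
    "dn: cn=config\n"
    + "cn: config\n"
    + "nsslapd-rootdn: cn=Directory Manager\n"
    + "nsslapd-rootpw: " + _sample_value[:60] + "\n"
    + " " + _sample_value[60:] + "\n"      # LDIF-folded continuation line
    + "nsslapd-rootpwstoragescheme: SSHA512\n"
)
# Same attribute in the '::' base64 form some LDIF writers emit.
SAMPLE_DSE_B64 = "dn: cn=config\nnsslapd-rootpw:: " + base64.b64encode(
    _sample_value.encode("ascii")).decode("ascii") + "\n"


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python dmpw_check.py /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
    # With no argument it runs against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
        candidate = getpass.getpass("Directory Manager password: ")
    else:
        text, candidate = SAMPLE_DSE, SAMPLE_PASSWORD
    print("match" if dse_accepts(text, candidate) else "NO MATCH")
```

Run it once against each master's dse.ldif with the password you believe is correct; if the working master reports "match" and the broken one "NO MATCH", the hashes really do differ and the reset/copy procedure Rob links is the right next step. The script only reads the file; when you do copy a hash into dse.ldif, follow the linked howto and stop dirsrv first, since the running server rewrites that file on shutdown.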
