On 17/10/2023 at 17:23, Rob Crittenden wrote:
So if I've followed this thread correctly, what you're doing is:
- Taking replica ipa3? and forcibly disconnecting it from an existing
IPA installation
This is just because my IPA is in production so I removed ipa3 for the tests
- Trying to install a CA on it
that's right
Where does ipa4 come in? It's a replica of ipa3?
yes ipa4 is a replica of ipa3 and I used it for the ipa-replica-install
to reinstall ipa3
I was not able to remove ipa3 from ipa2 (a production replica)
this is another "creative" procedure
And when I try to start it manually ( systemctl start
[email protected] ), I get errors
SEVERE: Servlet.service() for servlet [caGetStatus] in context with
path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
You need to look in /var/log/pki/pki-tomcat/ca/debug<perhaps-date>
I will check that
You need to find in that log the last time the CA started and work down
from there to find an error, or errors. The usual bottom-up approach
won't work because the CA is persistent in trying to start and will
often move past errors that may be transient.
certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca         u,u,Pu
Server-Cert cert-pki-ca              u,u,u
CNRS2-Standard - CNRS                C,,
LIX.POLYTECHNIQUE.FR IPA CA          CT,C,C
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
CNRS2 - CNRS                         ,,
I tried to remove CNRS certs but then ipa-ca-install fails ( IndexError:
list index out of range )
I presume they are necessary because your existing HTTP and LDAP
certificates are essentially externally signed. So this is expected.
Well, maybe not a traceback.
I would like to delete CNRS2 certs, but ipa-ca-install does not work
and I remove them after ipa-ca-install ipactl restart does work
rob
Thank you
Frederic
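
The top-down log reading Rob describes (find the last CA start, then work down to the errors), as an added example that is not part of the original message. The startup marker string and the sample log lines are assumptions made for illustration; on a real server pass the CA debug log path and the line your CA actually writes at startup.

```sh
#!/bin/sh
# Added example, not from the thread. The default start marker and the sample
# log lines are assumptions: set the marker to the line your CA logs at startup.

# Print, top-down, the errors logged after the LAST startup marker, keeping
# indented continuation lines (stack frames) attached to the error they follow.
errors_since_last_start() {
    log=$1
    start_re=${2:-'SUBSYSTEM INITIALIZED'}    # assumed marker, adjust to your log
    err_re=${3:-'SEVERE|ERROR|Exception'}
    awk -v start_re="$start_re" -v err_re="$err_re" '
        $0 ~ start_re { start = NR; n = 0; in_err = 0; next }  # newer start: drop older hits
        !start        { next }                                 # nothing started yet
        $0 ~ err_re   { out[++n] = NR ": " $0; in_err = 1; next }
        in_err && /^[ \t]/ { out[++n] = NR ": " $0; next }     # stack-trace continuation
        { in_err = 0 }
        END {
            if (!start) { print "no startup marker matched" > "/dev/stderr"; exit 2 }
            print "last start at line " start
            for (i = 1; i <= n; i++) print out[i]
        }' "$log"
}

# Constructed sample: an earlier start with a transient error, then a later start.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-10-17 10:00:01 [main] SUBSYSTEM INITIALIZED
2023-10-17 10:00:02 [main] SEVERE: transient LDAP connection failure
2023-10-17 10:00:09 [main] INFO: retrying
2023-10-17 10:05:00 [main] SUBSYSTEM INITIALIZED
2023-10-17 10:05:01 [main] INFO: loading subsystems
2023-10-17 10:05:02 [main] SEVERE: unable to initialize subsystem
    at example.Constructed.frame(Constructed.java:1)
2023-10-17 10:05:03 [main] INFO: CA still starting
java.io.IOException: CS server is not ready to serve.
EOF
}

# Demo on the constructed sample; the error from the first start is not reported.
tmp=$(mktemp) && write_sample_log "$tmp" && errors_since_last_start "$tmp"
rm -f "$tmp"
```

The function exits with status 2 when the marker never matches, so a wrong marker is not mistaken for a clean log.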