tipex tipex via FreeIPA-users wrote:
> I've recently had a lot of trouble with CA on my FreeIPA 2 node cluster. Some
> amazing people on this forum have helped me fix the issues but it's got me
> thinking that I don't use CA as I have external certificates (LetsEncrypt) so
> could I get rid of it. Less stuff = less failures. I'm wondering if I could
> create two new machines (C and D) without CA installed and add them to the
> cluster. Then remove the two existing machines (A and B) which have CA
> installed. This way I remove CA but keep all my users and settings that are
> currently in FreeIPA. Does this sound feasible or am I asking for problems?
> Thanks
There is not a trivial way to go from a CA to a CA-less installation. IPA will complain mightily if you try to do what you are proposing as it expects the internal CA is providing the required certificates.

A way you might consider instead is to try ipa-migrate. You'd create a new IPA installation with the same realm, domain, etc. but with no CA. To do this you'll need to provide the Apache, DS and PKINIT certificates. Then you can try migrating your existing IPA entries to it. It should pull in all records and give you effectively an identical server without the original CA.

It's a risk-free thing to try as long as you're careful. All clients will need to be re-enrolled into the new migrated IPA domain. You'll also have to manage renewal of your certificates yourself.

rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
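The CA-less replacement server described in the reply has to be fed externally issued certificates at install time, and from then on nobody but the admin watches their expiry. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the LetsEncrypt-issued HTTP and DS certificates are unencrypted PEM files at the placeholder paths shown, checks each pair before ipa-server-install is run (key matches the cert, SAN covers the server FQDN, at least MIN_DAYS of validity left, chain verifies against the bundle handed to --ca-cert-file), and assembles the install command. A public CA will not issue the KDC certificate PKINIT needs (it requires the KDC EKU and a realm otherName in the SAN), so the example passes --no-pkinit; substitute --pkinit-cert-file if you do have a suitable certificate. The realm, domain, hostname and threshold are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): preflight checks for
# externally issued (e.g. LetsEncrypt) certificates before a CA-less
# ipa-server-install, plus the resulting install command line.
# All paths, names and thresholds below are placeholders to adjust.
set -eu

IPA_REALM=EXAMPLE.TEST
IPA_DOMAIN=example.test
IPA_FQDN=ipa1.example.test
HTTP_CERT=/root/certs/http.crt
HTTP_KEY=/root/certs/http.key
DS_CERT=/root/certs/dirsrv.crt
DS_KEY=/root/certs/dirsrv.key
CA_CHAIN=/root/certs/chain.pem   # issuing CA chain, passed via --ca-cert-file
MIN_DAYS=14                      # refuse certs that expire sooner than this

# Does the SAN text openssl prints ("DNS:a, DNS:b, ...") list exactly this FQDN?
# Whole-entry match (-x) so "DNS:sub.b.example.test" never satisfies "b.example.test".
san_covers_host() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Check one service certificate: key matches, SAN covers the FQDN,
# enough validity left, and it chains to CA_CHAIN.
preflight_cert() {
    cert="$1"; key="$2"; host="$3"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "ERROR: $key does not match $cert" >&2; return 1; }
    # "-ext subjectAltName" prints a header line, then the comma-separated entries
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2)
    san_covers_host "$san" "$host" \
        || { echo "ERROR: SAN of $cert does not cover $host" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null \
        || { echo "ERROR: $cert expires within $MIN_DAYS days" >&2; return 1; }
    openssl verify -CAfile "$CA_CHAIN" "$cert" >/dev/null \
        || { echo "ERROR: $cert does not chain to $CA_CHAIN" >&2; return 1; }
    echo "OK: $cert"
}

# Assemble the CA-less install command. Cert and key may be passed as separate
# files by repeating the --*-cert-file option. Keys are assumed unencrypted;
# for encrypted keys add --http-pin / --dirsrv-pin.
build_install_cmd() {
    realm="$1"; domain="$2"; host="$3"
    printf 'ipa-server-install --realm=%s --domain=%s --hostname=%s' "$realm" "$domain" "$host"
    printf ' --http-cert-file=%s --http-cert-file=%s' "$HTTP_CERT" "$HTTP_KEY"
    printf ' --dirsrv-cert-file=%s --dirsrv-cert-file=%s' "$DS_CERT" "$DS_KEY"
    printf ' --ca-cert-file=%s --no-pkinit\n' "$CA_CHAIN"
}

main() {
    preflight_cert "$HTTP_CERT" "$HTTP_KEY" "$IPA_FQDN"
    preflight_cert "$DS_CERT" "$DS_KEY" "$IPA_FQDN"
    echo "Preflight passed. Install with:"
    build_install_cmd "$IPA_REALM" "$IPA_DOMAIN" "$IPA_FQDN"
}

# Run the checks only when explicitly asked, e.g. RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then main; fi
```

Once the new server is installed, ipa-migrate is run against the old one as the reply describes (see its man page for the bind and dry-run options rather than guessing them). Because certmonger is not tracking these certificates, the same preflight_cert check is worth wiring into whatever renews the LetsEncrypt certificates, with the renewed files then installed via ipa-server-certinstall (-w for the HTTP certificate, -d for the DS one) before the 90-day lifetime runs out.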