We aren't sure what it is you've done here.

Near as I can piece together, you have two servers, and both had expired
certificates plus the issue where the rewrite configuration wasn't
present, causing ACME to not work.

So you fixed the rewrite configuration then ran ipa-cert-fix on one
server and that fixed it? And then, what, you ran ipa-cert-fix again on
the second server? And that removed the KRA service?

Do you have the original /var/log/ipaserver-install.log (or
replica-install.log or ipaserver-kra-install.log) on this host with the
missing KRA? Can you confirm that the KRA was actually installed on it?

Does /etc/pki/pki-tomcat/kra/ exist?

rob

Ian Kumlien wrote:
> It used to work, and I have never used --disable-role-check in my life...
> 
> On Wed, Apr 30, 2025 at 1:07 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>>
>> Hi,
>>
>> On Wed, Apr 30, 2025 at 10:31 AM Ian Kumlien <ian.kuml...@gmail.com> wrote:
>>>
>>> On Tue, Apr 29, 2025 at 7:15 PM Florence Blanc-Renaud <f...@redhat.com> 
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 29, 2025 at 4:39 PM Ian Kumlien via FreeIPA-users 
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>
>>>>> On Tue, Apr 29, 2025 at 4:30 PM Rob Crittenden <rcrit...@redhat.com> 
>>>>> wrote:
>>>>>>
>>>>>> Ian Kumlien wrote:
>>>>>>> This and changing the permissions on certs pkiuser:pkiuser fixed it on
>>>>>>> that machine, what remains is:
>>>>>>> Error: Local roles CA, DNS, DNSKeySync do not match globally used
>>>>>>> roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
>>>>>>> be complete enough to restore a fully functional, identical cluster.
>>>>>>> The ipa-backup command failed. See /var/log/ipabackup.log for more 
>>>>>>> information
>>>>>>
>>>>>> What is unclear about the message?
>>>>>
>>>>> A lot - it broke by running ipa-cert-fix
>>>>>
>>>>>> An IPA backup is a disaster recovery tool. There is no need to use it to
>>>>>> back up every single host in a cluster for the reason outlined.
>>>>>> ipa-restore is used when things are completely hosed. It requires that
>>>>>> any existing replicas be force re-initialized.
>>>>>
>>>>> It used to work, it worked until I ran ipa-cert-fix
>>>>>
>>>>> To me it sounds more like ipa-cert-fix did something that broke the
>>>>> state of that node.
>>>>
>>>> ipa-cert-fix does one change related to roles: it sets the host where it
>>>> is executed as CA renewal master. It does not remove CA/DNS/DNSKeySync/KRA
>>>> instances.
>>>> Can you show the output of ipa config-show on your 2 nodes?
>>>
>>> Node-1 - where ipa-backup doesn't work anymore:
>>> ipa config-show
>>>   Maximum username length: 32
>>>   Maximum hostname length: 64
>>>   Home directory base: /home
>>>   Default shell: /bin/bash
>>>   Default users group: ipausers
>>>   Default e-mail domain: virt.demius.net
>>>   Search time limit: 2
>>>   Search size limit: 100
>>>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>>>   Group search fields: cn,description
>>>   Enable migration mode: False
>>>   Certificate Subject base: O=VIRT.DEMIUS.NET
>>>   Password Expiration Notification (days): 4
>>>   Password plugin features: AllowNThash
>>>   SELinux user map order:
>>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>>   Default PAC types: MS-PAC, nfs:NONE
>>>   IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>   IPA master capable of PKINIT: freeipa1.virt.demius.net,
>>> freeipa2.virt.demius.net
>>>   IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>   IPA CA renewal master: freeipa2.virt.demius.net
>>>   IPA KRA servers: freeipa2.virt.demius.net
>>>   IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>
>>> Node 2 - works after the modifications and some workarounds:
>>> ipa config-show
>>>   Maximum username length: 32
>>>   Maximum hostname length: 64
>>>   Home directory base: /home
>>>   Default shell: /bin/bash
>>>   Default users group: ipausers
>>>   Default e-mail domain: virt.demius.net
>>>   Search time limit: 2
>>>   Search size limit: 100
>>>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>>>   Group search fields: cn,description
>>>   Enable migration mode: False
>>>   Certificate Subject base: O=VIRT.DEMIUS.NET
>>>   Password Expiration Notification (days): 4
>>>   Password plugin features: AllowNThash
>>>   SELinux user map order:
>>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>>   Default PAC types: MS-PAC, nfs:NONE
>>>   IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>   IPA master capable of PKINIT: freeipa1.virt.demius.net,
>>> freeipa2.virt.demius.net
>>>   IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>   IPA CA renewal master: freeipa2.virt.demius.net
>>>   IPA KRA servers: freeipa2.virt.demius.net
>>>   IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>>
>> IMO it's the missing KRA role on freeipa1 that prevents the backup. Are you 
>> sure the command used to work? Or maybe you were using ipa-backup 
>> --disable-role-check on this specific node?
>>
>> flo
> 

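As an added example (not part of this thread and not FreeIPA project code), the script below parses the `ipa config-show` output quoted above and reports, for a given host, which globally used roles that host does not hold; that is the comparison behind the "Local roles ... do not match globally used roles" error from ipa-backup. It also folds in the local check Rob asks for, whether /etc/pki/pki-tomcat/kra/ exists, so the topology view and the on-disk state can be compared in one place. The embedded sample is the thread's own config-show listing, trimmed to the relevant lines; the function names are mine, the PKI root is a parameter, and DNSKeySync is not covered because config-show does not list it.

```python
"""Compare a FreeIPA host's globally recorded roles with its local state.

ipa-backup's role check refuses to run when the roles this host holds differ
from the roles used anywhere in the topology. `ipa config-show` lists the
per-role server sets, so parsing it reproduces the comparison and names the
role a host is missing.
"""
import sys
from pathlib import Path

# Constructed sample: the config-show output quoted in this thread, trimmed
# to the lines the check needs. The folded PKINIT line and the unindented
# SELinux map line are kept exactly as they appear in the mail.
SAMPLE_CONFIG_SHOW = """\
  Maximum username length: 32
  SELinux user map order:
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA master capable of PKINIT: freeipa1.virt.demius.net,
freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
"""

# Roles that config-show reports as a server list. DNSKeySync, which the
# ipa-backup error also names, is not listed by config-show, so it is not
# covered here.
ROLE_KEYS = {
    "CA": "IPA CA servers",
    "KRA": "IPA KRA servers",
    "DNS": "IPA DNS servers",
}


def parse_config_show(text):
    """Turn config-show output into a dict.

    Indented `key: value` lines start a field; an unindented line is a value
    the CLI folded onto the next line and is appended to the previous field
    (this is what happens to the PKINIT and SELinux lines above).
    """
    fields = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and ":" in raw:
            key, _, value = raw.strip().partition(":")
            fields[key] = value.strip()
        elif key is not None:
            fields[key] = (fields[key] + " " + raw.strip()).strip()
    return fields


def servers(fields, key):
    """Set of hostnames in a comma-separated server-list field."""
    return {h.strip() for h in fields.get(key, "").split(",") if h.strip()}


def global_roles(fields):
    """Roles used by at least one server in the topology."""
    return {role for role, key in ROLE_KEYS.items() if servers(fields, key)}


def host_roles(fields, host):
    """Roles the topology records for one host."""
    return {role for role, key in ROLE_KEYS.items() if host in servers(fields, key)}


def missing_roles(fields, host):
    """Globally used roles this host does not hold (what ipa-backup objects to)."""
    return global_roles(fields) - host_roles(fields, host)


def kra_instance_present(pki_root="/etc/pki/pki-tomcat"):
    """The local check from the thread: a KRA install leaves /etc/pki/pki-tomcat/kra/
    behind. pki_root is a parameter so the check can be pointed at a copied tree."""
    return Path(pki_root, "kra").is_dir()


def assess(fields, host, kra_dir_present):
    """Combine the topology view with the local KRA directory check.

    Returns a list of findings; an empty list means the host is consistent
    with the topology and ipa-backup's role check should pass on it.
    """
    findings = []
    missing = missing_roles(fields, host)
    if missing:
        findings.append("host lacks globally used roles: " + ", ".join(sorted(missing)))
    topology_says_kra = "KRA" in host_roles(fields, host)
    if topology_says_kra and not kra_dir_present:
        findings.append("topology lists this host as a KRA server but no KRA instance directory exists")
    if kra_dir_present and not topology_says_kra:
        findings.append("a KRA instance directory exists but the topology does not list this host as a KRA server")
    return findings


if __name__ == "__main__":
    # Usage: ipa config-show | python3 role_check.py <this-host-fqdn>
    # Without piped input the sample above is used.
    host = sys.argv[1] if len(sys.argv) > 1 else "freeipa1.virt.demius.net"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG_SHOW
    for finding in assess(parse_config_show(text), host, kra_instance_present()) or ["no role mismatch found"]:
        print(finding)
```

Run against the thread's listing for freeipa1.virt.demius.net, the script reports only the missing KRA role, which matches the error in the original mail; for freeipa2.virt.demius.net it reports nothing, which matches the node on which ipa-backup still works. The two KRA findings in `assess` separate the case the thread is chasing (topology and disk disagree) from a plain role difference between replicas, which ipa-backup treats the same way.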
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
