Hi Deon, Dmitri, and all,
> >> Hi folks,
> >> I'm completely lost at reading the IPA document on how to promote an IPA
> >>replica into a master IPA. When I try to follow the steps listed in the
> >>chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at
> >>the link
> >> the last step 'g' said:
> >> g. Disable the redirect settings for CRL generation requests:
> >> master.ca.agent.host=hostname
> >> master.ca.agent.port=port number
> >> The above instructions don't give any hints about 'hostname' or 'port
> >> number'. Users don't have any clues about them: should they be this
> >> replica's name, or the original master's name? And what is the port
> >> number? Is it a TCP port, or a UDP port?
> >The replica is configured to check for information from the master CA -- in
> >this case, asking the master CA to generate a CRL. Those parameters tell the
> >replica where to look. Part of promoting the replica is telling it *not* to
> >look for a master CA. So, those parameters should be blanked or removed.
> >I can definitely make that more clear.
> Have you used a --selfsign option when you installed the first server?
> If you did, you installed the server without CA. This is an advanced option
> for those who know why they do not want the CA at all.
> The standard, default way is to not provide --selfsign flag.
> This will install CA on the first replica. On the other replicas you can have
> a CA at your discretion. Or add it later if you did not install it at the
It's my pleasure to clarify here: no '--selfsign' option was used to create the IPA
master, or the first replica, or the other replica siblings. But the Dogtag
installation results are:
IPA master has the Dogtag system installed, and the
'/var/lib/pki-ca/conf/CS.conf' file created. Inside there was not
IPA replica (first replica and its siblings): NO Dogtag certificate system was
automatically installed. Not even a /var/lib/pki-ca/ directory.
By the way, on the document page, the commands 'service pki-ca stop' and
'service pki-ca start' were wrong too -- as there was only a 'pki-cad' service,
not 'pki-ca'. :)
So, please have the migration page updated and submit it here so that users can
follow the updated version and give you more feedback immediately. It looks
like a win-win solution.
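Step 'g' as discussed in the thread amounts to blanking the two `master.ca.agent.*` keys in the CA's configuration. The script below is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it blanks exactly those two keys in a key=value config file, keeps a backup, and runs against a constructed sample file (the real file path is an assumption; the sample values are invented).

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread or the FreeIPA project).
# Blanks the CRL redirect settings master.ca.agent.host / master.ca.agent.port
# in a Dogtag-style key=value config file, keeping a .bak copy of the original.
set -eu

# Blank the value of the two redirect keys; every other line is left untouched.
# The original file is preserved as "$cfg.bak" and used as the sed input, so
# this works with any POSIX sed (no GNU "-i" needed).
disable_crl_redirect() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"
    sed -e 's/^master\.ca\.agent\.host=.*/master.ca.agent.host=/' \
        -e 's/^master\.ca\.agent\.port=.*/master.ca.agent.port=/' \
        "$cfg.bak" > "$cfg"
}

# Print the value stored for a key (empty if the key is blanked or absent).
cfg_value() {
    cfg="$1"; key="$2"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^$esc=//p" "$cfg"
}

# Constructed sample standing in for a real CA config file; hostname and
# port are invented and carry no meaning beyond this example.
make_sample() {
    cat > "$1" <<'EOF'
ca.crl.MasterCRL.enableCRLUpdates=true
master.ca.agent.host=ipa-master.example.test
master.ca.agent.port=9443
ca.listenToCloneModifications=true
EOF
}

# Stand-alone run: create the sample in a temp file, blank the keys, show result.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample "$f"
    disable_crl_redirect "$f"
    cat "$f"
fi
```

Run with `sh script.sh demo` to see the sample file after the two keys are blanked; compare against the `.bak` copy before applying the same change to a real CA configuration.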
Freeipa-users mailing list