On 05/10/2012 05:42 PM, Ade Lee wrote:
> David,
>
> The simplest solution may be as Rob suggests - which is to create a new
> CA as a subordinate of the old.
>
> The other solution would be doable but would require a few more manual
> steps. That is, you could:
> 1. install a new ca
> 2. switch out the certs in that ca with the ones in your gpg file. The
> certificate database is in /var/lib/pki-ca/alias
> 3. There may be some manual changes required in /etc/pki-ca/CS.cfg, but
> as the nicknames should be the same, you might be ok.
> 4. If you go this route, you probably want to change the lower point of
> the serial number ranges used for certs/requests in CS.cfg to not reuse
> serial numbers for certs you have already issued.
> 5. Switch out the ipa agent cert/keys in the IPA cert database.
>
> You will run into problems later though because you have lost the data
> in the dogtag database.
>
> In particular, because the renewal process uses the original requests
> (which are stored in the dogtag database), you will likely be unable to
> renew the certs you have already issued unless you rekey those certs.
>
> That may be OK for most certs, but you may not want to do that for the
> CA signing cert. In that case, you will likely need to instrument
> something to reconstruct the original request.
>
> https://fedorahosted.org/freeipa/ticket/2749
> Ade
> On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote:
>> David Copperfield wrote:
>>> Hi Petr and all,
>>>
>>> All the chapters you have pointed out have been read many times, but that
>>> doesn't help at all.
>>>
>>> My problem is: the Dogtag system ran on the IPA master ONLY before the
>>> IPA Master crashed. Now I have to do the following:
>>>
>>> 1. install and run Dogtag system on IPA replica -- the document
>>> mentioned it -- 'ipa-ca-install' and etc.
>>>
>>> 2. promote the IPA replica into new IPA Master -- document mentioned it
>>> but not clear -- regarding the /root/cacert.p12 key file and the replica
>>> file under /var/lib/ipa.
>>>
>>> 3. how to recover the dogtag system's data (different LDAP backend) that
>>> existed on the IPA master before it crashed?
>>>
>>> Other close questions include:
>>>
>>> what is included in the replica definition file
>>> /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? where is the
>>> signing key and how to open the .gpg file?
>> # gpg -d /path/to/replica.gpg | tar xf -
>>
>> The password is the Directory Manager password.
>>
>> You have limited options since your CA was a single point of failure and
>> it failed. The root CA private keys should be in the replica file so
>> there may be ways to recover, all of them will require significant
>> manual effort.
>>
>> We have no way to add a new CA to an existing IPA installation outside
>> of ipa-ca-install so we'll need to give that some thought. I think the
>> simplest way to fix this is to create a new CA as a subordinate of the
>> original one. The existing certs should still be trusted (except for the
>> agent cert) so mass rekeying won't be necessary.
>>
>> Another option is to install a new CA and try to replace the key with the
>> original. We'd need to think long-term about this effort and you'd want
>> to renew all issued certificates so they will be revokable.
>>
>> rob
>>
>>
>>> Thanks.
>>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Petr Spacek <[email protected]>
>>> *To:* [email protected]
>>> *Sent:* Thursday, May 10, 2012 2:45 AM
>>> *Subject:* Re: [Freeipa-users] How to rebuild IPA master?
>>>
>>> On 05/10/2012 02:24 AM, Steven Jones wrote:
>>> > Hi,
>>> >
>>> > In case everyone else is asleep now......
>>> >
>>> > Do you have access to RH documentation? the 6.3beta admin guide section 18.8
>>> > talks about why and how to make a replica a master.
>>>
>>> Just for completeness:
>>> Documentation is publicly available: http://docs.redhat.com/
>>>
>>> Documentation for IPA beta:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html
>>>
>>> Documentation for latest stable IPA:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>> >
>>> > eg.,
>>> >
>>> > "NOTE
>>> > All servers and replicas which host a CA are peers in the topology. They can
>>> > all issue certificates
>>> > and keys to IPA clients, and they all replicate information amongst themselves.
>>> > The only reason to promote a replica or server to be a master server is if the
>>> > master server is
>>> > being taken offline. There has to be a root CA which can issue CRLs and
>>> > ultimately validate
>>> > certificate checks.
>>> > Aside from that, replicas, servers, and the master server are all equal peers."
>>> >
>>> > regards
>>> >
>>> > Steven Jones
>>> >
>>> > Technical Specialist - Linux RHCE
>>> >
>>> > Victoria University, Wellington, NZ
>>> >
>>> > 0064 4 463 6272
>>> >
>>> >
>>> > ------------------------------------------------------------------------------
>>> > *From:* [email protected] [[email protected]] on
>>> > behalf of David Copperfield [[email protected]]
>>> > *Sent:* Thursday, 10 May 2012 11:04 a.m.
>>> > *To:* Rob Crittenden; [email protected]
>>> > *Subject:* [Freeipa-users] How to rebuild IPA master?
>>> >
>>> > Hi all,
>>> >
>>> > I've an IPA master/replica setup in our development environment. Unfortunately
>>> > our IPA master crashed; the replica is working fine. Now I have the IPA master
>>> > re-imaged.
>>> >
>>> > What are the steps I have to follow to re-create the IPA master from the running
>>> > IPA replica? Before the crash the IPA master ran the dogtag certificate system, while
>>> > the IPA replica didn't -- created normally without the --setup-ca option.
>>> >
>>> > Thanks.
>>> >
>>> > --David
>>> >
>>> >
>>> > _______________________________________________
>>> > Freeipa-users mailing list
>>> > [email protected]
>>> > https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
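As an added example (not from this thread, nor from the FreeIPA or Dogtag projects), the script below implements the check behind Ade's step 4: before a rebuilt CA issues anything, raise the lower bound of the serial and request ranges in CS.cfg above every number the crashed CA is known to have used. It assumes the `dbs.beginSerialNumber`/`dbs.endSerialNumber` and `dbs.beginRequestNumber`/`dbs.endRequestNumber` keys hold hexadecimal values; the CS.cfg fragment and the issued serials are constructed sample data.

```python
import re

# Constructed sample of the relevant /etc/pki-ca/CS.cfg lines (not a real file).
# Assumption: Dogtag keeps these range bounds as hexadecimal strings.
SAMPLE_CS_CFG = """\
dbs.beginSerialNumber=1
dbs.endSerialNumber=10000000
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
"""

# Constructed: hex serials of certs the crashed CA already issued
# (e.g. gathered with `openssl x509 -noout -serial` over the surviving certs).
ISSUED_SERIALS_HEX = ["1", "2", "3", "0b", "1f"]
# Constructed: hex request ids recorded for those certs, where still known.
ISSUED_REQUEST_IDS_HEX = ["1", "2", "3", "4", "5"]


def get_hex(cfg_text, key):
    """Return the hex value of a `key=value` line in CS.cfg text as an int."""
    m = re.search(r"^%s=([0-9a-fA-F]+)$" % re.escape(key), cfg_text, re.M)
    if m is None:
        raise KeyError(key)
    return int(m.group(1), 16)


def set_hex(cfg_text, key, value):
    """Rewrite the `key=value` line with a new uppercase hex value."""
    return re.sub(r"^%s=.*$" % re.escape(key), "%s=%X" % (key, value),
                  cfg_text, flags=re.M)


def safe_begin(used_hex, gap=0x1000):
    """Lowest number safe to hand out next: past every known-used value, plus a
    gap for certs issued before the crash whose records were lost with the DB."""
    return max(int(s, 16) for s in used_hex) + 1 + gap


def bump_range(cfg_text, begin_key, end_key, used_hex, gap=0x1000):
    """Raise begin_key above the used values without crossing end_key.
    Returns the edited CS.cfg text, or the input unchanged if already safe."""
    new_begin = safe_begin(used_hex, gap)
    end = get_hex(cfg_text, end_key)
    if new_begin >= end:
        raise ValueError("%s=%X would exceed %s=%X" % (begin_key, new_begin, end_key, end))
    if get_hex(cfg_text, begin_key) >= new_begin:
        return cfg_text
    return set_hex(cfg_text, begin_key, new_begin)


def bump_cert_and_request_ranges(cfg_text, serials_hex, request_ids_hex, gap=0x1000):
    """Apply bump_range to both the certificate and the request ranges."""
    cfg_text = bump_range(cfg_text, "dbs.beginSerialNumber", "dbs.endSerialNumber", serials_hex, gap)
    return bump_range(cfg_text, "dbs.beginRequestNumber", "dbs.endRequestNumber", request_ids_hex, gap)
```

A real CS.cfg carries more range-related keys than the sample; the gap only guards against serials you failed to enumerate, so collect every surviving certificate before choosing it.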
