Rolf Brusletto wrote:
Yeah, that probably wasn't very clear...

Original - IPA instance w/ DNS, and no Dogtag
Replica - IPA instance w/ DNS, and no Dogtag

The devil is always in the details. For user data yes, there is no difference between the initially installed master and any others. It is the CA where things get problematic.

In your case, where you used --selfsign when installing, your CA is only on the initial master. You might want to take a look at section 18.8.2 here:

If you try to run ipa-replica-prepare on your second master it will refuse to do so because it lacks a CA. You need to fetch it from the current master, or restore the PKCS#12 file you were warned to back up after the initial installation. In your case you also need to create a serial number file (if you don't have this you can always pick a new starting value).


On 8/8/12 3:34 PM, Rob Crittenden wrote:
Rolf Brusletto wrote:
We had a rather severe issue last night on our primary IPA server (ver
2.2.0), but the replica is still happily plugging along, which is very
nice. My question is, there is very, very little I can do with the
'master'. From what I've read, there isn't any replication, and I just
want to verify that a replica is just another master, assuming you're
not using the CA option. If so, when I rebuild the primary server, do I
just configure it to be a replica to what was the secondary?

Just to be clear, you installed the original server with a dogtag CA
installed? And then you created a replica but didn't configure a CA on


