So far I'm working through this, so I made ipam002 the new self cert holder and
deleted the old "master" ipam001. Built a new ipam001 from scratch and joined
it, all OK. There was however an ipam003; the replication agreements at least
for that had to be redone. Without knowing the topology of course you wouldn't
have realised that.
I've applied the bind.ldap fix and 389 hotfix for the winsync problem...
Now to test.
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 8 November 2012 8:47 a.m.
To: Steven Jones
Subject: Re: [Freeipa-users] Rebuilding the failing original IPA master
Steven Jones wrote:
> The master was 6.2 upgraded to 6.3; it's got a "bad schema" so the advice I
> have is to rebuild it.
> I have 2 replicas they also were upgraded but "blew up" so were rebuilt as
> fresh 6.3, both these are fine, replicating and working perfectly.
> I don't use CA, it's just self signed on them..
OK, details are important here. Terms like "blew up" and "bad schema"
leave me guessing exactly what you mean.
So if I understand it correctly you have a 2.1.3 -> 2.2.0 master that is
limping along and two freshly installed 2.2.0 masters and you'd like to
uninstall and re-install the server whose upgrade didn't go well.
With a selfsign CA there is only one that is the CA, so if that is the
server you want to re-create you'll need to promote one of the working
2.2.0 servers to be the CA.
I think the basic steps would be:
- promote one of the 2.2.0 masters to be the new CA
- verify that the new CA can issue certs
- remove the server that failed upgrading (ipa-replica-manage del
- Follow the CLEANRUV docs at
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (starts about
midway down the page)
- ipa-server-install --uninstall on the decommissioned server
- prepare a new replica file
Note that selfsign is not supported in RHEL. You'll need to refer to the
Fedora docs on how to do that, see section 16.8.2 at
Unfortunately the docs are wrong. You want to use the NSS database in
/etc/httpd/alias and not the DS instance. The cacert.p12 comes from the
file you saved after the initial install. You saved that, right?
If not, you can run this on the old master to re-create it:
# pk12util -o /tmp/cacert.p12 -d /etc/httpd/alias -n '$REALM IPA CA' -k
These are some instructions one of our engineers wrote up when he needed
to do this himself. You can probably skip step 1 as you already have a
couple of working replicas.
Tread carefully. If you lose your CA you won't have the ability to
create new replicas, issue server certs, do much of anything.
1) Install replica
2) Copy CA serial number setting from master to replica:
# scp /var/lib/ipa/ca_serialno new_ca.example.com:/var/lib/ipa/
3) On replica, set correct owner and permissions:
# chown root:apache /var/lib/ipa/ca_serialno
# chmod 550 /var/lib/ipa/ca_serialno
4) Restore SELinux context on serial file:
# restorecon /var/lib/ipa/ca_serialno
5) Copy CA certificate and pwdfile.txt from master to replica:
# scp /etc/httpd/alias/cacert.p12 /etc/httpd/alias/pwdfile.txt
7) On replica, import the CA certificate:
# pk12util -i ~/cacert.p12 -w ~/pwdfile.txt -d /etc/httpd/alias/ -k
8) The list of certificates in NSS database (including the one imported)
# certutil -L -d /etc/httpd/alias/
However, since pk12util import util is not capable of setting a correct
certificate nickname, the imported certificate will have a nickname like
"CN=$REALM Certificate Authority", which is not recognized by IPA
The following procedure can be used to set a correct nickname of the
a) Export the certificate
# certutil -d /etc/httpd/alias/ -L -n 'CN=$REALM Certificate Authority' -a >
b) Delete the old certificate (NSS database /etc/httpd/alias/ should be
up before this step):
# certutil -d /etc/httpd/alias/ -D -n 'CN=$REALM Certificate Authority'
c) Import the certificate with correct nickname:
# certutil -A -n "$REALM IPA CA" -d /etc/httpd/alias/ -f
/etc/httpd/alias/pwdfile.txt -i /root/cacert.crt -a -t CTu,u,Cu
9) Enable certificate operations on IPA replica:
# echo "enable_ra=True" >> /etc/ipa/default.conf
10) Reload web server to pick up new configuration:
# service httpd reload
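An added check, not code from the thread or from FreeIPA, that confirms after step 10 that the promoted replica is in the state the procedure expects: the CA certificate in /etc/httpd/alias under the nickname IPA looks for ("$REALM IPA CA") with CTu,u,Cu trust rather than the nickname pk12util assigns, and enable_ra=True in /etc/ipa/default.conf. The parse_certutil_list/audit_ca functions, the sample certutil output and the EXAMPLE.COM realm are constructed assumptions.

```python
import configparser
import subprocess

NSS_DB = "/etc/httpd/alias"            # NSS database httpd/IPA use (not the DS instance)
DEFAULT_CONF = "/etc/ipa/default.conf"
EXPECTED_TRUST = "CTu,u,Cu"            # trust flags passed to certutil -A in step 8c

def parse_certutil_list(output):
    """Map nickname -> trust flags from `certutil -L -d <db>` text.
    Nicknames may contain spaces, so the trust column is the last field."""
    certs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        nickname, _, trust = line.rpartition(" ")
        if nickname and trust:
            certs[nickname.rstrip()] = trust
    return certs

def audit_ca(certutil_output, conf_text, realm):
    """Return a list of problems; an empty list means the replica can act as CA."""
    problems = []
    certs = parse_certutil_list(certutil_output)
    wanted = f"{realm} IPA CA"                   # nickname IPA looks for
    stale = f"CN={realm} Certificate Authority"  # nickname pk12util -i assigns
    if wanted not in certs:
        problems.append(f"no certificate nicknamed '{wanted}' in {NSS_DB}")
        if stale in certs:
            problems.append(f"found '{stale}': re-import it with certutil -A -n '{wanted}'")
    elif certs[wanted] != EXPECTED_TRUST:
        problems.append(f"'{wanted}' has trust {certs[wanted]}, expected {EXPECTED_TRUST}")
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.getboolean("global", "enable_ra", fallback=False):
        problems.append(f"enable_ra is not True in {DEFAULT_CONF}")
    return problems

def live_audit(realm):
    """Same checks against the real host (needs certutil and read access)."""
    out = subprocess.run(["certutil", "-L", "-d", NSS_DB], capture_output=True,
                         text=True, check=True).stdout
    with open(DEFAULT_CONF) as f:
        return audit_ca(out, f.read(), realm)

# Constructed sample: DB and config as they look right after step 7 (pk12util -i).
SAMPLE_CERTUTIL = """Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

CN=EXAMPLE.COM Certificate Authority     u,u,u
Server-Cert                              u,u,u
"""
SAMPLE_CONF = "[global]\nrealm = EXAMPLE.COM\nhost = ipa002.example.com\n"
```

Run `live_audit("EXAMPLE.COM")` on the promoted replica; `audit_ca(SAMPLE_CERTUTIL, SAMPLE_CONF, "EXAMPLE.COM")` shows the three findings a half-finished promotion produces.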