On Thu, Aug 29, 2013 at 11:10 AM, Rob Crittenden <rcrit...@redhat.com>wrote:

> Bret Wortman wrote:
>
>> A bit of googling has led me to understand that we must have created the
>> original server with --selfsign, and that locked us into something bad
>> which is now causing us problems. I'm not sure how this happened, since
>> we actually created our original instance on a different server, created
>> ipamaster as a replica of that one, then ran ipa-ca-install on ipamaster
>> to make it the new CA. How did it end up in this state?
>>
>> Anyway, is there ANY way around this? Can I simply ignore this, break
>> the replication agreement as Simo suggested, rebuild ipamaster,
>> replicate ipamaster2 to the new ipamaster, and then somehow make
>> ipamaster be a CA using Dogtag? Will that screw up all the clients?
>>
>
> I think we should pause and take a look at your installation.
>
> I'd check all your current masters, whether they are currently working or
> not. Look at the value of ra_plugin in /etc/ipa/default.conf. That controls
> what IPA thinks the CA is.
>
> on ipamaster: ra_plugin=dogtag

and either that same value or the ra_plugin doesn't exist on the replicas.
On ipamaster2, the one I just installed, there is no ra_plugin in the file.


> Then check to see if you have dogtag running on any of these systems. This
> will include a 2nd 389-ds instance, /etc/dirsrv/slapd-PKI-IPA and,
> depending on your distro, a PKI service like pki-tomcatd@pki-tomcat.**service.
> You can optionally see if /etc/pki/pki-tomcat exists.
>
> ipamaster definitely has a /etc/dirsrv/slapd-PKI-IPA directory, with files
updated fairly recently (within the past 30 minutes - lse.ldif and
lse.ldif.bak, others updated yesterday). I also have a pki-tomcatd@.service
file and a pki-tomcatd.target. no /etc/pki/pki-tomcat.

ipamaster2 only has /etc/dirsrv/slapd-FOO-NET. It does have
pki-tomcatd.target and pki-tomcatd@.service. No /etc/pki/pki-tomcat.


> There is currently no way post-install to add a dogtag instance.
>
> rob
>
>
>>
>> _
>> _
>> *Bret Wortman*
>>
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>> On Thu, Aug 29, 2013 at 9:24 AM, Bret Wortman
>> <bret.wort...@damascusgrp.com 
>> <mailto:bret.wortman@**damascusgrp.com<bret.wort...@damascusgrp.com>>>
>> wrote:
>>
>>     Agreed, but not always possible. I had a replica crash hard and it
>>     wasn't possible to remove it.
>>
>>     In other news:
>>
>>     [ipamaster2]# ipa-ca-install replica-info-ipamaster2.spx.**net.gpg
>>     A selfsign CA can not be added
>>
>>     Is there a way around this? How can I ensure that I can transfer the
>>     CA back to ipamaster after it's been erased & reinstalled?
>>
>>
>>     _
>>     _
>>     *Bret Wortman*
>>
>>
>>     http://damascusgrp.com/
>>     http://about.me/wortmanbret
>>
>>
>>     On Thu, Aug 29, 2013 at 9:21 AM, Simo Sorce <s...@redhat.com
>>     <mailto:s...@redhat.com>> wrote:
>>
>>         On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:
>>          > On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <s...@redhat.com
>>         <mailto:s...@redhat.com>> wrote:
>>          >         On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
>>          >         > Okay, I have a replica built and running. My
>> original,
>>          >         "sick" server
>>          >         > is ipamaster and the new one is ipamaster2. All
>>         I've done
>>          >         thus far on
>>          >         > ipamaster2 is run ipa-replica-install --setup-dns
>>          >         --no-forwarders
>>          >         > replica-info-ipamaster2.foo.**net.gpg.
>>          >         >
>>          >         >
>>          >         > What additional steps do I need to take to ensure
>>         that the
>>          >         process of
>>          >         > shutting down ipamaster, wiping it out, building it
>>         up fresh
>>          >         and then
>>          >         > replicating ipamaster2 back to ipamaster and making
>>          >         ipamaster again
>>          >         > the center of the universe and my certificate
>>         authority work
>>          >         > correctly, cleanly, and with minimal fuss? Given
>>         the mess I
>>          >         got our
>>          >         > servers already, I figured I should ask before I
>> start
>>          >         messing about
>>          >         > today.
>>          >         >
>>          >         >
>>          >         > I think the process should look something like this
>>         (I don't
>>          >         want you
>>          >         > all thinking I'm looking for someone to do all my
>>         thinking
>>          >         for me):
>>          >         >
>>          >         >
>>          >         > 1. Take snapshot of ipamaster (just in case)
>>          >         > 2. [ipamaster2]#
>>          >         >
>>          >         ipa-ca-install
>>         /var/lib/ipa/replica-info-**ipamaster2.foo.net.gpg (I
>>          >         > should've done this during the ipa-ca-install, but
>>         since the
>>          >         ca step
>>          >         > is so rare, I didn't have it in my wiki notes).
>>          >         > 3. [ipamaster]# reboot
>>          >         >
>>          >         >
>>          >         > This reboot will trigger a Cobbler & Puppet-based
>>         wipe of
>>          >         the system
>>          >         > and reinstallation of F18 and freeipa-server. While
>>         that's
>>          >         going on:
>>          >         >
>>          >         >
>>          >         > 4. [ipamaster2]# ipa-replica-prepare
>>         ipamaster.foo.net <http://ipamaster.foo.net>
>>
>>          >         1.2.3.4
>>          >
>>          >
>>          >         You need to use ipa-replica-manage to remove the
>> original
>>          >         ipamaster
>>          >         before you can prepare to add a new one.
>>          >
>>          >         After it is fully removed and replica file generated
>>         you need
>>          >         to restart
>>          >         at yleast 389ds on ipamaster2 this is due to the fact
>>         that DS
>>          >         does nto
>>          >         purge valid tickets, and it holds a ticket valid for
>>         the old
>>          >         ipamaster,
>>          >         however when you reinstall the new the name will match
>> so
>>          >         replication
>>          >         between ipamaster2 -> ipamaster may fail because
>>         ipamsater2
>>          >         has a wrong
>>          >         ticket (using old key you just nuked before the
>>         reinstall).
>>          >         >
>>          >
>>          >
>>          >
>>          > Got it. Glad I asked! I'll add these steps to my procedure.
>>          >
>>          >         > When ipamaster is back up:
>>          >         >
>>          >         >
>>          >         > 5. [ipamaster]# cd /var/lib/ipa && scp
>>          >
>>          >
>>          >         You can copy in /root
>>          >
>>          >
>>          > I usually do it in /var/lib/ipa I guess because that's where
>> the
>>          > server puts the file, so it makes it easy for me to remember
>>         that's
>>          > where it is. But point taken.
>>          >
>>          >         >
>>          >
>>           ipamaster2:/var/lib/ipa/**replica-info-ipamaster.foo.**net.gpg
>> .
>>          >         > 6. [ipamaster]# ipa-replica-install --setup-dns
>>          >         --no-forwarders
>>          >         > --setup-ca replica-info-ipamaster.foo.**net.gpg
>>          >         >
>>          >         >
>>          >         > Usually, there's some reason I need to go back to
>>         ipamaster2
>>          >         and
>>          >         > either delete a dns entry or ipa host-del the system.
>>          >
>>          >
>>          >         Uh ? Sound like this is going to screw up things, why
>>         should
>>          >         you delete
>>          >         DNS entries ?
>>          >         ipa host-del of a master is *certainly* going to break
>>          >         replication and
>>          >         basically everything. Is this what you did in your
>>         old setup ?
>>          >
>>          >
>>          > Only if ipa-replica-install said I needed to.
>>
>>         ok this means you previously uninstalled a replica directly on the
>>         machine but tdid not remove it from the domain, this is bad
>>         practice.
>>         you should use ipa-replica-manage before you retire a machine if
>>         possible, otherwise you leave dangling replication agreements, DNS
>>         names, ID ranges (this means you loose ID space), and keys.
>>
>>          >         >  After the replica install is done:
>>          >         >
>>          >         >
>>          >         > 7. Shut down and delete the ipamaster2 VM.
>>          >
>>          >
>>          >         Do not forget to ipa-replica-manage remove it first.
>>          >
>>          >
>>          > Awesome. This is why I asked.
>>          >
>>          >         > 8. Upgrade existing "replicas" to F18 and latest IPA
>>          >         version.
>>          >         > 9. Establish replication agreements with
>>         now-functioning
>>          >         ipamaster.
>>          >         >
>>          >         >
>>          >         > Does that sound right?
>>          >         >
>>          >         >
>>          >
>>          >         See above.
>>          >
>>          >         Simo.
>>          >
>>          >
>>          >         --
>>          >         Simo Sorce * Red Hat, Inc * New York
>>          >
>>          >
>>          >
>>
>>
>>         --
>>         Simo Sorce * Red Hat, Inc * New York
>>
>>
>>
>>
>>
>> ______________________________**_________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to