Bret Wortman wrote:
On Thu, Aug 29, 2013 at 11:10 AM, Rob Crittenden <
<>> wrote:

    Bret Wortman wrote:

        A bit of googling has led me to understand that we must have
        created the
        original server with --selfsign, and that locked us into
        something bad
        which is now causing us problems. I'm not sure how this
        happened, since
        we actually created our original instance on a different server,
        ipamaster as a replica of that one, then ran ipa-ca-install on
        to make it the new CA. How did it end up in this state?

        Anyway, is there ANY way around this? Can I simply ignore this,
        the replication agreement as Simo suggested, rebuild ipamaster,
        replicate ipamaster2 to the new ipamaster, and then somehow make
        ipamaster be a CA using Dogtag? Will that screw up all the clients?

    I think we should pause and take a look at your installation.

    I'd check all your current masters, whether they are currently
    working or not. Look at the value of ra_plugin in
    /etc/ipa/default.conf. That controls what IPA thinks the CA is.

on ipamaster: ra_plugin=dogtag

and either that same value or the ra_plugin doesn't exist on the
replicas. On ipamaster2, the one I just installed, there is no ra_plugin
in the file.

    Then check to see if you have dogtag running on any of these
    systems. This will include a 2nd 389-ds instance,
    /etc/dirsrv/slapd-PKI-IPA and, depending on your distro, a PKI
    service like pki-tomcatd@pki-tomcat.__service. You can optionally
    see if /etc/pki/pki-tomcat exists.

ipamaster definitely has a /etc/dirsrv/slapd-PKI-IPA directory, with
files updated fairly recently (within the past 30 minutes - lse.ldif and
lse.ldif.bak, others updated yesterday). I also have a
pki-tomcatd@.service file and a no /etc/pki/pki-tomcat.

ipamaster2 only has /etc/dirsrv/slapd-FOO-NET. It does have and pki-tomcatd@.service. No /etc/pki/pki-tomcat.

Ok. When you created the replica file for ipamaster2, did you create it on ipamaster? Only a replica that is a CA can create a replica with a CA.

If you generated the replica file on another master, I *think* what you can safely do is this:

- prepare a replica on ipamaster for ipamaster2 and copy the file there
- on ipamaster2 run ipa-ca-install against the updated replica file


Freeipa-users mailing list

Reply via email to