Bret Wortman wrote:
What passpharase would this be encrypted with? If it's something I set a
year ago and never needed to know again, then we may be screwed. If it's
saved somewhere, where should I look?

It's the same passphrase you'd use to install a replica, the DM password.


*Bret Wortman*

On Thu, Aug 29, 2013 at 11:58 AM, Rob Crittenden <
<>> wrote:

    Bret Wortman wrote:

        On Thu, Aug 29, 2013 at 11:40 AM, Rob Crittenden
        < <>
        < <>>>__wrote:

             Bret Wortman wrote:

                 On Thu, Aug 29, 2013 at 11:10 AM, Rob Crittenden
                 < <>
        < <>>
        <> <
        <>>>> wrote:

                      Bret Wortman wrote:

                          A bit of googling has led me to understand
        that we must
                          created the
                          original server with --selfsign, and that
        locked us into
                          something bad
                          which is now causing us problems. I'm not sure
        how this
                          happened, since
                          we actually created our original instance on a
                 different server,
                          ipamaster as a replica of that one, then ran
                 ipa-ca-install on
                          to make it the new CA. How did it end up in
        this state?

                          Anyway, is there ANY way around this? Can I simply
                 ignore this,
                          the replication agreement as Simo suggested,
                          replicate ipamaster2 to the new ipamaster, and
                 somehow make
                          ipamaster be a CA using Dogtag? Will that
        screw up all
                 the clients?

                      I think we should pause and take a look at your

                      I'd check all your current masters, whether they
        are currently
                      working or not. Look at the value of ra_plugin in
                      /etc/ipa/default.conf. That controls what IPA
        thinks the CA is.

                 on ipamaster: ra_plugin=dogtag

                 and either that same value or the ra_plugin doesn't
        exist on the
                 replicas. On ipamaster2, the one I just installed,
        there is no
                 in the file.

                      Then check to see if you have dogtag running on
        any of these
                      systems. This will include a 2nd 389-ds instance,
                      /etc/dirsrv/slapd-PKI-IPA and, depending on your
        distro, a PKI
                      service like pki-tomcatd@pki-tomcat.______service.
        You can


                      see if /etc/pki/pki-tomcat exists.

                 ipamaster definitely has a /etc/dirsrv/slapd-PKI-IPA
        directory, with
                 files updated fairly recently (within the past 30 minutes -
                 lse.ldif and
                 lse.ldif.bak, others updated yesterday). I also have a
                 pki-tomcatd@.service file and a no

                 ipamaster2 only has /etc/dirsrv/slapd-FOO-NET. It does have
        and pki-tomcatd@.service. No

             Ok. When you created the replica file for ipamaster2, did
        you create
             it on ipamaster? Only a replica that is a CA can create a
             with a CA.

        Yes. So I'm not sure what went askew.

    Ok. I think we need to see what's in the prepared file. It is just a
    gpg-encrypted tarball. Can you do something like:

    gpg -d replica-info-pacer.greyoak.__com.gpg |tar xf -

    This will create a realm_info subdirectory. The file cacert.p12
    should be in there.


Freeipa-users mailing list

Reply via email to