On 01/13/2015 10:38 AM, Brian Topping wrote:
> On Jan 13, 2015, at 1:56 PM, Brian Topping <brian.topp...@gmail.com> wrote:
>>
>> Hi folks, really pleased with the latest versions of FreeIPA. Very robust, 
>> quite impressive!

Good to hear! :-)

>>
>> In the process of setting it up, I ended up having to move servers a couple 
>> of times. The original server is gone, just replicas that installed cleanly 
>> with each other. 

Hmm, I hoped that after FreeIPA 3.2
(https://fedorahosted.org/freeipa/ticket/2879), FreeIPA should warn before
removing the last DNS/CA from the realm. It may indeed be a bug.

The point is that it is hard to recover when there is no master with PKI
configured and no backup to use, as some information is only on the PKI masters,
like the CA private key or other subsystem cert private keys.

> Ok, I think I have this sorted -- somewhat.
> 
> After pawing through the Tomcat configuration for Dogtag, I traced back to 
> the pki-tomcatd@pki-tomcat.service not running. Once that started, the 
> relevant information was available to the UI. There are a sufficient number 
> of certificates that I think everything is in order. Whew.

Sounds promising.

> What I realize now is the certificate CRL points to the server that no longer 
> exists and I'd like to get that cleaned up. I found 
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, is 
> that relevant for my situation?

Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan, is
that correct? If yes, the page deserves a warning/update.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
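A check for the situation described in this thread, added here as an example and not part of the original exchange: it parses `openssl x509 -noout -text` output for CRL Distribution Point URIs, flags any whose host is not a master still in the realm, and tests whether a CRL's nextUpdate (as printed by `openssl crl -noout -nextupdate`) has already passed. The certificate text and hostnames are constructed placeholders, not values from the thread.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -noout -text` output (trimmed) for a cert
# whose CRL distribution point still names a retired master; hostnames are
# placeholders, not values from the thread.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Subject: O=EXAMPLE.TEST, CN=replica1.example.test
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://oldmaster.example.test/ipa/crl/MasterCRL.bin
            Authority Information Access:
                OCSP - URI:http://replica1.example.test/ca/ocsp
"""

def crl_dp_uris(x509_text):
    """Collect URI: entries nested under the CRL Distribution Points extension."""
    uris, in_ext, ext_indent = [], False, 0
    for line in x509_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("X509v3 CRL Distribution Points:"):
            in_ext, ext_indent = True, indent
            continue
        if in_ext and indent <= ext_indent:   # next extension header reached
            in_ext = False
        if in_ext and stripped.startswith("URI:"):
            uris.append(stripped[len("URI:"):])
    return uris

def stale_crl_dps(x509_text, live_masters):
    """Return CRL DP URIs whose host is not one of the masters still in the realm."""
    live = {h.lower() for h in live_masters}
    return [u for u in crl_dp_uris(x509_text)
            if (urlsplit(u).hostname or "").lower() not in live]

def crl_is_current(next_update_line, now):
    """True if the CRL's nextUpdate (from `openssl crl -nextupdate`) is still ahead of now."""
    stamp = next_update_line.split("=", 1)[1].strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT") > now
```

A non-empty result from `stale_crl_dps` means clients will try to fetch the CRL from a host that no longer answers, so revocation checking silently degrades until the CRL master is promoted and certificates are reissued.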
