And thanks for the new instructions. However, right out of the gate:
$ ipa-csreplica-manage set-renewal-master
Usage: ipa-csreplica-manage [options]
ipa-csreplica-manage: error: must provide a command [force-sync |
disconnect | list | del | connect | re-initialize]
Are there any RHEL6 specific instructions I can follow to the promised land?
On Wed, May 20, 2015 at 8:30 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Sina Owolabi wrote:
>> Hi Rob
>> This is the only CA master. The one I cloned it from was
>> decommissioned, reinstalled and then made to be a replica of this
>> Looks like I'm really stuck. How do I export the data out so I can
>> reinstall from scratch, if possible? There are a lot of rules and
>> configuration data I'd really like to keep.
> So in this case you have no master managing the renewal.
> Take a look at
> starting at the step "Reconfigure a CA as the new master"
> Since at least one certificate has expired you'll need to go back in time to
> get this working. Be sure to restart IPA after going back to ensure that the
> CA is up.
> You'll eventually want to do the CRL changes as well.
>> On Wed, May 20, 2015, 2:32 PM Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>> Sina Owolabi wrote:
>> > Another key difference I noticed is that the problematic certs have
>> > CA:IPA in them, while the working certs have CA:
>> > dogtag-ipa-retrieve-agent-submit.
>> Ok, the full output is really helpful.
>> First an explanation of CA subsystem renewal.
>> CA clones are just that, exact clones of each other, which means they
>> use the same subsystem certificates for OCSP, audit, etc. This also
>> means that at renewal time they need to be renewed on only one master
>> and then somehow shared with the other clones.
>> The initially-installed CA is designated as the renewal master by
>> default. It configures certmonger to renew the CA subsystem
>> and put the new public cert into a shared area in IPA that will be
>> replicated to the other masters.
>> The non-renewal masters are configured with a special CA,
>> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
>> updated certificate and, when available, installs it.
>> So the issue is that it isn't seeing this updated certificate, hence
>> The CA_UNREACHABLE are due to the fact that the IPA RA agent
>> that IPA uses to talk to the CA expired on 04/29.
>> So the steps you need to take are:
>> 1. Check your other CA masters and see if they have been renewed
>> properly (getcert list will tell you, look for expiration in 2017).
>> 2. If they have, see if the data was pushed to LDAP
>> $ kinit admin
>> $ ldapsearch -Y GSSAPI -b
>> See if there are certificate entries there. Check on multiple masters to
>> see if there is a replication issue.
>> If the certs are there you can try restarting certmonger to kickstart
>> the request.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
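Step 1 in Rob's reply is to run getcert list on each CA master and look at the expiration dates. The shell script below is an added example, not code from this thread or from the FreeIPA project: it parses getcert list-style output and prints every tracking request whose certificate expires before a cutoff date, alongside the certmonger CA that handles the request, so an expired cert and the CA it is tracked with (the CA: IPA versus dogtag-ipa-retrieve-agent-submit difference noted earlier) appear on one line. The sample output embedded in the script is constructed to resemble getcert list; the realm EXAMPLE.TEST, request IDs and dates are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): scan `getcert list`
# output and flag tracked certificates that expire before a cutoff date.

# Constructed sample in the shape of `getcert list` output. Real getcert output
# indents the fields with tabs; the parser below accepts tabs or spaces.
SAMPLE_GETCERT_OUTPUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150429000001':
    status: CA_UNREACHABLE
    stuck: yes
    CA: IPA
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2015-04-29 10:15:42 UTC
Request ID '20150429000002':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-retrieve-agent-submit
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2015-05-10 08:00:00 UTC
Request ID '20150429000003':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-retrieve-agent-submit
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-05-20 08:00:00 UTC
EOF
)

# report_expiring [CUTOFF]: read getcert output on stdin and print one
# tab-separated line (request id, CA, expiry date, subject) for every request
# whose "expires:" date is before CUTOFF (YYYY-MM-DD, default: today).
# Dates are compared as strings, which is correct for the YYYY-MM-DD form
# that getcert prints.
report_expiring() {
    cutoff="${1:-$(date +%Y-%m-%d)}"
    awk -v cutoff="$cutoff" '
        # Emit the request collected so far if its expiry is before the cutoff.
        function flush() {
            if (id != "" && expires != "?" && expires < cutoff)
                printf "%s\t%s\t%s\t%s\n", id, ca, expires, subject
        }
        # A new "Request ID ..." line starts a record: flush the previous one.
        /^Request ID/ {
            flush()
            id = $3; gsub(/[^0-9]/, "", id)
            ca = "?"; expires = "?"; subject = "?"
            next
        }
        /^[ \t]*CA:/      { ca = $2 }
        /^[ \t]*expires:/ { expires = $2 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        END { flush() }
    '
}

# Stand-alone demo: which tracked certs had already expired on the thread's date?
printf '%s\n' "$SAMPLE_GETCERT_OUTPUT" | report_expiring 2015-05-20
```

On a real master, feed it the live output (`getcert list | report_expiring`) and run it on every CA master; a request that is flagged on one master but renewed to 2017 on another points at the replication or retrieval problem described in step 2.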