On Wed, May 04, 2016 at 08:45:19PM +0800, barry...@gmail.com wrote:
> Hi all:
>
> I got master 1 has the CA and server 2 replicating. Now master 1
> failed, all lost.
>
> Can I skip it and just make server 3 a replicated slave, or must
> I recover master 1?

I take it `Server 2' was installed without the CA?

If this is the case, and if you cannot recover the first master with the CA instance, then as long as you still have the replica info file with which the replica(s) were created, then you have the bits to recover the CA - but it will be quite an involved process.
I have never performed this recovery so there is no documentation, but off the top of my head the steps would be (at a high level; no detail yet):

1. Make some manual changes to make FreeIPA think it is CA-less.
2. Extract the CA signing key from the replica info file.
3. Run ipa-ca-install to install the CA on one of the IPA servers, with external CA. This will generate a new private key and CSR to send to the external CA.
4. Replace the new private key generated for the CSR with the private key from the replica info file.
5. Continue the ipa-ca-install with the CA signing certificate from the replica info file.
6. Manually adjust serial number ranges to ensure the new CA instance does not issue certs with serial numbers that collide with certs issued by the original CA instance. (This might have to be hacked into the ipa-ca-install process.)
7? Depending on whether your CA is self-signed, you might need to tell certmonger to track the CA signing certificate.
8! Install a CA replica on another IPA server, so you don't have to do it all again if you lose the CA host in future :)

If you want to embark on this adventure, and get stuck (I know my instructions were not detailed...), let me know. I will try and find spare minutes to learn the details and document the process.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
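The following is an added example, not code from the thread or from the FreeIPA project, covering the part of Fraser's outline that can be checked offline: pulling the key material out of the PKCS#12 inside a replica info file (step 2) and confirming that the recovered private key really belongs to the CA signing certificate before it is swapped in for the key ipa-ca-install generated (step 4). The file name `cacert.p12`, the nickname `caSigningCert cert-pki-ca`, and the assumption that the replica file is a gpg symmetrically-encrypted tarball protected with the Directory Manager password are from my own recollection of the FreeIPA versions that shipped replica info files, not from this thread; check them against your own replica file. The toy CA it builds is constructed sample input so the script runs without any IPA installation.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA). Helpers for steps 2 and 4
# of the recovery outline above: extract the keys and certs from cacert.p12 and
# verify the recovered private key matches the CA signing certificate.
set -eu

# Decrypt a replica info file into the current directory. Assumption: the file
# is a gpg symmetrically-encrypted tarball; gpg will prompt for the passphrase
# (the Directory Manager password when the file was prepared). Not run in the
# demo below because it needs a real replica file.
unpack_replica_file() {   # unpack_replica_file replica-info-HOST.gpg
  gpg --batch --decrypt "$1" | tar xf -
}

# Dump every private key and every certificate in a PKCS#12 file into
# OUTDIR/keys.pem and OUTDIR/certs.pem. The keys land on disk unencrypted:
# keep OUTDIR on tmpfs and shred it when done.
extract_p12() {   # extract_p12 FILE.p12 PASSWORD OUTDIR
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/keys.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/certs.pem"
}

# Succeed (exit 0) only when the first key in KEY.pem and the first cert in
# CERT.pem carry the same SubjectPublicKeyInfo, i.e. the key signs for that cert.
key_matches_cert() {   # key_matches_cert KEY.pem CERT.pem
  key_pub=$(openssl pkey -in "$1" -pubout)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout)
  [ "$key_pub" = "$cert_pub" ]
}

# Constructed sample input: a throw-away self-signed "CA" packed into a PKCS#12
# the way cacert.p12 is, plus an unrelated key, so the checks run offline.
make_toy_p12() {   # make_toy_p12 OUTDIR PASSWORD
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy IPA CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/ca.crt" -inkey "$1/ca.key" \
    -name "caSigningCert cert-pki-ca" -passout "pass:$2" -out "$1/cacert.p12"
  openssl genrsa -out "$1/unrelated.key" 2048 2>/dev/null
}

# Demo: on a real recovery, replace make_toy_p12 with unpack_replica_file and
# point extract_p12 at the cacert.p12 that came out of the replica file.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_toy_p12 "$work" secret
extract_p12 "$work/cacert.p12" secret "$work"
if key_matches_cert "$work/keys.pem" "$work/certs.pem"; then
  echo "recovered key matches the CA signing certificate: safe to swap in"
fi
if ! key_matches_cert "$work/unrelated.key" "$work/certs.pem"; then
  echo "unrelated key rejected, as expected"
fi
```

One caveat for a real cacert.p12: if it holds more than one key (subsystem certs alongside the signing cert), `keys.pem` will contain several PEM blocks and `key_matches_cert` only looks at the first, so split the file on the `friendlyName` bag attribute and run the check against the `caSigningCert cert-pki-ca` entry specifically. Run the match before touching the ipa-ca-install-generated key; a key that does not match the signing certificate would give you a CA that cannot validate anything it issued before the crash.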