Re: [Freeipa-users] Replica without CA: implications?

Thu, 02 Jun 2016 07:24:23 -0700

Apologies for the lengthy pause in getting back onto this. I ended up destroying the replica and reprovisioning frmm scratch, but the replica still lists as being CA-less.
Is what i'm seeing normal? Would this 2-node setup in this state survive failure of the master? 


-----------------

ON MASTER ipa.localdomain.local

#  ipa-replica-manage list

ipa2.localdomain.local: master
ipa.localdomain.local: master

# ipa-csreplica-manage list

>> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master


------------------

ON REPLICA ipa2.localdomain.local

# ipa-ca-install
Directory Manager (existing master) password:

>> CA is already installed.

ok ....

# ipa-ca-install -d

<snip loading/importing>


ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection 
context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG    raw: 
config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, 
all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for 
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    raw: 
ca_is_enabled(version=u'2.156')

ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')

ipa         : DEBUG      File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 732, in run_script

    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 204, in main
    install_master(safe_options, options)

  File "/usr/sbin/ipa-ca-install", line 191, in install_master
    ca.install_check(True, None, options)


  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 
49, in install_check

    sys.exit("CA is already installed.\n")


ipa         : DEBUG    The ipa-ca-install command failed, exception: 
SystemExit: CA is already installed.


>> CA is already installed.




thanks

- cal sawyer



On 09/03/16 16:13, Simo Sorce wrote:

On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:

Hi

Somehow i picked the wrong cookbook when i provisioned my first (and
only) replica and it lacks CA aso, as pointed out in a recent thread,
creates a single point of failure.  Not ready to set up more 2 replicas
yet and am still in testing.  Is it possible to replicate the master's
CA to the replica without destroying and reprovisioning with --setup-ca
this time?

Use ipa-ca-install on the replica.

Simo.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project






















					Reply via email to