Apologies for the lengthy pause in getting back onto this. I ended up destroying the replica and reprovisioning from scratch, but the replica still lists as being CA-less.

Is what I'm seeing normal? Would this 2-node setup in this state survive failure of the master?


ON MASTER ipa.localdomain.local

#  ipa-replica-manage list

ipa2.localdomain.local: master
ipa.localdomain.local: master

# ipa-csreplica-manage list

>> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master


ON REPLICA ipa2.localdomain.local

# ipa-ca-install
Directory Manager (existing master) password:

>> CA is already installed.

ok ....

# ipa-ca-install -d

<snip loading/importing>

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG raw: config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw: ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
ipa : DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 204, in main
    install_master(safe_options, options)

  File "/usr/sbin/ipa-ca-install", line 191, in install_master
    ca.install_check(True, None, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 49, in install_check
    sys.exit("CA is already installed.\n")

ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is already installed.

>> CA is already installed.


- cal sawyer

On 09/03/16 16:13, Simo Sorce wrote:
On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:

Somehow I picked the wrong cookbook when I provisioned my first (and
only) replica and it lacks CA so, as pointed out in a recent thread,
creates a single point of failure.  Not ready to set up more 2 replicas
yet and am still in testing.  Is it possible to replicate the master's
CA to the replica without destroying and reprovisioning with --setup-ca
this time?

Use ipa-ca-install on the replica.

