Cal Sawyer wrote:
Apologies for the lengthy pause in getting back onto this. I ended up
destroying the replica and reprovisioning from scratch, but the replica
still lists as being CA-less.
Is what I'm seeing normal? Would this 2-node setup in this state
survive failure of the master?
It will until the certificates start expiring. You want at least 2 CAs
to avoid a single point of failure situation.
-----------------
ON MASTER ipa.localdomain.local
# ipa-replica-manage list
ipa2.localdomain.local: master
ipa.localdomain.local: master
# ipa-csreplica-manage list
>> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master
------------------
ON REPLICA ipa2.localdomain.local
# ipa-ca-install
Directory Manager (existing master) password:
>> CA is already installed.
ok ....
# ipa-ca-install -d
<snip loading/importing>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG raw:
config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False,
all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw:
ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG
ca_is_enabled(version=u'2.156')
ipa : DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 732, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 204, in main
install_master(safe_options, options)
File "/usr/sbin/ipa-ca-install", line 191, in install_master
ca.install_check(True, None, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
49, in install_check
sys.exit("CA is already installed.\n")
ipa : DEBUG The ipa-ca-install command failed, exception:
SystemExit: CA is already installed.
>> CA is already installed.
It detects whether a CA is installed by the existence of something like
/var/lib/pki-tomcat/ca. You can use pkidestroy to remove any remnants
that might be left over from some previous failed install.
Or it could be that something wasn't updated properly in LDAP and there
actually is a working CA. You might try manually starting the CA to see
if it comes up, and/or run ipa-csreplica-manage to see if there are any
working agreements.
rob
thanks
- cal sawyer
On 09/03/16 16:13, Simo Sorce wrote:
On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
Hi
Somehow I picked the wrong cookbook when I provisioned my first (and
only) replica and it lacks a CA and so, as pointed out in a recent thread,
creates a single point of failure. Not ready to set up 2 more replicas
yet and am still in testing. Is it possible to replicate the master's
CA to the replica without destroying and reprovisioning with --setup-ca
this time?
Use ipa-ca-install on the replica.
Simo.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
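The three checks Rob suggests (does the Dogtag instance directory exist, does the CA service actually come up, does ipa-csreplica-manage list this host as a CA master) distinguish a leftover from a failed install from a working CA that LDAP simply does not know about. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the default instance directory /var/lib/pki-tomcat/ca, the systemd unit name pki-tomcatd@pki-tomcat.service and the pkidestroy invocation `pkidestroy -s CA -i pki-tomcat`; verify all three against your own installed version before acting on its advice. The decision logic takes its inputs as arguments so it can be exercised offline with the same output lines shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): classify a replica's CA state
# from the three observations discussed above and suggest the next step.
#
# ca_state DIR_EXISTS SERVICE_ACTIVE CSREPLICA_LINE
#   DIR_EXISTS     "yes"/"no": does /var/lib/pki-tomcat/ca exist? (assumed default path)
#   SERVICE_ACTIVE "yes"/"no": is the CA service running?
#   CSREPLICA_LINE this host's line from `ipa-csreplica-manage list`, e.g.
#                  "ipa2.localdomain.local: CA not configured"
# Prints one of: no-ca, stale-remnants, ca-running-but-not-in-ldap, working-ca, inconsistent
ca_state() {
    dir_exists="$1"
    service_active="$2"
    csreplica_line="$3"

    # The list output has the form "<host>: master" or "<host>: CA not configured".
    case "$csreplica_line" in
        *": master")            listed_as_ca=yes ;;
        *"CA not configured"*)  listed_as_ca=no ;;
        *)                      listed_as_ca=unknown ;;
    esac

    if [ "$dir_exists" = no ]; then
        # Nothing on disk; ipa-ca-install's "already installed" check should not fire.
        if [ "$listed_as_ca" = yes ]; then echo inconsistent; else echo no-ca; fi
    elif [ "$service_active" = yes ] && [ "$listed_as_ca" = yes ]; then
        echo working-ca
    elif [ "$service_active" = yes ]; then
        # Rob's second case: the CA starts fine but LDAP was never updated.
        echo ca-running-but-not-in-ldap
    else
        # Rob's first case: instance directory present, service does not come up.
        echo stale-remnants
    fi
}

# advice STATE: the follow-up action for each state (commands are assumptions, check your version).
advice() {
    case "$1" in
        no-ca)                      echo "run ipa-ca-install on the replica" ;;
        stale-remnants)             echo "pkidestroy -s CA -i pki-tomcat, then ipa-ca-install" ;;
        ca-running-but-not-in-ldap) echo "CA is up; inspect ipa-csreplica-manage agreements before reinstalling" ;;
        working-ca)                 echo "nothing to do" ;;
        *)                          echo "manual inspection required" ;;
    esac
}

# probe_replica: gather the live inputs on a replica (needs root and the DM password
# for ipa-csreplica-manage). Not run during offline testing.
probe_replica() {
    host="$(hostname -f)"
    if [ -d /var/lib/pki-tomcat/ca ]; then dir=yes; else dir=no; fi
    if systemctl is-active --quiet pki-tomcatd@pki-tomcat.service; then svc=yes; else svc=no; fi
    line="$(ipa-csreplica-manage list 2>/dev/null | grep "^$host:")"
    state="$(ca_state "$dir" "$svc" "$line")"
    echo "$host: $state -> $(advice "$state")"
}

# Constructed inputs matching the thread's situation: directory present after the
# failed "CA is already installed" run, service down, not listed as a CA master.
demo() {
    ca_state yes no "ipa2.localdomain.local: CA not configured"
}

case "${1:-}" in
    probe) probe_replica ;;
    *)     demo ;;
esac
```

Run it as `sh ca-state.sh probe` on the replica to evaluate the live host; with no argument it evaluates the constructed inputs from the thread and prints `stale-remnants`, which is the case where pkidestroy followed by a fresh ipa-ca-install is the suggested path.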