Cal Sawyer wrote:
Apologies for the lengthy pause in getting back onto this.  I ended up
destroying the replica and reprovisioning from scratch, but the replica
still lists as being CA-less.

Is what i'm seeing normal?  Would this 2-node setup in this state
survive failure of the master?

It will until the certificates start expiring. You want at least 2 CAs to avoid a single point of failure situation.


ON MASTER ipa.localdomain.local

#  ipa-replica-manage list

ipa2.localdomain.local: master
ipa.localdomain.local: master

# ipa-csreplica-manage list

 >> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master


ON REPLICA ipa2.localdomain.local

# ipa-ca-install
Directory Manager (existing master) password:

 >> CA is already installed.

ok ....

# ipa-ca-install -d

<snip loading/importing>

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection
ipa.ipalib.plugins.config.config_show: DEBUG    raw:
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False,
all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    raw:
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG
ipa         : DEBUG      File
line 732, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-ca-install", line 204, in main
     install_master(safe_options, options)

   File "/usr/sbin/ipa-ca-install", line 191, in install_master
     ca.install_check(True, None, options)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/", line
49, in install_check
     sys.exit("CA is already installed.\n")

ipa         : DEBUG    The ipa-ca-install command failed, exception:
SystemExit: CA is already installed.

 >> CA is already installed.

It detects whether a CA is installed by the existence of something like /var/lib/pki-tomcat/ca. You can use pkidestroy to remove any remnants that might be left over from some previous failed install.

Or it could be that something wasn't updated properly in LDAP and there actually is a working CA. You might try manually starting the CA to see if it comes up, and/or run ipa-csreplica-manage to see if there are any working agreements.



- cal sawyer

On 09/03/16 16:13, Simo Sorce wrote:
On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:

Somehow i picked the wrong cookbook when i provisioned my first (and
only) replica and it lacks CA also, as pointed out in a recent thread,
creates a single point of failure.  Not ready to set up 2 more replicas
yet and am still in testing.  Is it possible to replicate the master's
CA to the replica without destroying and reprovisioning with --setup-ca
this time?
Use ipa-ca-install on the replica.


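The two checks suggested in the reply above (the on-disk CA instance directory that makes ipa-ca-install say "CA is already installed.", and the agreements that `ipa-csreplica-manage list` reports) can be turned into a small triage script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the Dogtag instance directory is /var/lib/pki-tomcat/ca, that the CA service is `pki-tomcatd@pki-tomcat`, and that the cleanup invocation is `pkidestroy -s CA -i pki-tomcat`; the sample listing is constructed from the output quoted in the thread, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): triage a replica's
# CA state from the two signals discussed in the reply:
#   1. ipa-ca-install refuses with "CA is already installed." when the Dogtag
#      instance directory exists (assumed: /var/lib/pki-tomcat/ca).
#   2. `ipa-csreplica-manage list` shows which masters hold CA agreements
#      ("master") versus "CA not configured".

# Assumed Dogtag CA instance directory that ipa-ca-install looks for.
PKI_CA_DIR="${PKI_CA_DIR:-/var/lib/pki-tomcat/ca}"

# Constructed sample of `ipa-csreplica-manage list`, as quoted in the thread.
SAMPLE_CS_LIST='ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master'

# ca_dir_state DIR: "present" if the CA instance directory exists, else "absent".
ca_dir_state() {
  [ -d "$1" ] && echo present || echo absent
}

# count_ca_masters LISTING: number of hosts in the listing that hold a CA.
count_ca_masters() {
  printf '%s\n' "$1" | awk '/: master$/ { n++ } END { print n + 0 }'
}

# host_ca_status LISTING HOST: "master", "missing" (CA not configured) or "unknown".
host_ca_status() {
  printf '%s\n' "$1" | awk -v h="$2" '
    index($0, h ": ") == 1 && /: master$/         { print "master";  found = 1 }
    index($0, h ": ") == 1 && /CA not configured/ { print "missing"; found = 1 }
    END { if (!found) print "unknown" }'
}

# ca_triage DIR_STATE HOST_STATUS: next step on the replica, combining the
# local directory check with what the topology says about this host.
ca_triage() {
  case "$1/$2" in
    absent/missing)  echo "no-ca: run ipa-ca-install" ;;
    present/master)  echo "ca-ok: CA installed and replicating" ;;
    present/missing) echo "remnant-or-stale-ldap: try 'systemctl start pki-tomcatd@pki-tomcat' (assumed unit name); if it will not come up, 'pkidestroy -s CA -i pki-tomcat' (assumed invocation), then ipa-ca-install" ;;
    *)               echo "inconsistent: CA directory $1, topology says $2" ;;
  esac
}

# spof_warning MASTER_COUNT: the reply's rule of thumb, at least two CAs.
spof_warning() {
  if [ "$1" -lt 2 ]; then
    echo "single point of failure: only $1 CA master(s); want at least 2"
  else
    echo "ok: $1 CA masters"
  fi
}

main() {
  listing="${1:-$SAMPLE_CS_LIST}"
  host="${2:-ipa2.localdomain.local}"
  dir_state=$(ca_dir_state "$PKI_CA_DIR")
  status=$(host_ca_status "$listing" "$host")
  echo "$host: CA directory $dir_state, topology says $status"
  ca_triage "$dir_state" "$status"
  spof_warning "$(count_ca_masters "$listing")"
}

# Runs against the constructed sample when executed with no arguments. On a
# real replica, feed it the live listing and hostname:
#   sh ca_triage.sh "$(ipa-csreplica-manage list)" "$(hostname -f)"
main "$@"
```

The "present/missing" branch is the situation in the thread: the directory check trips ipa-ca-install, while the topology still says the host has no CA, so the next question is whether a working CA is actually there (start it and check agreements) or only remnants (clean up and reinstall).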
Manage your subscription for the Freeipa-users mailing list: