Hi all,

I’ve been struggling the last few days with rebuilding part of my FreeIPA 
infrastructure, which has led me to some questions about how some of the IPA 
infrastructure works.  To give a bit of background, I have two IPA servers (my 
initially installed IPA server, and a replica) both of which have DNS, NTP, and 
CA roles.  I’m running CentOS 7.3, FreeIPA 4.4 currently (upgraded from the 
original CentOS 7 installations, which I believe were FreeIPA 4.1? initially).  I 
have several remote sites that each have two IPA server replicas that have 
replication topology segments for domain and ca suffixes back to the two 
on-prem IPA servers.  This has been working quite well for over a year now, 
through the upgrades, etc.  Occasionally I get an issue with getting some 
conflicting records in LDAP, which I’ve cleared up by following some of the 
documentation out there.  It seems when this happens however, I end up getting 
into a situation where replication stops working, and I end up needing to 
“refresh” the installations. I have done this once so far, and am in the 
process again currently, by deleting each remote IPA server (ipa server-del), 
then re-installing each server to get a clean copy of the databases for 
everything.  Last time I had no issues doing this.  This time around, I’m 
running into some issues with the CA setup.  I seem to be able to run 
ipa-replica-install just fine without the --setup-ca option.  I may be running 
into some issues identified in an earlier post this week, so I’ll ask about 
this issue separately if I continue to have problems.  In working through these 
issues, I realized I don’t really know enough about how the interaction between 
the IPA clients and IPA server is working, with regard to the PKI 
infrastructure.  I have some questions on what server roles I need at each site 
and how the PKI infrastructure works within the IPA environment, and how the 
clients communicate to it:

1) How do the IPA clients discover servers with the CA role and use them?

2) Is all this interaction done through APIs on the IPA server – in other 
words, are these requests fielded by the IPA server and proxied somehow to 
known servers with the CA role?

3) Do the clients need “direct” access to a server with the CA role to 
request and obtain certificates and renewals? (i.e. do I need each IPA server 
to have the CA role)?

4) Is it sufficient to just have one server with CA role at each site?  Or 
even just one at the main on-prem site?

Kendal Montgomery
DevOps Engineer / Lab Manager
Empowering collective insights
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
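An added example, not from the original post and not FreeIPA project code, for the rebuild procedure described above: before running `ipa server-del` on one replica, feed the output of `ipa topologysegment-find domain` and `ipa topologysegment-find ca` (available on the topology plugin in FreeIPA 4.3 and later, so on the 4.4 servers mentioned) to a check that the remaining graph for each suffix stays connected and that at least one CA master survives. The ca suffix is only replicated between servers holding the CA role, so its node set is also the list of CA masters. All hostnames and the find output below are constructed; the output builder only imitates the CLI's entry layout and is not captured from a real server.

```python
"""Added example (not from the original post or the FreeIPA project).

Check, before `ipa server-del <fqdn>`, that each replication suffix stays
connected without that server and that a CA master survives. Input is the
text `ipa topologysegment-find domain` / `... ca` print; the sample data
below is constructed with made-up hostnames.
"""
from collections import deque


def parse_segments(output):
    """Turn topologysegment-find output into a list of (left, right) pairs.

    Only the "Left node:" / "Right node:" lines matter. Direction is dropped:
    every segment is treated as a two-way link (the "Connectivity: both"
    case), so a one-way segment is counted more generously than it deserves.
    """
    segments, left = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Left node:"):
            left = line.split(":", 1)[1].strip()
        elif line.startswith("Right node:") and left:
            segments.append((left, line.split(":", 1)[1].strip()))
            left = None
    return segments


def nodes(segments):
    """Every server named in at least one segment."""
    return {n for seg in segments for n in seg}


def components_after_removal(segments, removed):
    """Connected components left once `removed` and its segments are gone.
    More than one component means the suffix would be partitioned; a server
    with no surviving segment shows up as a component of its own."""
    adj = {n: set() for n in nodes(segments) if n != removed}
    for a, b in segments:
        if removed not in (a, b):
            adj[a].add(b)
            adj[b].add(a)
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n not in comp:
                comp.add(n)
                queue.extend(adj[n] - comp)
        seen |= comp
        components.append(sorted(comp))
    return components


def check_removal(domain_output, ca_output, server):
    """Report what removing `server` does to the domain and ca suffixes.
    The ca suffix only spans CA-role servers, so its nodes are the CA masters.
    Caveat: a single CA master has no ca segments, so it is invisible here."""
    domain_segs, ca_segs = parse_segments(domain_output), parse_segments(ca_output)
    report = {
        "domain_components": components_after_removal(domain_segs, server),
        "ca_components": components_after_removal(ca_segs, server),
        "ca_masters_remaining": sorted(nodes(ca_segs) - {server}),
    }
    report["safe"] = (len(report["domain_components"]) <= 1
                      and len(report["ca_components"]) <= 1
                      and bool(report["ca_masters_remaining"]))
    return report


def constructed_find_output(pairs):
    """Constructed stand-in for `ipa topologysegment-find` output (not captured
    from a real server; it only imitates the CLI's banner/entry layout)."""
    body = "".join(f"  Segment name: {a}-to-{b}\n  Left node: {a}\n"
                   f"  Right node: {b}\n  Connectivity: both\n\n" for a, b in pairs)
    return (f"{'-' * 18}\n{len(pairs)} segments matched\n{'-' * 18}\n{body}"
            f"{'-' * 28}\nNumber of entries returned {len(pairs)}\n{'-' * 28}\n")


ONPREM1, ONPREM2 = "onprem1.example.test", "onprem2.example.test"
SITE1A, SITE1B = "site1a.example.test", "site1b.example.test"

# Constructed topology in the spirit of the post: two on-prem CA masters and
# one remote site with two CA replicas, each linked back to one on-prem server.
DOMAIN_OUTPUT = constructed_find_output(
    [(ONPREM1, ONPREM2), (ONPREM1, SITE1A), (ONPREM2, SITE1B), (SITE1A, SITE1B)])
CA_OUTPUT = constructed_find_output(
    [(ONPREM1, ONPREM2), (ONPREM1, SITE1A), (ONPREM2, SITE1B)])

if __name__ == "__main__":
    # Removing site1a is safe; removing onprem1 strands site1a on the ca suffix
    # even though the domain suffix still reaches it through site1b.
    for victim in (SITE1A, ONPREM1):
        print(victim, check_removal(DOMAIN_OUTPUT, CA_OUTPUT, victim))
```

On a real deployment, save `ipa topologysegment-find domain` and `ipa topologysegment-find ca` to files on a server you are keeping and pass their contents to `check_removal`. The constructed run shows the case that bites in a hub-and-spoke layout: deleting an on-prem server can leave the domain suffix connected while a remote CA replica loses its only ca-suffix segment, which is worth checking before any `server-del` that is meant to be followed by a clean `ipa-replica-install --setup-ca`.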