I have migrated some FreeIPA servers from 3.0.0-51 to 4.4.0-14 by adding new 
replicas. There were a lot of issues, and I'm strugglig a bit with a 
configuration management system set up by a central IT department, which 
overrides files like sssd.conf, and I have to make exceptions to the policy. I 
hope someone could take the time to help me with this anyway.

I was able to join both new RHEL 7 machines, and remove one of the old RHEL 6 
machines, but then I couldn't remove the last one, and couldn't install the CA 
on any of the new masters. I (perhaps stupidly) removed the old server using 
ldapdelete, based on this thread: 
https://www.redhat.com/archives/freeipa-users/2012-June/msg00382.html. I 
thought that if I could get rid of the old stuff, I may be able to successfully 
promote one of the new servers to CA master. The command to install the CA 
almost completed successfully on the first master, but stopped on one of the 
last steps.

Now I get:
# ipa-ca-install
CA is already installed on this host.

It is clear that the CA is not installed. I get errors in 
/var/log/httpd/error_log for hosts requesting certs, and getting NotFound.
ipa: INFO: [xmlserver] host/xxxxx@DOMAIN: cert_request(u'MIIDnzCCaoc.......

I then removed and uninstalled the other master, which did not have a CA, 
thinking it could get going with a reinstall. However, the installation fails

ipa     : ERROR      Cannot issue certificates: a CA is not installed. Use the 
--http-cert-file, --dirsrv-cert-file options to provide custom certificates.

(there may be some typos in the error messages, since I'm copying from an 
air-gapped network)

Is there any way I can manually resurrect the CA? I have the files left over on 
the original (version 3) master, but did do an uninstall. If that's not 
possible, is there any way to migrate the users to a new domain with exactly 
the same name (this would be less convenient, if it's actually possible, since 
I have to re-enroll all the clients).

Marius Bjørnstad

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to