Thanks for that Martin.

The man page for ipa-ca-install suggests I could pass in my replica file to
create a "CA-less" configuration. Is this what I want, or is a CA-full
appropriate? All I want to achieve is the additional resilience provided by
a replica which can both authorise and sign certificates in the event of a
loss of the master server. I certainly don't want an entirely separate CA
to be installed - my anticipation is that my replica will be able to become
an intermediate authority - is that the intended arrangement for a replica?

Finally, do you hold out much hope that ipa-ca-install will work any better
than the --setup-ca flag I was attempting to get working for the replica
install? If it's the same code I would probably just end up with a half
configured CA and have to rebuild my replica - something I would like to
avoid repeating after the last couple of days!

On Thu, May 18, 2017 at 1:28 PM Martin Bašti <mba...@redhat.com> wrote:

> ipa-ca-install will install on top of FreeIPA CA-less replica, nothing
> else, you really don't want to do it manually.
>
> On 18.05.2017 14:12, Callum Guy wrote:
>
> Thanks Martin, really appreciate the additional information.
>
> Are you aware of a separate guide for installing DogTag/PKI on top of
> FreeIPA - basically I am happy to install separately if it doesn't
> compromise the FreeIPA server configuration. I'm not clear on whether this
> is possible without a major time investment.
>
> On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com> wrote:
>
>>
>> Please note that commits in #6766 will not fix this issue, the issue is
>> on dogtag side, please see https://pagure.io/dogtagpki/issue/2646
>> Sorry for troubles
>>
>>
>> On 18.05.2017 12:19, Callum Guy wrote:
>>
>> Haha, looks like I'm going CA-less for a while on the replica. I don't
>> see any immediate requirement for one so time to get on with my life!
>>
>> I'll post back if anything changes but I'm probably stuck waiting for the
>> upgrade too..
>>
>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com>
>> wrote:
>>
>>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>>> off for a couple of weeks :)
>>>
>>> ------
>>> "Mission Statement: To provide hope and inspiration for collective
>>> action, to build collective power, to achieve collective transformation,
>>> rooted in grief and rage but pointed towards vision and dreams."
>>>
>>>  - Patrice Cullors, *Black Lives Matter founder*
>>>
>>> On 18 May 2017 at 19:53, Callum Guy <callum....@x-on.co.uk> wrote:
>>>
>>>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's
>>>> not just me!
>>>>
>>>> As mentioned above I have it running without the CA so that's a good
>>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>>>> CentOS. I'm not expecting that to happen quickly so will have to work with
>>>> what we have for now.
>>>>
>>>> Do you happen to know if there is any way to build the CA component
>>>> separately?
>>>>
>>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
>>>> wrote:
>>>>
>>>>> https://pagure.io/freeipa/issue/6766
>>>>>
>>>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>>>
>>>>> On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
>>>>>
>>>>>> We are seeing this. I'm not at work, but I think it's bug report
>>>>>> 6766.
>>>>>>
>>>>>> Patch has already been committed (not by us), we're waiting for IPA
>>>>>> 4.5.
>>>>>>
>>>>>> cheers
>>>>>> L.
>>>>>>
>>>>>> On 18 May 2017 at 18:57, Callum Guy <callum....@x-on.co.uk> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am currently stuck trying to set up the first replica of our master
>>>>>>> IPA server. I have tried a number of different approaches including
>>>>>>> escalating from a client and nothing is working for me. I perform a
>>>>>>> full OS reset each time I get stuck.
>>>>>>>
>>>>>>> I'm running CentOS 7.2 with FreeIPA 4.4.0 (rpm -q reports this
>>>>>>> version, however I have performed ipa-server-upgrade - does this mean
>>>>>>> I'm on 4.4.4?).
>>>>>>>
>>>>>>> The command is shown below - note that I am skipping the conn check
>>>>>>> as my platform's security settings do not allow the SSH session to be
>>>>>>> established back on the master; all ports should be available to the
>>>>>>> application, however.
>>>>>>>
>>>>>>> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101
>>>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>>>>>
>>>>>>> Directory Manager (existing master) password:
>>>>>>>
>>>>>>> ipa         : ERROR    Could not resolve hostname ipa2.SITE.net
>>>>>>> usis check queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>> Continue? [no]: yes
>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>   [1/4]: stopping ntpd
>>>>>>>   [2/4]: writing configuration
>>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>>   [4/4]: starting ntpd
>>>>>>> Done configuring NTP daemon (ntpd).
>>>>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>>>>   [1/42]: creating directory server user
>>>>>>>   [2/42]: creating directory server instance
>>>>>>>   [3/42]: updating configuration in dse.ldif
>>>>>>>   [4/42]: restarting directory server
>>>>>>>   [5/42]: adding default schema
>>>>>>>   [6/42]: enabling memberof plugin
>>>>>>>   [7/42]: enabling winsync plugin
>>>>>>>   [8/42]: configuring replication version plugin
>>>>>>>   [9/42]: enabling IPA enrollment plugin
>>>>>>>   [10/42]: enabling ldapi
>>>>>>>   [11/42]: configuring uniqueness plugin
>>>>>>>   [12/42]: configuring uuid plugin
>>>>>>>   [13/42]: configuring modrdn plugin
>>>>>>>   [14/42]: configuring DNS plugin
>>>>>>>   [15/42]: enabling entryUSN plugin
>>>>>>>   [16/42]: configuring lockout plugin
>>>>>>>   [17/42]: configuring topology plugin
>>>>>>>   [18/42]: creating indices
>>>>>>>   [19/42]: enabling referential integrity plugin
>>>>>>>   [20/42]: configuring ssl for ds instance
>>>>>>>   [21/42]: configuring certmap.conf
>>>>>>>   [22/42]: configure autobind for root
>>>>>>>   [23/42]: configure new location for managed entries
>>>>>>>   [24/42]: configure dirsrv ccache
>>>>>>>   [25/42]: enabling SASL mapping fallback
>>>>>>>   [26/42]: restarting directory server
>>>>>>>   [27/42]: setting up initial replication
>>>>>>> Starting replication, please wait until this has completed.
>>>>>>> Update in progress, 4 seconds elapsed
>>>>>>> Update succeeded
>>>>>>>
>>>>>>>   [28/42]: adding sasl mappings to the directory
>>>>>>>   [29/42]: updating schema
>>>>>>>   [30/42]: setting Auto Member configuration
>>>>>>>   [31/42]: enabling S4U2Proxy delegation
>>>>>>>   [32/42]: importing CA certificates from LDAP
>>>>>>>   [33/42]: initializing group membership
>>>>>>>   [34/42]: adding master entry
>>>>>>>   [35/42]: initializing domain level
>>>>>>>   [36/42]: configuring Posix uid/gid generation
>>>>>>>   [37/42]: adding replication acis
>>>>>>>   [38/42]: enabling compatibility plugin
>>>>>>>   [39/42]: activating sidgen plugin
>>>>>>>   [40/42]: activating extdom plugin
>>>>>>>   [41/42]: tuning directory server
>>>>>>>   [42/42]: configuring directory to start on boot
>>>>>>> Done configuring directory server (dirsrv).
>>>>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3
>>>>>>> minutes 30 seconds
>>>>>>>   [1/27]: creating certificate server user
>>>>>>>   [2/27]: configuring certificate server instance
>>>>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>>   [4/27]: backing up CS.cfg
>>>>>>>   [5/27]: disabling nonces
>>>>>>>   [6/27]: set up CRL publishing
>>>>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>>>>   [8/27]: starting certificate server instance
>>>>>>>
>>>>>>> And here it stays and refuses to move on. The ipareplica-install.log
>>>>>>> log reports:
>>>>>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080,
>>>>>>> 8443] timeout 300
>>>>>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
>>>>>>> 2017-05-18T08:40:09Z DEBUG request POST
>>>>>>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>>>>>>> 2017-05-18T08:40:09Z DEBUG request body ''
>>>>>>>
>>>>>>> I have tried and that port is indeed inaccessible, but I can't
>>>>>>> establish a way to progress this issue from any of the other log
>>>>>>> files. Also I have seen in the 4.4.4 release notes that IPv6 being
>>>>>>> disabled on the master can cause issues; re-enabling it (at least in
>>>>>>> /etc/hosts) did not seem to help.
>>>>>>>
>>>>>>> If anyone is able to offer ideas that would be very much
>>>>>>> appreciated. I am tempted to remove the --setup-ca option to see if this
>>>>>>> helps.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Callum
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
>>>>>>> <https://www.linkedin.com/company/x-on>   
>>>>>>> <https://www.facebook.com/XonTel>
>>>>>>>   <https://twitter.com/xonuk> *
>>>>>>> X-on is a trading name of Storacall Technology Ltd a limited company
>>>>>>> registered in England and Wales.
>>>>>>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>>>>>>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>>>>>>> The information in this e-mail is confidential and for use by the
>>>>>>> addressee(s) only. If you are not the intended recipient, please notify
>>>>>>> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
>>>>>>> delete the
>>>>>>> message from your computer. If you are not a named addressee you
>>>>>>> must not use, disclose, disseminate, distribute, copy, print or reply to
>>>>>>> this email. Views or opinions expressed by an individual
>>>>>>> within this email may not necessarily reflect the views of X-on or
>>>>>>> its associated companies. Although X-on routinely screens for viruses,
>>>>>>> addressees should scan this email and any attachments
>>>>>>> for viruses. X-on makes no representation or warranty as to the
>>>>>>> absence of viruses in this email or any attachments.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
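The installer log quoted earlier in this thread shows the two probes ipa-replica-install is stuck on: wait_for_open_ports on localhost 8080 and 8443 with a 300 second timeout, followed by a POST to http://<replica>:8080/ca/admin/ca/getStatus. The script below is an added example, not part of this thread and not FreeIPA or Dogtag code, that runs the same two probes on their own so an administrator can see whether pki-tomcatd ever binds its ports and what getStatus answers, without re-running the whole replica install. It assumes the getStatus body is XML of the form <XMLResponse>...<Status>running</Status>...</XMLResponse> (a constructed sample is embedded); the host name is a placeholder passed on the command line.

```python
"""Stand-alone mirror of the installer's "Waiting until the CA is running"
checks: TCP port wait, then an HTTP POST to getStatus.  Added example only."""
import socket
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the assumed Dogtag getStatus response shape.
SAMPLE_STATUS_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b"<XMLResponse><State>1</State><Type>CA</Type>"
    b"<Status>running</Status><Version>placeholder</Version></XMLResponse>"
)


def port_is_open(host, port, connect_timeout=1.0):
    """True if a TCP connect to host:port completes within connect_timeout."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def wait_for_open_ports(host, ports, timeout):
    """Poll until every port in `ports` accepts a TCP connection or `timeout`
    seconds pass.  Returns the list of ports still closed (empty on success),
    so the caller can name exactly which listener never came up."""
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while pending and time.monotonic() < deadline:
        pending = [p for p in pending if not port_is_open(host, p)]
        if pending:
            time.sleep(0.2)
    return pending


def parse_ca_status(body):
    """Return the <Status> text of a getStatus XML body, or None when the body
    is not XML at all (e.g. a Tomcat 503 page) or lacks a <Status> element."""
    try:
        doc = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = doc.find("Status")
    return node.text if node is not None else None


def ca_status(host, port=8080, timeout=10):
    """POST an empty body to /ca/admin/ca/getStatus, as the installer log
    shows, and return (http_status, parsed_status).  http_status is None when
    there was no TCP/HTTP answer at all, which is the symptom in the thread."""
    url = "http://%s:%d/ca/admin/ca/getStatus" % (host, port)
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, parse_ca_status(resp.read())
    except urllib.error.HTTPError as err:  # answered, but not 200
        return err.code, None
    except (urllib.error.URLError, OSError):  # refused / unreachable
        return None, None


def local_listener():
    """Open a throwaway loopback listener; used to exercise the port wait
    offline.  Returns (socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder
    still_closed = wait_for_open_ports(target, [8080, 8443], timeout=30)
    if still_closed:
        print("ports still closed after 30s:", still_closed)
    else:
        print("getStatus ->", ca_status(target))
```

Run it on the replica while the install hangs (python3 ca_probe.py localhost). If 8080/8443 stay closed, pki-tomcatd never bound them and the answer is in the Tomcat and Dogtag logs rather than in ipareplica-install.log; if the ports open but getStatus returns a non-200 code or a body without <Status>, the servlet is up but the CA subsystem has not finished starting.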
