It will create a clone of the original CA; it will work as a backup, not as a separate CA.

I'm afraid it will result in the same behavior because it uses almost the same code, but as I said before, this issue is on the dogtag side and not always reproducible.



On 18.05.2017 14:44, Callum Guy wrote:
Thanks for that Martin.

The man page for ipa-ca-install suggests I could pass in my replica file to create a "CA-less" configuration. Is this what I want, or is a CA-full appropriate? All I want to achieve is the additional resilience provided by a replica which can both authorise and sign certificates in the event of a loss of the master server. I certainly don't want an entirely separate CA to be installed - my anticipation is that my replica will be able to become an intermediate authority - is that the intended arrangement for a replica?

Finally, do you hold out much hope that ipa-ca-install will work any better than the --setup-ca flag I was attempting to get working for the replica install? If it's the same code I would probably just end up with a half-configured CA and have to rebuild my replica - something I would like to avoid repeating after the last couple of days!

On Thu, May 18, 2017 at 1:28 PM Martin Bašti <mba...@redhat.com> wrote:

    ipa-ca-install will install on top of a FreeIPA CA-less replica,
    nothing else; you really don't want to do it manually.


    On 18.05.2017 14:12, Callum Guy wrote:
    Thanks Martin, really appreciate the additional information.

    Are you aware of a separate guide for installing DogTag/PKI on
    top of FreeIPA? Basically I am happy to install it separately if
    it doesn't compromise the FreeIPA server configuration; I'm not
    clear on whether this is possible without a major time investment.

    On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com> wrote:


        Please note that commits in #6766 will not fix this issue,
        the issue is on dogtag side, please see
        https://pagure.io/dogtagpki/issue/2646

        Sorry for the trouble


        On 18.05.2017 12:19, Callum Guy wrote:
        Haha, looks like I'm going CA-less for a while on the
        replica. I don't see any immediate requirement for one, so
        time to get on with my life!

        I'll post back if anything changes but I'm probably stuck
        waiting for the upgrade too..

        On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com> wrote:

            Sorry cobber. We only found 6766 today - we've been
            tackling it on and off for a couple of weeks :)

            ------
            "Mission Statement: To provide hope and inspiration for
            collective action, to build collective power, to achieve
            collective transformation, rooted in grief and rage but
            pointed towards vision and dreams."

             - Patrice Cullors, /Black Lives Matter founder/

            On 18 May 2017 at 19:53, Callum Guy <callum....@x-on.co.uk> wrote:

                Ah, thanks for that Lachlan - it's always reassuring
                to hear that it's not just me!

                As mentioned above I have it running without the CA
                so that's a good start. I am sure we will upgrade as
                well once 4.5 becomes stable and GA for CentOS. I'm
                not expecting that to happen quickly so will have to
                work with what we have for now.

                Do you happen to know if there is any way to build
                the CA component separately?

                On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com> wrote:

                    https://pagure.io/freeipa/issue/6766

                    4.5.1 - I stand corrected. Can add more tomorrow.

                    On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:

                        We are seeing this. I'm not at work, but I
                        think it's bug report 6766.

                        Patch has already been committed (not by
                        us), we're waiting for IPA 4.5.

                        cheers
                        L.

                        On 18 May 2017 at 18:57, Callum Guy <callum....@x-on.co.uk> wrote:

                            Hi All,

                            I am currently stuck trying to set up the
                            first replica of our master IPA server.
                            I have tried a number of different
                            approaches, including escalating from a
                            client, and nothing is working for me. I
                            perform a full OS reset each time I get
                            stuck.

                            I'm running CentOS 7.2 with FreeIPA
                            4.4.0 (rpm -q reports this version,
                            however I have performed
                            ipa-server-upgrade - does this mean I'm
                            on 4.4.4?).

                            The command is shown below - note that I
                            am skipping the conn check as my
                            platform's security settings do not allow
                            the SSH session to be established back
                            on the master; all ports should be
                            available to the application, however.

                            [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg

                            Directory Manager (existing master) password:

                            ipa   : ERROR  Could not resolve hostname ipa2.SITE.net usis check queries IPA DNS directly and ignores /etc/hosts.)
                            Continue? [no]: yes
                            Configuring NTP daemon (ntpd)
                              [1/4]: stopping ntpd
                              [2/4]: writing configuration
                              [3/4]: configuring ntpd to start on boot
                              [4/4]: starting ntpd
                            Done configuring NTP daemon (ntpd).
                            Configuring directory server (dirsrv). Estimated time: 1 minute
                              [1/42]: creating directory server user
                              [2/42]: creating directory server instance
                              [3/42]: updating configuration in dse.ldif
                              [4/42]: restarting directory server
                              [5/42]: adding default schema
                              [6/42]: enabling memberof plugin
                              [7/42]: enabling winsync plugin
                              [8/42]: configuring replication version plugin
                              [9/42]: enabling IPA enrollment plugin
                              [10/42]: enabling ldapi
                              [11/42]: configuring uniqueness plugin
                              [12/42]: configuring uuid plugin
                              [13/42]: configuring modrdn plugin
                              [14/42]: configuring DNS plugin
                              [15/42]: enabling entryUSN plugin
                              [16/42]: configuring lockout plugin
                              [17/42]: configuring topology plugin
                              [18/42]: creating indices
                              [19/42]: enabling referential integrity plugin
                              [20/42]: configuring ssl for ds instance
                              [21/42]: configuring certmap.conf
                              [22/42]: configure autobind for root
                              [23/42]: configure new location for managed entries
                              [24/42]: configure dirsrv ccache
                              [25/42]: enabling SASL mapping fallback
                              [26/42]: restarting directory server
                              [27/42]: setting up initial replication
                            Starting replication, please wait until this has completed.
                            Update in progress, 4 seconds elapsed
                            Update succeeded

                              [28/42]: adding sasl mappings to the directory
                              [29/42]: updating schema
                              [30/42]: setting Auto Member configuration
                              [31/42]: enabling S4U2Proxy delegation
                              [32/42]: importing CA certificates from LDAP
                              [33/42]: initializing group membership
                              [34/42]: adding master entry
                              [35/42]: initializing domain level
                              [36/42]: configuring Posix uid/gid generation
                              [37/42]: adding replication acis
                              [38/42]: enabling compatibility plugin
                              [39/42]: activating sidgen plugin
                              [40/42]: activating extdom plugin
                              [41/42]: tuning directory server
                              [42/42]: configuring directory to start on boot
                            Done configuring directory server (dirsrv).
                            Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
                              [1/27]: creating certificate server user
                              [2/27]: configuring certificate server instance
                              [3/27]: stopping certificate server instance to update CS.cfg
                              [4/27]: backing up CS.cfg
                              [5/27]: disabling nonces
                              [6/27]: set up CRL publishing
                              [7/27]: enable PKIX certificate path discovery and validation
                              [8/27]: starting certificate server instance

                            And here it stays and refuses to move
                            on. The ipareplica-install.log log reports:
                            2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
                            2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
                            2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
                            2017-05-18T08:40:09Z DEBUG request body ''

                            I have tried, and that port is indeed
                            inaccessible, but I can't establish a way
                            to progress this issue from any of the
                            other log files. Also, I have seen in
                            the 4.4.4 release notes that IPv6 being
                            disabled on the master can cause issues;
                            re-enabling it (at least in /etc/hosts) did
                            not seem to help.

                            If anyone is able to offer ideas that
                            would be very much appreciated. I am
                            tempted to remove the --setup-ca option
                            to see if this helps.

                            Thanks,

                            Callum



                            0333 332 0000 | www.x-on.co.uk |
                            https://www.linkedin.com/company/x-on |
                            https://www.facebook.com/XonTel |
                            https://twitter.com/xonuk
                            X-on is a trading name of Storacall
                            Technology Ltd a limited company
                            registered in England and Wales.
                            Registered Office : Avaland House, 110
                            London Road, Apsley, Hemel Hempstead,
                            Herts, HP3 9SD. Company Registration No.
                            2578478.
                            The information in this e-mail is
                            confidential and for use by the
                            addressee(s) only. If you are not the
                            intended recipient, please notify X-on
                            immediately on +44(0)333 332 0000 and delete the
                            message from your computer. If you are
                            not a named addressee you must not use,
                            disclose, disseminate, distribute, copy,
                            print or reply to this email. Views or
                            opinions expressed by an individual
                            within this email may not necessarily
                            reflect the views of X-on or its
                            associated companies. Although X-on
                            routinely screens for viruses,
                            addressees should scan this email and
                            any attachments
                            for viruses. X-on makes no
                            representation or warranty as to the
                            absence of viruses in this email or any
                            attachments.


                            --
                            Manage your subscription for the Freeipa-users mailing list:
                            https://www.redhat.com/mailman/listinfo/freeipa-users
                            Go to http://freeipa.org for more info on the project

        --
        Martin Bašti
        Software Engineer
        Red Hat Czech
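For the hang described in the original post, here is an added diagnostic written for this page (it is example code, not FreeIPA or Dogtag code). The installer log shows the install blocked in wait_for_open_ports on localhost 8080/8443 and then polling the CA's getStatus URL; the script performs those same two checks on demand, so the state of pki-tomcatd can be inspected while the installer is still sitting at "[8/27]: starting certificate server instance". SAMPLE_LOG is reconstructed from the lines quoted in the post; the XML shape handled by parse_status_xml (a Status element in the reply) is an assumption about Dogtag's response, and the throwaway listener in demo() is a stand-in, not a CA.

```python
"""Check what a stuck ipa-replica-install --setup-ca is waiting for.

Added example for this thread, not FreeIPA or Dogtag code: re-runs the
port wait and the getStatus poll that ipareplica-install.log shows the
installer doing, so the CA's state can be looked at while it hangs.
"""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Shape of the DEBUG line quoted from ipareplica-install.log in the post.
WAIT_RE = re.compile(
    r"wait_for_open_ports: (?P<host>\S+) \[(?P<ports>[\d, ]+)\] timeout (?P<timeout>\d+)"
)

# Constructed sample: the log lines from the post, unwrapped onto single lines.
SAMPLE_LOG = """\
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''
"""


def parse_wait_line(line):
    """Return (host, [ports], timeout_seconds) for a wait_for_open_ports line, else None."""
    m = WAIT_RE.search(line)
    if not m:
        return None
    ports = [int(p) for p in m.group("ports").split(",")]
    return m.group("host"), ports, int(m.group("timeout"))


def find_wait_spec(log_text):
    """First wait_for_open_ports spec in the log, or None if the install never got that far."""
    for line in log_text.splitlines():
        spec = parse_wait_line(line)
        if spec is not None:
            return spec
    return None


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: nothing usable is listening
        return False


def check_ports(log_text, timeout=2.0):
    """Map each port the installer waited on to whether something answers on it now."""
    spec = find_wait_spec(log_text)
    if spec is None:
        return {}
    host, ports, _ = spec
    return {port: port_open(host, port, timeout) for port in ports}


def ca_status(url, timeout=5.0):
    """POST an empty body to the getStatus URL as the installer does.
    Returns (http_status, body), or (None, error text) if nothing answers."""
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def parse_status_xml(body):
    """Text of the <Status> element in a getStatus reply, or None.
    Assumption: the reply is XML carrying a Status element (sample is constructed)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(".//Status")
    return node.text if node is not None else None


def demo():
    """Show both outcomes against a throwaway local listener (a stand-in, not a CA)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    log = f"2017-05-18T08:40:07Z DEBUG wait_for_open_ports: 127.0.0.1 [{port}] timeout 300"
    while_listening = check_ports(log)[port]
    srv.close()
    after_close = check_ports(log)[port]
    return while_listening, after_close


if __name__ == "__main__":
    print("installer waited for:", find_wait_spec(SAMPLE_LOG))
    print("ports answering now:", check_ports(SAMPLE_LOG))
    print("demo (listening, closed):", demo())
```

Run it on the replica while the installer is stuck. If both ports report closed, pki-tomcatd never came up and the Dogtag/Tomcat logs, not the installer log, hold the reason; if the ports answer but ca_status returns no running status, the Tomcat process is up and the CA web application is what has not started.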