Re: [Freeipa-users] lost master master and soa

2017-02-13 Thread Martin Babinsky

On 02/13/2017 10:12 PM, Aaron Young wrote:

hello

So, I recently took over this site and a couple days into it, the first
ipa server died because of disk corruption.

Right now, I've built another ipa server to step into the topology as a
replica, but I keep getting strange dns errors during update.

Looking at it closer, it appears that when nsupdate runs, it fails updating.

Looking closer, I notice that the SOA comes back with the name of the
missing server.

So, it seems like I should change that. So far I've been unable to

I get messages back from nsupdate like

"response to SOA query was unsuccessful"

I'm not sure what information I should send to help with this.

My main question is, is there a way to force the change of the SOA?

aaron
--
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997




Hi Aaron,

There may be a stale NS record on other IPA masters which serve your 
DNS zone. You can verify this by running:


# ipa dnsrecord-show  @

and check the list of nameservers returned.

To remove the record of the old master, run

# ipa dnsrecord-del   @ --ns-rec 

Also, make sure you cleaned up old agreements, services, etc. of the old 
master by running `ipa-replica-manage del --force --cleanup ` on some 
other IPA master.


You will also probably have to stand up a new CA renewal/CRL master[1] 
on one of the remaining replicas if the first server died and you have 
CA configured.


[1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Hope this helps

--
Martin^3 Babinsky
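A quick way to spot the stale references Martin describes, as an added example that is not part of the thread or of the FreeIPA project: the function below takes the answer section of a dig query for the zone's SOA and NS records, plus the list of masters that still exist, and prints every SOA MNAME or NS target that is not on that list. The zone name, host names and record data are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: flag SOA/NS records that still name a
# decommissioned IPA master.  Run against the answer section of
#   dig +noall +answer <zone> SOA NS
# taken from each remaining master; here a constructed sample is used instead.

# Constructed sample answer section. ipa-old.example.test is the master that died.
SAMPLE_ANSWER='example.test.  3600  IN  SOA  ipa-old.example.test. hostmaster.example.test. 1486900000 3600 900 1209600 3600
example.test.  86400 IN  NS   ipa-old.example.test.
example.test.  86400 IN  NS   ipa2.example.test.'

# stale_nameservers ANSWER LIVE_HOSTS
#   ANSWER     - dig answer-section text (one resource record per line)
#   LIVE_HOSTS - space-separated FQDNs of masters that still exist (no trailing dot)
# Prints one line per stale reference as "<RRTYPE> <hostname>"; prints nothing
# when every SOA MNAME and NS target belongs to a live master.
stale_nameservers() {
    answer=$1
    live=$2
    printf '%s\n' "$answer" | awk -v live="$live" '
        BEGIN {
            n = split(live, arr, " ")
            for (i = 1; i <= n; i++) alive[arr[i]] = 1
        }
        # dig answer layout: owner ttl class type rdata...
        # For SOA the first rdata field is the MNAME; for NS it is the target host.
        $4 == "SOA" || $4 == "NS" {
            host = $5
            sub(/\.$/, "", host)          # strip the trailing dot of the FQDN
            if (!(host in alive)) print $4 " " host
        }
    '
}

# Stand-alone run: report anything still pointing at a host other than the survivors.
stale_nameservers "$SAMPLE_ANSWER" "ipa2.example.test ipa3.example.test"
```

Any host this prints for a master that no longer exists is the record to compare against the zone apex shown by `ipa dnsrecord-show` and, if it is still there, to drop with `ipa dnsrecord-del ... --ns-rec`. Because dig answers come from the one server you query, repeat the check against each remaining master; a stale answer from only one of them points at that master's own view of the zone rather than at the shared LDAP data.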

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-13 Thread Sullivan, Daniel [CRI]
Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert only 
(disclaimer: I’ve never done this).

Dan

> On Feb 13, 2017, at 4:08 PM, Matt .  wrote:
> 
> Hi Guys,
> 
> I'm trying to install a 3rd party certificate using:
> 
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
> 
> When I run the install command for the certificate itself:
> 
> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
> Directory Manager password:
> 
> Enter private key unlock password:
> 
> list index out of range
> The ipa-server-certinstall command failed.
> 
> 
> If I do a #ipa-certupdate the Server-Cert is removed from
> /etc/httpd/alias and the install fails because of this.
> 
> What can I do to solve this?
> 
> Thanks,
> 
> Matt
> 



[Freeipa-users] Cannot install 3rd party certificate

2017-02-13 Thread Matt .
Hi Guys,

I'm trying to install a 3rd party certificate using:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

When I run the install command for the certificate itself:

]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
Directory Manager password:

Enter private key unlock password:

list index out of range
The ipa-server-certinstall command failed.


If I do a #ipa-certupdate the Server-Cert is removed from
/etc/httpd/alias and the install fails because of this.

What can I do to solve this?

Thanks,

Matt



[Freeipa-users] lost master master and soa

2017-02-13 Thread Aaron Young
hello

So, I recently took over this site and a couple days into it, the first ipa
server died because of disk corruption.

Right now, I've built another ipa server to step into the topology as a
replica, but I keep getting strange dns errors during update.

Looking at it closer, it appears that when nsupdate runs, it fails updating.

Looking closer, I notice that the SOA comes back with the name of the
missing server.

So, it seems like I should change that. So far I've been unable to

I get messages back from nsupdate like

"response to SOA query was unsuccessful"

I'm not sure what information I should send to help with this.

My main question is, is there a way to force the change of the SOA?

aaron
-- 
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997