Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-16 Thread Jan Cholasta

Hi,

I have updated 
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master 
with information for IPA 4.0+.


Honza

On 15.1.2015 at 17:46, Rui Gomes wrote:

Hello Rob,

Thank you for the quick reply, I will give it a go, I wasn't sure if the links 
would work since most of the configuration for the dogtag in centos7 is 
different
and commands like:

getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save

Do not apply, I will try to accommodate for the difference in versions, I might 
bug you guys again :)


Regards
Rui Gomes


- Original Message -
From: Rob Crittenden rcrit...@redhat.com
To: Rui Gomes rgo...@rvx.is, freeipa-users@redhat.com
Sent: Thursday, 15 January, 2015 16:20:46
Subject: Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

Rui Gomes wrote:

Hello Guys,

I have been seeing plenty of emails about promoting replicas to masters but those 
articles do not seem to apply to ipa 4.1/centos 7 combo.

I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the 
file system), and I would like to promote my 4.1 replica to the master.

I tried:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

and:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you 
guys give me some pointers on how I can get my 4.1 replica to master?

Regards
Rui Gomes



Every server in IPA is a master, the only distinction being whether it
has a CA installed or not, and to a lesser extent DNS (all masters have
the data, some may just not run the service).

So if you have a master with a CA then you have a full IPA master.

The only thing that distinguishes one master from another is due to
order of installation due to two things that should only be done on one
master: generate the CRL and handle CA subsystem certificate renewal.

The first IPA master installed is given these duties. To switch the CRL
generator use the first link.

The page is going to be updated soon to reflect how renewal should be
handled on 4.0+ servers. The renewal master is now stored in LDAP so
switching it is a lot easier.

rob




--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
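
Added example (not part of the original thread and not FreeIPA project code): on 4.0+ the renewal master mentioned above is recorded in LDAP as the value ipaConfigString: caRenewalMaster on the cn=CA entry of one server under cn=masters,cn=ipa,cn=etc. The sketch below reads ldapsearch LDIF on stdin and checks that exactly one master holds the role; the host names, suffix and sample LDIF are constructed.

```shell
# Added example. Reads LDIF on stdin, for instance from (suffix is a placeholder):
#   ldapsearch -LLL -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=test' \
#       '(cn=CA)' ipaConfigString
# Print the host name of every master whose cn=CA entry has caRenewalMaster.
renewal_masters() {
    awk '
        function flush() {
            if (dn != "" && is_renewal) {
                split(dn, rdn, ",")          # cn=CA,cn=<fqdn>,cn=masters,...
                host = rdn[2]; sub(/^[cC][nN]=/, "", host)
                print host
            }
            dn = ""; is_renewal = 0
        }
        function handle(line) {
            if (line == "") { flush(); return }   # blank line ends an entry
            low = tolower(line)
            if (index(low, "dn: cn=ca,") == 1) dn = substr(line, 5)
            else if (low == "ipaconfigstring: carenewalmaster") is_renewal = 1
        }
        /^ / { cur = cur substr($0, 2); next }    # unfold LDIF continuation
        { if (have) handle(cur); cur = $0; have = 1 }
        END { if (have) handle(cur); flush() }
    '
}

# Renewal must be handled on exactly one master: return 0 only in that case.
check_single_renewal_master() {
    hosts=$(renewal_masters)
    count=$(printf '%s\n' "$hosts" | awk 'NF { c++ } END { print c + 0 }')
    case "$count" in
        1) echo "OK: CA renewal master is $hosts" ;;
        0) echo "WARN: no CA renewal master is set"; return 1 ;;
        *) echo "WARN: $count renewal masters:" $hosts; return 2 ;;
    esac
}

# Constructed sample: two CA masters, second one holds the role (dn is folded).
sample_ldif() {
cat <<'EOF'
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService

dn: cn=CA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=exam
 ple,dc=test
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
EOF
}
sample_ldif | check_single_renewal_master
```

A result of zero masters is the state to expect when the server that held the role has been lost, as in this thread.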


Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rob Crittenden
Rui Gomes wrote:
> Hello Guys,
>
> I have been seeing plenty of emails about promoting replicas to masters but those
> articles do not seem to apply to ipa 4.1/centos 7 combo.
>
> I had an ipa 3.0 master on centos 6.4 that died recently (I can still access
> the file system), and I would like to promote my 4.1 replica to the master.
>
> I tried:
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> and:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
>
> But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you
> guys give me some pointers on how I can get my 4.1 replica to master?
>
> Regards
> Rui Gomes

Every server in IPA is a master, the only distinction being whether it
has a CA installed or not, and to a lesser extent DNS (all masters have
the data, some may just not run the service).

So if you have a master with a CA then you have a full IPA master.

The only thing that distinguishes one master from another is due to
order of installation due to two things that should only be done on one
master: generate the CRL and handle CA subsystem certificate renewal.

The first IPA master installed is given these duties. To switch the CRL
generator use the first link.

The page is going to be updated soon to reflect how renewal should be
handled on 4.0+ servers. The renewal master is now stored in LDAP so
switching it is a lot easier.

rob



[Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rui Gomes
Hello Guys, 

I have been seeing plenty of emails about promoting replicas to masters but those 
articles do not seem to apply to ipa 4.1/centos 7 combo. 

I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the 
file system), and I would like to promote my 4.1 replica to the master. 

I tried: 
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master 

and: 
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
 

But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you 
guys give me some pointers on how I can get my 4.1 replica to master?

Regards 
Rui Gomes 



Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rui Gomes
Hello Rob, 

Thank you for the quick reply, I will give it a go, I wasn't sure if the links 
would work since most of the configuration for the dogtag in centos7 is 
different
and commands like:

getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save

Do not apply, I will try to accommodate for the difference in versions, I might 
bug you guys again :)


Regards 
Rui Gomes 


- Original Message -
From: Rob Crittenden rcrit...@redhat.com
To: Rui Gomes rgo...@rvx.is, freeipa-users@redhat.com
Sent: Thursday, 15 January, 2015 16:20:46
Subject: Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

Rui Gomes wrote:
> Hello Guys,
>
> I have been seeing plenty of emails about promoting replicas to masters but those
> articles do not seem to apply to ipa 4.1/centos 7 combo.
>
> I had an ipa 3.0 master on centos 6.4 that died recently (I can still access
> the file system), and I would like to promote my 4.1 replica to the master.
>
> I tried:
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> and:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
>
> But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you
> guys give me some pointers on how I can get my 4.1 replica to master?
>
> Regards
> Rui Gomes

Every server in IPA is a master, the only distinction being whether it
has a CA installed or not, and to a lesser extent DNS (all masters have
the data, some may just not run the service).

So if you have a master with a CA then you have a full IPA master.

The only thing that distinguishes one master from another is due to
order of installation due to two things that should only be done on one
master: generate the CRL and handle CA subsystem certificate renewal.

The first IPA master installed is given these duties. To switch the CRL
generator use the first link.

The page is going to be updated soon to reflect how renewal should be
handled on 4.0+ servers. The renewal master is now stored in LDAP so
switching it is a lot easier.

rob
