Re: [Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Yes I think they are what I put in subversion, basically between satellite and the files 
below in subversion I should be able to build a complete basic IPA server RHEL6.2 
machine... the "interesting" bit is getting my master IPA instance back.


=
[root@vuwunicoipam001 scripts]# pwd
/home/jonesst1/subversion/vuwunicoipam001-ods/scripts
[root@vuwunicoipam001 scripts]# ls -l
total 32
-rw-rw-r--. 1 jonesst1 jonesst1 1696 Mar 19 16:04 cacert.p12
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 19 16:04 etc
-rw-rw-r--. 1 jonesst1 jonesst1  206 Mar 19 16:04 nat-fw-down
-rw-rw-r--. 1 jonesst1 jonesst1 7171 Mar 19 16:07 nat-fw-up
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 20 13:39 packages
-rw-rw-r--. 1 jonesst1 jonesst1   40 Mar 19 16:04 pwdfile.txt
-rwxrwxr-x. 1 jonesst1 jonesst1 3524 Mar 19 16:04 zzbuild
[root@vuwunicoipam001 scripts]#


That should be all you need then, that cacert.p12. The token password 
should be the same as the Apache db password.


You can import it using pk12util -i ... as documented.

Then you'll need to create a serial number file. If you don't have the 
old one you can create a new one, you just want to be sure to set the 
starting value at something that hasn't already been issued. Re-issuing 
certs with duplicate serial numbers is not very nice. We start at 1000, 
you can pick any number sufficiently higher. To get a ballpark figure 
you might try something like (this should work in 2.1.x, I tested it in 
2.2.0):


ipa service-find --sizelimit=1 |grep -i serial
ipa host-find --sizelimit=1 | grep -i serial

That should show the serial numbers in use assuming you have less than 
10k hosts and services. Should put in the ballpark in any case.


The format looks like:

[selfsign]
nextreplica = 50
replicainterval = 50
lastvalue = 1022

Only lastvalue is used, BTW.

For permissions, /var/lib/ipa/ca_serialno should be root:apache mode 
0664. You should probably run restorecon on it too.


To see if things are working you'll want to try to issue a cert.

rob


=

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 23 May 2012 9:43 a.m.
To: Steven Jones
Cc: Deon Lackey
Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas

Steven Jones wrote:

 From the 18.8.2 section point 2,


"[root@ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d 
/etc/
dirsrv/slapd-EXAMPLE-COM"

the -o option is the one below?

[root@vuwunicoipam001 ~]# find /etc/ -name cacert*
/etc/httpd/alias/cacert.p12

?

I think an explanation of what I'm meant to be looking for might help...


You're using a self-signed CA?

The -o is what you defined as /path/to/cacert.p12. It is wherever you
want to store the file.

This documentation is incorrect though, I thought I had filed a bug on
this already. In a self-signed CA the root certificate is in
/etc/httpd/alias and not in a 389-ds instance at all. So for step 2
you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.

What this is doing is creating a file to transport the self-signed CA
private keys and certificate securely from one location to another.

This is assuming the original master is around. If it is then you can do
this. If not then you saved /root/cacert.p12 from the initial install,
right?

rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 23 May 2012 8:11 a.m.
Cc:
Subject: [Freeipa-users] How to restore IPA Master/Replicas

Hi,

My master is it seems dead and has been for a week, RH support cannot recover 
it. So I need to move on and rebuild it. First it looks like I need to 
promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






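Added example, not code from the thread or from the FreeIPA project: a small set of POSIX shell helpers for the two recovery steps Rob describes in this message, exporting the self-signed CA out of the Apache NSS database and rebuilding the ca_serialno file with a lastvalue safely above anything already issued. Assumptions are marked in the comments: the Apache NSS database lives in /etc/httpd/alias with its token password in /etc/httpd/alias/pwdfile.txt, the CA nickname follows the "REALM IPA CA" pattern quoted in the thread, and the `ipa host-find` / `ipa service-find` output carries "Serial Number:" lines. The serial-file helpers run on constructed sample output; the pk12util and chown/restorecon steps need root and nss-tools and are only defined, not run.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project). Helpers for:
#  1) picking a safe starting serial and writing /var/lib/ipa/ca_serialno
#  2) exporting the self-signed CA from the Apache NSS db as PKCS#12
set -eu

# Highest serial number in `ipa host-find` / `ipa service-find` output read
# from stdin. Lines are assumed to look like "  Serial Number: 1022";
# prints 0 when no serial is present.
max_serial() {
    v=$(grep -i 'serial number' | sed 's/.*: *//' | sort -n | tail -n 1)
    echo "${v:-0}"
}

# Starting lastvalue: highest serial seen plus a margin, never below 1000,
# the value a fresh install starts from.
choose_start() {
    seen=$1
    margin=${2:-100}
    start=$((seen + margin))
    if [ "$start" -lt 1000 ]; then start=1000; fi
    echo "$start"
}

# Write the ca_serialno file ($1) with lastvalue=$2. Only lastvalue is read;
# nextreplica/replicainterval are kept so the file matches the installer's layout.
write_serialno() {
    printf '[selfsign]\nnextreplica = 50\nreplicainterval = 50\nlastvalue = %s\n' "$2" > "$1"
}

# Succeeds if the file's lastvalue is at least $2 (sanity check before issuing
# any new cert, so a duplicate serial cannot be handed out).
check_serialno() {
    cur=$(sed -n 's/^lastvalue *= *//p' "$1")
    [ -n "$cur" ] && [ "$cur" -ge "$2" ]
}

# Ownership, mode and SELinux context from the reply: root:apache, 0664,
# restorecon. Needs root; not exercised by the demonstration below.
install_serialno() {
    chown root:apache "$1"
    chmod 0664 "$1"
    restorecon "$1"
}

# Export the self-signed CA (certificate and private key) as PKCS#12 from the
# Apache NSS database. Assumed: db in /etc/httpd/alias, token password in
# /etc/httpd/alias/pwdfile.txt (pk12util -k reads it), nickname "REALM IPA CA".
# Needs root and nss-tools. The output holds the CA private key: keep it 0600.
export_selfsigned_ca() {
    realm=$1
    out=$2
    pk12util -o "$out" -n "$realm IPA CA" -d /etc/httpd/alias \
             -k /etc/httpd/alias/pwdfile.txt
    chmod 0600 "$out"
}

# Demonstration on constructed CLI output (real use pipes `ipa host-find`).
sample='  Serial Number: 1022
  Serial Number: 1030
  Serial Number: 999'
highest=$(printf '%s\n' "$sample" | max_serial)
start=$(choose_start "$highest")
tmpfile=$(mktemp)
write_serialno "$tmpfile" "$start"
if check_serialno "$tmpfile" "$highest"; then
    echo "ca_serialno lastvalue=$start (highest serial seen: $highest)"
fi
rm -f "$tmpfile"
```

In production the file path is /var/lib/ipa/ca_serialno and `install_serialno` is run on it after `write_serialno`; the `--sizelimit=1` trick from the reply only inspects the entries the CLI returns, so the margin in `choose_start` is there to absorb certs that query did not show.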

Re: [Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Steven Jones
Hi,

Yes I think they are what I put in subversion, basically between satellite and 
the files below in subversion I should be able to build a complete basic IPA 
server RHEL6.2 machine... the "interesting" bit is getting my master IPA 
instance back.


=
[root@vuwunicoipam001 scripts]# pwd
/home/jonesst1/subversion/vuwunicoipam001-ods/scripts
[root@vuwunicoipam001 scripts]# ls -l
total 32
-rw-rw-r--. 1 jonesst1 jonesst1 1696 Mar 19 16:04 cacert.p12
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 19 16:04 etc
-rw-rw-r--. 1 jonesst1 jonesst1  206 Mar 19 16:04 nat-fw-down
-rw-rw-r--. 1 jonesst1 jonesst1 7171 Mar 19 16:07 nat-fw-up
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 20 13:39 packages
-rw-rw-r--. 1 jonesst1 jonesst1   40 Mar 19 16:04 pwdfile.txt
-rwxrwxr-x. 1 jonesst1 jonesst1 3524 Mar 19 16:04 zzbuild
[root@vuwunicoipam001 scripts]# 
=

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 23 May 2012 9:43 a.m.
To: Steven Jones
Cc: Deon Lackey
Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas

Steven Jones wrote:
>> From the 18.8.2 section point 2,
>
> "[root@ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" 
> -d /etc/
> dirsrv/slapd-EXAMPLE-COM"
>
> the -o option is the one below?
>
> [root@vuwunicoipam001 ~]# find /etc/ -name cacert*
> /etc/httpd/alias/cacert.p12
>
> ?
>
> I think an explanation of what I'm meant to be looking for might help...

You're using a self-signed CA?

The -o is what you defined as /path/to/cacert.p12. It is wherever you
want to store the file.

This documentation is incorrect though, I thought I had filed a bug on
this already. In a self-signed CA the root certificate is in
/etc/httpd/alias and not in a 389-ds instance at all. So for step 2
you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.

What this is doing is creating a file to transport the self-signed CA
private keys and certificate securely from one location to another.

This is assuming the original master is around. If it is then you can do
this. If not then you saved /root/cacert.p12 from the initial install,
right?

rob

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Wednesday, 23 May 2012 8:11 a.m.
> Cc:
> Subject: [Freeipa-users] How to restore IPA Master/Replicas
>
> Hi,
>
> My master is it seems dead and has been for a week, RH support cannot recover 
> it. So I need to move on and rebuild it. First it looks like I need to 
> promote my replica to be the master.
>
> Do we have any good docs/procedures for the above?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>




Re: [Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Rob Crittenden

Steven Jones wrote:

From the 18.8.2 section point 2,


"[root@ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d 
/etc/
dirsrv/slapd-EXAMPLE-COM"

the -o option is the one below?

[root@vuwunicoipam001 ~]# find /etc/ -name cacert*
/etc/httpd/alias/cacert.p12

?

I think an explanation of what I'm meant to be looking for might help...


You're using a self-signed CA?

The -o is what you defined as /path/to/cacert.p12. It is wherever you 
want to store the file.


This documentation is incorrect though, I thought I had filed a bug on 
this already. In a self-signed CA the root certificate is in 
/etc/httpd/alias and not in a 389-ds instance at all. So for step 2 
you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.


What this is doing is creating a file to transport the self-signed CA 
private keys and certificate securely from one location to another.


This is assuming the original master is around. If it is then you can do 
this. If not then you saved /root/cacert.p12 from the initial install, 
right?


rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 23 May 2012 8:11 a.m.
Cc:
Subject: [Freeipa-users] How to restore IPA Master/Replicas

Hi,

My master is it seems dead and has been for a week, RH support cannot recover 
it. So I need to move on and rebuild it. First it looks like I need to 
promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272






Re: [Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Steven Jones
[root@vuwunicoipam001 ~]# pk12util -o /etc/httpd/alias/cacert.p12 -n 
"ODS.VUW.AC.NZ IPA CA" -d /etc/dirsrv/slapd-ODS-VUW-AC-NZ/
Enter Password or Pin for "NSS Certificate DB":

I tried the directory manager password and the admin password and a blank.

keeps asking...no idea what it is...

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 23 May 2012 9:04 a.m.
Cc: 
Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas

From the 18.8.2 section point 2,

"[root@ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d 
/etc/
dirsrv/slapd-EXAMPLE-COM"

the -o option is the one below?

[root@vuwunicoipam001 ~]# find /etc/ -name cacert*
/etc/httpd/alias/cacert.p12

?

I think an explanation of what I'm meant to be looking for might help...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 23 May 2012 8:11 a.m.
Cc: 
Subject: [Freeipa-users] How to restore IPA Master/Replicas

Hi,

My master is it seems dead and has been for a week, RH support cannot recover 
it. So I need to move on and rebuild it. First it looks like I need to 
promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272





Re: [Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Steven Jones
From the 18.8.2 section point 2,

"[root@ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d 
/etc/
dirsrv/slapd-EXAMPLE-COM"

the -o option is the one below?

[root@vuwunicoipam001 ~]# find /etc/ -name cacert*
/etc/httpd/alias/cacert.p12

?

I think an explanation of what I'm meant to be looking for might help...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 23 May 2012 8:11 a.m.
Cc: 
Subject: [Freeipa-users] How to restore IPA Master/Replicas

Hi,

My master is it seems dead and has been for a week, RH support cannot recover 
it. So I need to move on and rebuild it. First it looks like I need to 
promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




[Freeipa-users] How to restore IPA Master/Replicas

2012-05-22 Thread Steven Jones
Hi,

My master is it seems dead and has been for a week, RH support cannot recover 
it. So I need to move on and rebuild it. First it looks like I need to 
promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
