[Freeipa-devel] Running ipa-replica-prepare on a replica

Petr Viktorin pviktori at redhat.com
Mon Jul 14 15:22:54 UTC 2014


Hello,

On 07/11/2014 08:17 AM, James wrote:
> I installed IPA on host A, did a replica prepare, and then installed
> it on host B.
>
> Running ipa-replica-prepare on B yield this error:
>
>> A selfsign CA backend can only prepare on the original master
>
> This error doesn't seem to be in the current git master anymore. Has
> this limitation been removed?

Not really: the selfsign functionality itself was removed.
See: http://www.freeipa.org/page/V3/Drop_selfsign_functionality

> Can someone explain if you can "ipa-replica-prepare" from any new
> master, and starting at what version please? Assume I installed the
> first host with --selfsign.

Unfortunately, you can't.
Self-signed CAs were not capable of replication, and replica files need 
to be created on a host with CA (unless using the CA-less feature in IPA 
3.2+). So, in a selfsign install, only the original master could create 
replicas.

> I'm particularly interested in understanding why or why not you can do
> this (or couldn't do this).

Selfsign was never suitable for production. It was useful for 
developers while Dogtag wasn't ready yet, but it never got beyond being 
a proof of concept.

Unfortunately it had a very tempting name, and we didn't communicate 
enough that it's something you don't want to use.
Apologies for that.


-- 
Petr³