<div dir="ltr">A bit of googling has led me to understand that we must have created the original server with --selfsign, and that locked us into something bad which is now causing us problems. I'm not sure how this happened, since we actually created our original instance on a different server, created ipamaster as a replica of that one, then ran ipa-ca-install on ipamaster to make it the new CA. How did it end up in this state?<div>
<br></div><div>Anyway, is there ANY way around this? Can I simply ignore this, break the replication agreement as Simo suggested, rebuild ipamaster, replicate ipamaster2 to the new ipamaster, and then somehow make ipamaster be a CA using Dogtag? Will that screw up all the clients?</div>
</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br></div><div><u><br></u></div><div><b>Bret Wortman</b></div><div><img src="http://damascusgrp.com/item/51f7de33e4b08d2bdb8b4860?format=1500w" width="200" height="53"><br>
</div><div><a href="http://damascusgrp.com/" target="_blank">http://damascusgrp.com/</a><br></div><div><a href="http://about.me/wortmanbret" target="_blank">http://about.me/wortmanbret</a><br></div></div></div>
<br><br><div class="gmail_quote">On Thu, Aug 29, 2013 at 9:24 AM, Bret Wortman <span dir="ltr"><<a href="mailto:bret.wortman@damascusgrp.com" target="_blank">bret.wortman@damascusgrp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Agreed, but not always possible. I had a replica crash hard and it wasn't possible to remove it.<div><br></div><div>In other news:</div><div><br></div><div><font face="courier new, monospace">[ipamaster2]# ipa-ca-install replica-info-ipamaster2.spx.net.gpg</font></div>
<div><font face="courier new, monospace">A selfsign CA can not be added</font></div><div><br></div><div>Is there a way around this? How can I ensure that I can transfer the CA back to ipamaster after it's been erased & reinstalled?</div>
</div><div class="gmail_extra"><div class="im"><br clear="all"><div><div dir="ltr"><div><br></div><div><u><br></u></div><div><b>Bret Wortman</b></div><div><img src="http://damascusgrp.com/item/51f7de33e4b08d2bdb8b4860?format=1500w" width="200" height="53"><br>
</div><div><a href="http://damascusgrp.com/" target="_blank">http://damascusgrp.com/</a><br></div><div><a href="http://about.me/wortmanbret" target="_blank">http://about.me/wortmanbret</a><br></div></div></div>
<br><br></div><div><div class="h5"><div class="gmail_quote">On Thu, Aug 29, 2013 at 9:21 AM, Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:<br>
> On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>> wrote:<br>
> On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:<br>
> > Okay, I have a replica built and running. My original, "sick" server is ipamaster and the new one is ipamaster2. All I've done thus far on ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders replica-info-ipamaster2.foo.net.gpg.<br>
> ><br>
> > What additional steps do I need to take to ensure that the process of shutting down ipamaster, wiping it out, building it up fresh and then replicating ipamaster2 back to ipamaster and making ipamaster again the center of the universe and my certificate authority work correctly, cleanly, and with minimal fuss? Given the mess I got our servers in already, I figured I should ask before I start messing about today.<br>
> ><br>
> > I think the process should look something like this (I don't want you all thinking I'm looking for someone to do all my thinking for me):<br>
> ><br>
> > 1. Take snapshot of ipamaster (just in case)<br>
> > 2. [ipamaster2]# ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg (I should've done this during the ipa-ca-install, but since the ca step is so rare, I didn't have it in my wiki notes).<br>
> > 3. [ipamaster]# reboot<br>
> ><br>
> > This reboot will trigger a Cobbler & Puppet-based wipe of the system and reinstallation of F18 and freeipa-server. While that's going on:<br>
> ><br>
> > 4. [ipamaster2]# ipa-replica-prepare <a href="http://ipamaster.foo.net" target="_blank">ipamaster.foo.net</a> 1.2.3.4<br>
><br>
> You need to use ipa-replica-manage to remove the original ipamaster before you can prepare to add a new one.<br>
><br>
> After it is fully removed and the replica file generated you need to restart at least 389ds on ipamaster2. This is due to the fact that DS does not purge valid tickets, and it holds a ticket valid for the old ipamaster; however, when you reinstall the new one the name will match, so replication between ipamaster2 -> ipamaster may fail because ipamaster2 has a wrong ticket (using the old key you just nuked before the reinstall).<br>
><br>
> Got it. Glad I asked! I'll add these steps to my procedure.<br>
><br>
> > When ipamaster is back up:<br>
> ><br>
> > 5. [ipamaster]# cd /var/lib/ipa && scp ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .<br>
><br>
> You can copy in /root<br>
><br>
> I usually do it in /var/lib/ipa I guess because that's where the server puts the file, so it makes it easy for me to remember that's where it is. But point taken.<br>
><br>
> > 6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders --setup-ca replica-info-ipamaster.foo.net.gpg<br>
> ><br>
> > Usually, there's some reason I need to go back to ipamaster2 and either delete a dns entry or ipa host-del the system.<br>
><br>
> Uh? Sounds like this is going to screw up things, why should you delete DNS entries?<br>
> ipa host-del of a master is *certainly* going to break replication and basically everything. Is this what you did in your old setup?<br>
><br>
> Only if ipa-replica-install said I needed to.<br>
<br>
</div></div>OK, this means you previously uninstalled a replica directly on the machine but did not remove it from the domain; this is bad practice.<br>
You should use ipa-replica-manage before you retire a machine if possible, otherwise you leave dangling replication agreements, DNS names, ID ranges (this means you lose ID space), and keys.<br>
<div><div><br>
> > After the replica install is done:<br>
> ><br>
> > 7. Shut down and delete the ipamaster2 VM.<br>
><br>
> Do not forget to ipa-replica-manage remove it first.<br>
><br>
> Awesome. This is why I asked.<br>
><br>
> > 8. Upgrade existing "replicas" to F18 and latest IPA version.<br>
> > 9. Establish replication agreements with now-functioning ipamaster.<br>
> ><br>
> > Does that sound right?<br>
><br>
> See above.<br>
><br>
> Simo.<br>
><br>
> --<br>
> Simo Sorce * Red Hat, Inc * New York<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
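The rebuild procedure the thread converges on, written out as a script. This is an added example, not code from the thread or from FreeIPA itself; it encodes the ordering Simo insists on (remove the old master from the topology with ipa-replica-manage before preparing its replica file, restart the directory server afterwards so its cached ticket for the old host key is dropped, and remove a master from the topology before retiring its VM) and adds the check a practitioner wants, namely refusing to continue while the host is still listed as a master. The host names ipamaster.foo.net and ipamaster2.foo.net, the address 1.2.3.4, the MASTERS_OVERRIDE variable and the use of `ipactl restart` as the "at least 389ds" restart are assumptions of the example. By default it only prints the commands; set DRY_RUN=0 on the real servers to execute them.

```shell
#!/bin/bash
# Added example (not from the thread or from FreeIPA): rebuild a dead or
# "sick" IPA master by re-enrolling it as a replica of a surviving master.
# Assumed names: ipamaster.foo.net (host being rebuilt), ipamaster2.foo.net
# (surviving master), 1.2.3.4 (address of the rebuilt host).
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them.
set -eu

OLD_MASTER="${OLD_MASTER:-ipamaster.foo.net}"
SURVIVOR="${SURVIVOR:-ipamaster2.foo.net}"
NEW_IP="${NEW_IP:-1.2.3.4}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Masters currently known to the topology, one per line. `ipa-replica-manage
# list` prints "hostname: master"; in dry-run mode the list is taken from the
# assumed MASTERS_OVERRIDE variable (space separated) so the logic can be
# exercised offline.
current_masters() {
    if [ "$DRY_RUN" = 1 ]; then
        # shellcheck disable=SC2086  (word splitting is intended here)
        printf '%s\n' ${MASTERS_OVERRIDE:-}
    else
        ipa-replica-manage list | cut -d: -f1
    fi
}

# Succeed only if host $1 is no longer listed as a master. Preparing a replica
# file for, or retiring, a host that is still in the topology leaves dangling
# replication agreements, DNS names, ID ranges and keys behind.
ensure_removed() {
    if current_masters | grep -qxF "$1"; then
        echo "ERROR: $1 is still a master; run 'ipa-replica-manage del $1' first" >&2
        return 1
    fi
    return 0
}

# Run on the surviving master while $OLD_MASTER is being wiped and reinstalled.
survivor_steps() {
    # 1. Drop the old master from the topology first. --force because the
    #    host is gone and cannot take part in the removal.
    run ipa-replica-manage del "$OLD_MASTER" --force
    ensure_removed "$OLD_MASTER"
    # 2. Only now generate the replica file; --ip-address adds the DNS record
    #    for the rebuilt host.
    run ipa-replica-prepare --ip-address "$NEW_IP" "$OLD_MASTER"
    # 3. 389-ds still holds a Kerberos ticket for the old ipamaster host key,
    #    which no longer exists, so replication to the rebuilt host with the
    #    same name would fail. Restart to drop it (ipactl restarts the whole
    #    stack, which covers "at least 389ds").
    run ipactl restart
}

# Run on the rebuilt $OLD_MASTER once it is back up. --setup-ca makes it a
# CA clone of $SURVIVOR, so $SURVIVOR must already be a CA (ipa-ca-install).
rebuilt_host_steps() {
    run scp "$SURVIVOR:/var/lib/ipa/replica-info-$OLD_MASTER.gpg" /root/
    run ipa-replica-install --setup-ca --setup-dns --no-forwarders \
        "/root/replica-info-$OLD_MASTER.gpg"
}

# Run on the new master before deleting the $SURVIVOR VM: never retire a
# master by just powering it off.
retire_survivor() {
    run ipa-replica-manage del "$SURVIVOR"
    ensure_removed "$SURVIVOR"
}

case "${1:-}" in
    survivor) survivor_steps ;;
    rebuilt)  rebuilt_host_steps ;;
    retire)   retire_survivor ;;
    *) echo "usage: $0 survivor|rebuilt|retire (set DRY_RUN=0 to execute)" >&2 ;;
esac
```

Run `survivor` on ipamaster2 while the reinstall is in progress, `rebuilt` on the freshly installed ipamaster, and `retire` from the new ipamaster only when ipamaster2 is to be decommissioned. The `ensure_removed` check is what stops the script if `ipa-replica-manage del` did not actually clear the host, which is the situation that otherwise forces the later `ipa host-del` and DNS clean-up the thread warns against.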