[Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master?

James Hogarth james.hogarth at gmail.com
Wed Jun 13 14:27:10 UTC 2012


>
> But in short the only thing to do is change the CRL generator per those
> instructions. It is otherwise already a full CA. If none or all of them are
> generating a CRL it isn't the end of the world either way, you could just
> end up with slightly different CRLs on different masters which can be
> confusing.
>

Really trying to get to the bottom of this....

I've just installed FreeIPA 2.2 on Fedora 17 ....

So far as I can see the first system immediately after being built
does not have the following lines discussed in the 'promote replica'
documentation in CS.cfg:
ca.certStatusUpdateInterval
ca.listenToCloneModifications

Grabbing the info from the internal dogtag system for the first built
system shows:
PKI Subsystem Type:  Root CA (Security Domain)

After having installed the second system there is no change in the
first system....

The second system is identical to the first for the given parameters
mentioned in the docs....

Grabbing the info from the internal dogtag system for the second built
system shows:
PKI Subsystem Type:  CA Clone (Security Domain)

This appears to completely differ from the docs on a default install -
to the extent that the described parameters in CS.cfg don't even exist.....

Finally I decided to mimic a complete failure of the first system and
the consequences thereof.....

Installing a third system and using the second for ipa-replica-prepare
all seemed to build cleanly....

After it was installed both systems apparently were clones according
to the internal dogtag info - but replication seemed fine and both
appeared to be generating CRLs.....

The replication was as one would expect - system2 had agreements with
systems 1 and 3 ... and system 3 only knew of system 1...

Built a client to register against these next....

The client was able to use ipa-client to join this domain...

Next httpd was installed on this client....

Using the normal methods (ipa service-add, ipa-getcert, ipa-getkeytab)
the httpd instance was configured fine with an HTTP service keytab and
SSL certificate being monitored via certmonger....

The only thing I can get out of these diagnostics is that the whole
'ROOT' thing only on the first doesn't appear to matter since
certificates could still be generated and all instances appeared to be
generating CRLs.....

Sorry for the wordiness but wanted to get all my steps and checks down
for reference purposes....

Hope this helps out the next person who wonders about the whole
'promote' thing in the IPA documentation - it doesn't actually seem to
apply in the slightest for a full Dogtag multimaster integrated
setup....

Regards,

James
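As an added example (not from this post or from the FreeIPA project), a small audit that reads the two CS.cfg keys the post names from several masters and flags the "none or all of them generating a CRL" situation the quoted reply warns about. The rule that a generator is ca.listenToCloneModifications=true with a non-zero ca.certStatusUpdateInterval is an assumption taken from the promote-replica convention the thread discusses, and the CS.cfg fragments are constructed sample data.

```python
# Added example (not from the list post or the FreeIPA project). Assumes the
# convention of the 'promote replica' docs the thread refers to: the CRL
# generator has ca.listenToCloneModifications=true and a non-zero
# ca.certStatusUpdateInterval in CS.cfg. A master missing either key (like the
# fresh 2.2 install in the post) is reported as 'unset' rather than guessed.

GENERATOR_KEYS = ("ca.listenToCloneModifications", "ca.certStatusUpdateInterval")


def parse_cs_cfg(text: str) -> dict:
    """Parse key=value lines of a CS.cfg; blank and '#' comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def crl_role(cfg: dict) -> str:
    """Classify one master as 'generator', 'clone', or 'unset' (keys missing)."""
    if any(k not in cfg for k in GENERATOR_KEYS):
        return "unset"
    listens = cfg["ca.listenToCloneModifications"].lower() == "true"
    return "generator" if listens and cfg["ca.certStatusUpdateInterval"] != "0" else "clone"


def audit(configs: dict) -> dict:
    """Map host -> role and give a verdict: 'ok' only when exactly one master
    is explicitly the CRL generator (the 'none or all' case is what confuses)."""
    roles = {host: crl_role(parse_cs_cfg(text)) for host, text in configs.items()}
    gens = sorted(h for h, r in roles.items() if r == "generator")
    if len(gens) == 1:
        verdict = "ok"
    elif not gens:
        verdict = "warning: no master is explicitly the CRL generator"
    else:
        verdict = "warning: several CRL generators: " + ", ".join(gens)
    return {"roles": roles, "verdict": verdict}


# Constructed CS.cfg fragments for three masters (sample data, not real files).
SAMPLE = {
    "ipa1": "ca.listenToCloneModifications=true\nca.certStatusUpdateInterval=600\n",
    "ipa2": "ca.listenToCloneModifications=false\nca.certStatusUpdateInterval=0\n",
    "ipa3": "# fresh 2.2 install: neither key present\nother.key=value\n",
}
```

Point `audit` at the CS.cfg contents collected from each master (e.g. via `ipa-replica-manage list` plus a copy of each file) to see at a glance which instance is explicitly the CRL generator.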



