[Freeipa-users] How to rebuild IPA master?
Stephen Gallagher
sgallagh at redhat.com
Thu May 10 00:31:23 UTC 2012
On Thu, 2012-05-10 at 00:24 +0000, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now......
>
> Do you have access to RH documentation? The 6.3beta admin guide
> section 18.8 talks about why and how to make a replica a master.
The problem seems to be that David had only a single server providing
the dogtag CA, and that was the machine that died.
>
> I've an IPA master/replica setup in our development environment.
> Unfortunately our IPA master crashed, the replica is working fine. Now
> I have the IPA master re-imaged.
>
>
> What are the steps I have to follow to re-create the IPA master from
> the running IPA replica? Before the crash, the IPA master ran dogtag
> certificate system, while the IPA replica didn't -- created normally
> without the --setup-ca option.
You'll have to check with the FreeIPA/Dogtag dev team (I'm a client-side
guy, so I don't have all the data here), but you're probably not going
to be in good shape. If you kept a separate backup of the private root
certificate for the CA, you may be able to stand up a new CA instance
and then issue new signed certs from the restored private root cert.
Otherwise, you're probably in trouble.