[Freeipa-users] Please help: Re: How to rebuild IPA master?

Rob Crittenden rcritten at redhat.com
Thu May 10 20:50:42 UTC 2012


David Copperfield wrote:
> Hi Petr and all,
>
> All the chapters you have pointed out have been read many times, but that
> doesn't help at all.
>
> My problem is: the Dogtag system ran on the IPA master ONLY before the
> IPA Master crashed. Now I have to do the following:
>
> 1, install and run the Dogtag system on the IPA replica -- the document
> mentions it -- 'ipa-ca-install' etc.
>
> 2, promote the IPA replica into the new IPA Master -- the document mentions it
> but is not clear -- regarding the /root/cacert.p12 key file and the replica
> file under /var/lib/ipa.
>
> 3, how to recover the Dogtag system's data (different LDAP backend) that
> existed on the IPA master before it crashed?
>
> Other close questions include:
>
> what is included in the replica definition file
> /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the
> signing key and how do I open the .gpg file?

# gpg -d /path/to/replica.gpg | tar xf -

The password is the Directory Manager password.

You have limited options since your CA was a single point of failure and 
it failed. The root CA private keys should be in the replica file, so 
there may be ways to recover, but all of them will require significant 
manual effort.

We have no way to add a new CA to an existing IPA installation outside 
of ipa-ca-install so we'll need to give that some thought. I think the 
simplest way to fix this is to create a new CA as a subordinate of the 
original one. The existing certs should still be trusted (except for the 
agent cert) so mass rekeying won't be necessary.

Another option is to install a new CA and try to replace its key with the 
original. We'd need to think long-term about this effort, and you'd want 
to renew all issued certificates so they will be revocable.

rob


>
> Thanks.
>
> --David
>
> ------------------------------------------------------------------------
> *From:* Petr Spacek <pspacek at redhat.com>
> *To:* freeipa-users at redhat.com
> *Sent:* Thursday, May 10, 2012 2:45 AM
> *Subject:* Re: [Freeipa-users] How to rebuild IPA master?
>
> On 05/10/2012 02:24 AM, Steven Jones wrote:
>  > Hi,
>  >
>  > In case everyone else is asleep now......
>  >
>  > Do you have access to RH documentation? The 6.3beta admin guide
> section 18.8
>  > talks about why and how to make a replica a master.
>
> Just for completeness:
> Documentation is publicly available: http://docs.redhat.com/
>
> Documentation for IPA beta:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html
>
> Documentation for latest stable IPA:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>
>  >
>  > eg.,
>  >
>  > "NOTE
>  > All servers and replicas which host a CA are peers in the topology.
> They can
>  > all issue certificates
>  > and keys to IPA clients, and they all replicate information amongst
> themselves.
>  > The only reason to promote a replica or server to be a master server
> is if the
>  > master server is
>  > being taken offline. There has to be a root CA which can issue CRLs and
>  > ultimately validate
>  > certificate checks.
>  > Aside from that, replicas, servers, and the master server are all
> equal peers."
>  >
>  > regards
>  >
>  > Steven Jones
>  >
>  > Technical Specialist - Linux RHCE
>  >
>  > Victoria University, Wellington, NZ
>  >
>  > 0064 4 463 6272
>  >
>  >
> ------------------------------------------------------------------------------
>  > *From:* freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on
>  > behalf of David Copperfield [cao2dan at yahoo.com]
>  > *Sent:* Thursday, 10 May 2012 11:04 a.m.
>  > *To:* Rob Crittenden; Freeipa-users at redhat.com
>  > *Subject:* [Freeipa-users] How to rebuild IPA master?
>  >
>  > Hi all,
>  >
>  > I've an IPA master/replica setup in our development environment.
> Unfortunately
>  > our IPA master crashed; the replica is working fine. Now I have the
> IPA master
>  > re-imaged.
>  >
>  > What are the steps I have to follow to re-create the IPA master from the
> running
>  > IPA replica? Before the crash the IPA master ran the Dogtag certificate
> system, while
>  > the IPA replica didn't -- it was created normally without the --setup-ca option.
>  >
>  > Thanks.
>  >
>  > --David
>  >
>  >
>  > _______________________________________________
>  > Freeipa-users mailing list
>  > Freeipa-users at redhat.com
>  > https://www.redhat.com/mailman/listinfo/freeipa-users
>
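The replica-file check Rob describes above (decrypt with the Directory Manager password, unpack with tar), as an added shell example that is not from the thread or from FreeIPA itself: it unpacks into a private scratch directory and reports whether cacert.p12, the file that would carry the CA key material, is actually inside before anyone builds a recovery plan around it. Assumed: the archive is gpg symmetric-encrypted under the Directory Manager password, a gpg 2.x CLI, and the CA key file name cacert.p12 as used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: inspect a
# replica-info-*.gpg file before relying on it for CA recovery.
# Assumptions: symmetric gpg encryption under the Directory Manager
# password, gpg 2.x, and the CA key material stored as cacert.p12
# inside the archive (file name taken from the thread).
#
# Exit codes: 0 = cacert.p12 found, 1 = archive has no cacert.p12,
#             2 = decryption or extraction failed (e.g. wrong password)

inspect_replica_file() {
    replica_gpg="$1"
    dm_password="$2"

    # Private scratch dir: the archive holds private keys, so nothing
    # here should be world-readable even for a moment.
    out_dir=$(mktemp -d) || return 2
    chmod 700 "$out_dir"

    # Feed the password on stdin (--passphrase-fd 0) rather than as an
    # argument, so it never shows up in `ps` output or shell history.
    if ! printf '%s' "$dm_password" | gpg --batch --quiet --yes \
            --pinentry-mode loopback --passphrase-fd 0 \
            --output "$out_dir/replica.tar" --decrypt "$replica_gpg" 2>/dev/null
    then
        echo "decryption failed: wrong Directory Manager password or damaged file" >&2
        rm -rf "$out_dir"
        return 2
    fi

    if ! tar xf "$out_dir/replica.tar" -C "$out_dir"; then
        rm -rf "$out_dir"
        return 2
    fi
    rm -f "$out_dir/replica.tar"

    echo "contents of $replica_gpg:"
    ls -l "$out_dir"

    if [ -s "$out_dir/cacert.p12" ]; then
        echo "cacert.p12 present: CA key material is in this replica file"
        rc=0
    else
        echo "cacert.p12 missing: this replica file cannot restore the CA" >&2
        rc=1
    fi
    rm -rf "$out_dir"
    return "$rc"
}
```

The extracted files are deleted again after the listing; run `gpg -d ... | tar xf -` into a directory you control when you actually need the key material.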