[Freeipa-users] Please help: Re: How to rebuild IPA master?
Dmitri Pal
dpal at redhat.com
Sun May 13 18:21:25 UTC 2012
On 05/10/2012 05:42 PM, Ade Lee wrote:
> David,
>
> The simplest solution may be as Rob suggests - which is to create a new
> CA as a subordinate of the old.
>
> The other solution would be doable but would require a few more manual
> steps. That is, you could:
> 1. install a new ca
> 2. switch out the certs in that ca with the ones in your gpg file. The
> certificate database is in /var/lib/pki-ca/alias
> 3. There may be some manual changes required in /etc/pki-ca/CS.cfg, but
> as the nicknames should be the same, you might be ok.
> 4. If you go this route, you probably want to change the lower point of
> the serial number ranges used for certs/requests in CS.cfg to not reuse
> serial numbers for certs you have already issued.
> 5. Switch out the ipa agent cert/keys in the IPA cert database.
>
> You will run into problems later though because you have lost the data
> in the dogtag database.
>
> In particular, because the renewal process uses the original requests
> (which are stored in the dogtag database), you will likely be unable to
> renew the certs you have already issued unless you rekey those certs.
>
> That may be OK for most certs, but you may not want to do that for the
> CA signing cert. In that case, you will likely need to instrument
> something to reconstruct the original request.
>
https://fedorahosted.org/freeipa/ticket/2749
> Ade
> On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote:
>> David Copperfield wrote:
>>> Hi Petr and all,
>>>
>>> All the chapters you have pointed out were read many times, but that
>>> doesn't help at all.
>>>
>>> My problem is: the Dogtag system ran on the IPA master ONLY before the
>>> IPA Master crashed. Now I have to do the following:
>>>
>>> 1, install and run the Dogtag system on the IPA replica -- the document
>>> mentions it -- 'ipa-ca-install' etc.
>>>
>>> 2, promote the IPA replica into the new IPA Master -- the document
>>> mentions it but is not clear -- regarding the /root/cacert.p12 key file
>>> and the replica file under /var/lib/ipa.
>>>
>>> 3, how to recover the Dogtag system's data (different LDAP backend) that
>>> existed on the IPA master before it crashed?
>>>
>>> Other close questions include:
>>>
>>> what is included in the replica definition file
>>> /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the
>>> signing key, and how do I open the .gpg file?
>> # gpg -d /path/to/replica.gpg | tar xf -
>>
>> The password is the Directory Manager password.
>>
>> You have limited options since your CA was a single point of failure and
>> it failed. The root CA private keys should be in the replica file so
>> there may be ways to recover, all of them will require significant
>> manual effort.
>>
>> We have no way to add a new CA to an existing IPA installation outside
>> of ipa-ca-install so we'll need to give that some thought. I think the
>> simplest way to fix this is to create a new CA as a subordinate of the
>> original one. The existing certs should still be trusted (except for the
>> agent cert) so mass rekeying won't be necessary.
>>
>> Another option is to install a new CA and try to replace the key with the
>> original. We'd need to think long-term about this effort and you'd want
>> to renew all issued certificates so they will be revokable.
>>
>> rob
>>
>>
>>> Thanks.
>>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Petr Spacek <pspacek at redhat.com>
>>> *To:* freeipa-users at redhat.com
>>> *Sent:* Thursday, May 10, 2012 2:45 AM
>>> *Subject:* Re: [Freeipa-users] How to rebuild IPA master?
>>>
>>> On 05/10/2012 02:24 AM, Steven Jones wrote:
>>> > Hi,
>>> >
>>> > In case everyone else is asleep now......
>>> >
>>> > Do you have access to RH documentation? The 6.3 beta admin guide
>>> > section 18.8 talks about why and how to make a replica a master.
>>>
>>> Just for completeness:
>>> Documentation is publicly available: http://docs.redhat.com/
>>>
>>> Documentation for IPA beta:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html
>>>
>>> Documentation for latest stable IPA:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>> >
>>> > eg.,
>>> >
>>> > "NOTE
>>> > All servers and replicas which host a CA are peers in the topology. They
>>> > can all issue certificates and keys to IPA clients, and they all replicate
>>> > information amongst themselves. The only reason to promote a replica or
>>> > server to be a master server is if the master server is being taken
>>> > offline. There has to be a root CA which can issue CRLs and ultimately
>>> > validate certificate checks. Aside from that, replicas, servers, and the
>>> > master server are all equal peers."
>>> >
>>> > regards
>>> >
>>> > Steven Jones
>>> >
>>> > Technical Specialist - Linux RHCE
>>> >
>>> > Victoria University, Wellington, NZ
>>> >
>>> > 0064 4 463 6272
>>> >
>>> >
>>> > ------------------------------------------------------------------------------
>>> > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>>> > on behalf of David Copperfield [cao2dan at yahoo.com]
>>> > *Sent:* Thursday, 10 May 2012 11:04 a.m.
>>> > *To:* Rob Crittenden; Freeipa-users at redhat.com
>>> > *Subject:* [Freeipa-users] How to rebuild IPA master?
>>> >
>>> > Hi all,
>>> >
>>> > I've an IPA master/replica setup in our development environment.
>>> > Unfortunately our IPA master crashed; the replica is working fine. Now I
>>> > have the IPA master re-imaged.
>>> >
>>> > What are the steps I have to follow to re-create the IPA master from the
>>> > running IPA replica? Before the crash the IPA master ran the Dogtag
>>> > certificate system, while the IPA replica didn't -- it was created
>>> > normally without the --setup-ca option.
>>> >
>>> > Thanks.
>>> >
>>> > --David
>>> >
>>> >
>>> > _______________________________________________
>>> > Freeipa-users mailing list
>>> > Freeipa-users at redhat.com
>>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
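As an added example that is not part of this thread, the shell helpers below sketch the manual route Ade describes: unpacking the replica file the way Rob shows, listing the nicknames in the Dogtag NSS database before swapping certificates in, and raising the lower bound of the serial number range in CS.cfg so the rebuilt CA never hands out a serial the lost CA already issued (Ade's step 4). The key names dbs.beginSerialNumber and dbs.endSerialNumber and the hexadecimal radix are assumptions about the Dogtag CS.cfg format and must be checked against your own /etc/pki-ca/CS.cfg before use; the CS.cfg content the usage lines build is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Assumptions: CS.cfg keys dbs.beginSerialNumber / dbs.endSerialNumber exist
# and hold hexadecimal values. Verify on your own /etc/pki-ca/CS.cfg.
set -eu

# Rob's command: unpack the replica file into $2. The passphrase is the
# Directory Manager password. Needs gpg and the real file, so not exercised
# by the self-test below.
unpack_replica_file() {
    local replica_gpg="$1" dest="$2"
    mkdir -p "$dest"
    gpg -d "$replica_gpg" | tar xf - -C "$dest"
}

# Ade's step 2: list the nicknames in the CA's NSS database so you can check
# they match the certs from the replica file before switching them out.
list_nss_certs() {
    local dbdir="${1:-/var/lib/pki-ca/alias}"
    certutil -L -d "$dbdir"
}

# Print the value of key=value in a CS.cfg-style file (empty if absent).
get_cfg_key() {
    awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Rewrite key=value in place, appending the key if it is missing.
set_cfg_key() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" -F= '
        BEGIN { done = 0 }
        $1 == k { $0 = k "=" v; done = 1 }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Ade's step 4: move dbs.beginSerialNumber above the highest serial the old
# CA issued. $2 is that serial in hex (radix assumed). Prints the new lower
# bound in hex; fails without touching the file if it would reach the end of
# the configured range.
bump_serial_range() {
    local cfg="$1" highest_hex="$2"
    local highest end new
    highest=$(printf '%d' "0x$highest_hex")
    end=$(printf '%d' "0x$(get_cfg_key "$cfg" dbs.endSerialNumber)")
    new=$((highest + 1))
    if [ "$new" -ge "$end" ]; then
        echo "new lower bound 0x$(printf '%x' "$new") reaches dbs.endSerialNumber" >&2
        return 1
    fi
    set_cfg_key "$cfg" dbs.beginSerialNumber "$(printf '%x' "$new")"
    printf '%x\n' "$new"
}

# Usage on a constructed CS.cfg fragment (not a real installation's file):
#   cfg=$(mktemp)
#   printf 'dbs.beginSerialNumber=1\ndbs.endSerialNumber=10000000\n' > "$cfg"
#   bump_serial_range "$cfg" ff      # prints 100, rewrites the begin key
```

Find the highest issued serial from your own records of the old CA (for example the serials on the certificates still deployed on IPA hosts) rather than guessing; a bound that is too low silently recreates the duplicate-serial problem Ade warns about, while one that is too high only shortens the usable range.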