[Freeipa-users] Please help: Re: How to rebuild IPA master?

Dmitri Pal dpal at redhat.com
Sun May 13 18:21:25 UTC 2012


On 05/10/2012 05:42 PM, Ade Lee wrote:
> David, 
>
> The simplest solution may be as Rob suggests - which is to create a new
> CA as a subordinate of the old.
>
> The other solution would be doable but would require a few more manual
> steps.  That is, you could:
> 1. install a new ca
> 2. switch out the certs in that ca with the ones in your gpg file.  The
> certificate database is in /var/lib/pki-ca/alias
> 3. There may be some manual changes required in /etc/pki-ca/CS.cfg, but
> as the nicknames should be the same, you might be ok.
> 4. If you go this route, you probably want to change the lower point of
> the serial number ranges used for certs/ requests in CS.cfg to not reuse
> serial numbers for certs you have already issued.
> 5. Switch out the ipa agent cert/keys in the IPA cert database.
>
> You will run into problems later though because you have lost the data
> in the dogtag database.  
>
> In particular, because the renewal process uses the original requests
> (which are stored in the dogtag database), you will likely be unable to
> renew the certs you have already issued unless you rekey those certs.  
>
> That may be OK for most certs, but you may not want to do that for the
> CA signing cert.  In that case, you will likely need to instrument
> something to reconstruct the original request.  
>

https://fedorahosted.org/freeipa/ticket/2749

> Ade
> On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote:
>> David Copperfield wrote:
>>> Hi Petr and all,
>>>
>>> All the chapters you have pointed out have been read many times, but that
>>> doesn't help at all.
>>>
>>> My problem is: the Dogtag system ran on the IPA master ONLY before the
>>> IPA master crashed. Now I have to do the following:
>>>
>>> 1, install and run the Dogtag system on the IPA replica -- the document
>>> mentions it -- 'ipa-ca-install' etc.
>>>
>>> 2, promote the IPA replica into the new IPA master -- the document mentions
>>> it but is not clear -- regarding the /root/cacert.p12 key file and the
>>> replica file under /var/lib/ipa.
>>>
>>> 3, how to recover the Dogtag system's data (different LDAP backend) that
>>> existed on the IPA master before it crashed?
>>>
>>> Other close questions include:
>>>
>>> what is included in the replica definition file
>>> /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the
>>> signing key and how do I open the .gpg file?
>> # gpg -d /path/to/replica.gpg | tar xf -
>>
>> The password is the Directory Manager password.
>>
>> You have limited options since your CA was a single point of failure and 
>> it failed. The root CA private keys should be in the replica file so 
>> there may be ways to recover, all of them will require significant 
>> manual effort.
>>
>> We have no way to add a new CA to an existing IPA installation outside 
>> of ipa-ca-install so we'll need to give that some thought. I think the 
>> simplest way to fix this is to create a new CA as a subordinate of the 
>> original one. The existing certs should still be trusted (except for the 
>> agent cert) so mass rekeying won't be necessary.
>>
>> Another option is to install a new CA and try to replace the key with the 
>> original. We'd need to think long-term about this effort and you'd want 
>> to renew all issued certificates so they will be revokable.
>>
>> rob
>>
>>
>>> Thanks.
>>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Petr Spacek <pspacek at redhat.com>
>>> *To:* freeipa-users at redhat.com
>>> *Sent:* Thursday, May 10, 2012 2:45 AM
>>> *Subject:* Re: [Freeipa-users] How to rebuild IPA master?
>>>
>>> On 05/10/2012 02:24 AM, Steven Jones wrote:
>>>  > Hi,
>>>  >
>>>  > In case everyone else is asleep now......
>>>  >
>>>  > Do you have access to RH documentation? The 6.3 beta admin guide
>>>  > section 18.8 talks about why and how to make a replica a master.
>>>
>>> Just for completeness:
>>> Documentation is publicly available: http://docs.redhat.com/
>>>
>>> Documentation for IPA beta:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html
>>>
>>> Documentation for latest stable IPA:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>>  >
>>>  > eg.,
>>>  >
>>>  > "NOTE
>>>  > All servers and replicas which host a CA are peers in the topology.
>>>  > They can all issue certificates and keys to IPA clients, and they all
>>>  > replicate information amongst themselves. The only reason to promote
>>>  > a replica or server to be a master server is if the master server is
>>>  > being taken offline. There has to be a root CA which can issue CRLs
>>>  > and ultimately validate certificate checks. Aside from that, replicas,
>>>  > servers, and the master server are all equal peers."
>>>  >
>>>  > regards
>>>  >
>>>  > Steven Jones
>>>  >
>>>  > Technical Specialist - Linux RHCE
>>>  >
>>>  > Victoria University, Wellington, NZ
>>>  >
>>>  > 0064 4 463 6272
>>>  >
>>>  >
>>> ------------------------------------------------------------------------------
>>>  > *From:* freeipa-users-bounces at redhat.com
>>>  > [freeipa-users-bounces at redhat.com] on behalf of David Copperfield
>>>  > [cao2dan at yahoo.com]
>>>  > *Sent:* Thursday, 10 May 2012 11:04 a.m.
>>>  > *To:* Rob Crittenden; Freeipa-users at redhat.com
>>>  > *Subject:* [Freeipa-users] How to rebuild IPA master?
>>>  >
>>>  > Hi all,
>>>  >
>>>  > I have an IPA master/replica setup in our development environment.
>>>  > Unfortunately our IPA master crashed; the replica is working fine. Now
>>>  > I have the IPA master re-imaged.
>>>  >
>>>  > What are the steps I have to follow to re-create the IPA master from
>>>  > the running IPA replica? Before the crash the IPA master ran the Dogtag
>>>  > certificate system, while the IPA replica didn't -- it was created
>>>  > normally without the --setup-ca option.
>>>  >
>>>  > Thanks.
>>>  >
>>>  > --David
>>>  >
>>>  >
>>>  > _______________________________________________
>>>  > Freeipa-users mailing list
>>>  > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>  > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
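Ade's step 4 above (move the lower bound of the serial and request ranges in /etc/pki-ca/CS.cfg above anything the lost CA already issued) is the step most worth scripting, because an off-by-one there produces two live certificates with the same serial under one issuer. What follows is an added example, not code from this thread or from FreeIPA/Dogtag. It assumes CS.cfg is a flat key=value file and that the ranges are named dbs.beginSerialNumber/dbs.endSerialNumber and dbs.beginRequestNumber/dbs.endRequestNumber; confirm those names against your own CS.cfg before relying on them. The highest issued number can be given in decimal (as ipa cert-show prints it) or as 0x-prefixed hex (as certutil and openssl print it); the demo values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Raise the lower bound of a number range in a Dogtag CS.cfg so a rebuilt
# CA never re-issues a serial (or request id) the lost CA already handed out.
# ASSUMPTION: CS.cfg is flat key=value, one per line, and the ranges are
# named dbs.begin<Kind>Number / dbs.end<Kind>Number, Kind = Serial|Request.

# Print the value of key $2 from config file $1 (first match only).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Rewrite key $2 in config file $1 to value $3 through a temp file, so a
# failed write never leaves a half-edited CS.cfg behind.
cfg_set() {
    tmp="$1.tmp.$$"
    sed "s/^$2=.*/$2=$3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# bump_range_floor CS.cfg Serial|Request HIGHEST_ISSUED
#   HIGHEST_ISSUED may be decimal or 0x-prefixed hex; shell arithmetic
#   accepts both (a leading zero on a decimal value would be read as octal).
bump_range_floor() {
    cfg="$1"; kind="$2"
    highest=$(( $3 ))
    begin_key="dbs.begin${kind}Number"
    end_key="dbs.end${kind}Number"
    begin=$(cfg_get "$cfg" "$begin_key")
    end=$(cfg_get "$cfg" "$end_key")
    if [ -z "$begin" ] || [ -z "$end" ]; then
        echo "error: $begin_key or $end_key not found in $cfg" >&2
        return 1
    fi
    begin=$(( $begin )); end=$(( $end ))

    # Already safe: every number at or below HIGHEST_ISSUED is excluded.
    if [ "$begin" -gt "$highest" ]; then
        echo "$begin_key=$begin is already above $highest; nothing to do"
        return 0
    fi
    newbegin=$(( highest + 1 ))
    # Refuse to create an empty or inverted range; the file is left untouched.
    if [ "$newbegin" -ge "$end" ]; then
        echo "error: new floor $newbegin is not below $end_key=$end; widen the range first" >&2
        return 1
    fi
    cp "$cfg" "$cfg.bak" || return 1
    cfg_set "$cfg" "$begin_key" "$newbegin" || return 1
    echo "$begin_key raised from $begin to $newbegin (backup: $cfg.bak)"
}

# Demo on a constructed CS.cfg fragment (not a real Dogtag config).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/CS.cfg" <<'EOF'
dbs.beginSerialNumber=1
dbs.endSerialNumber=10000000
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
EOF
    # Suppose the highest serial recovered from the old CA's certs was 0x4d2
    # and the highest request id you could find was 500 (both constructed).
    bump_range_floor "$dir/CS.cfg" Serial 0x4d2
    bump_range_floor "$dir/CS.cfg" Request 500
    cat "$dir/CS.cfg"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh bump_floor.sh demo` to see the constructed fragment rewritten. On a real install, stop the CA before editing and check that the owner and mode of CS.cfg survived the temp-file replacement, since the process that reads it does not run as root.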

