[Freeipa-users] Promoting a replica to a FreeIPA server without primary server

Rob Crittenden rcritten at redhat.com
Wed Apr 8 18:07:50 UTC 2015


Прохоров Сергей wrote:
> Hello, I have a self-signed FreeIPA replica. The problem is that I lost my
> FreeIPA primary server after an HDD error.
> Now I need to create a new replication server but I can't without the primary
> server. I read this documentation and a lot of community correspondence
> but didn't find my issue:
> 
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

Ouch. This is really old.

> http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA

I assume you can't do this because the original host is lost, right?

> How can I resolve it or migrate my Kerberos/LDAP schema to the new
> primary server?
> I'm using ipa-server-3.0.0-42.el6.x86_64 from the base Oracle Linux 6.5
> repository.
> 

Promote is such a terrible word, I really wish I'd never used it.

Every IPA master is equal; some are just more equal than others. The
key bit that distinguishes them is whether there is a CA installed. The
other bit has to do with CRL generation and renewal, which in your
version can only be done on one host (neither of which apply to
--selfsign anyway).

If you installed originally using --selfsign and that initial host is
gone and you have no backups, you're in for some trouble. It is a single
point of failure and the reason we no longer support it. The docs
contain a bit of warning about that.

You mention migrating. What new primary server?

So I'd start digging around to see if you have the original CA private
key somewhere. The end of the IPA server install would have recommended
backing up cacert.p12.

rob
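As an added example (not code from this thread or from FreeIPA itself), here is a shell check for the cacert.p12 backup mentioned above: it confirms that the file holds a certificate and a private key that belong together, which is what recovering a lost --selfsign CA depends on. The file name, the password and the throwaway CA the script builds for its own demonstration are placeholders and constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Verifies that a
# cacert.p12 backup (the file the --selfsign install told you to keep) holds
# the CA certificate AND a private key that belongs to it. File name and
# password are placeholders; "placeholder-password" is constructed test data.
set -u

# check_cacert_p12 FILE PASSWORD
# Exit status 0: certificate and matching private key found.
# Exit status 1: key or certificate missing, or they do not match.
check_cacert_p12() {
    p12=$1 pw=$2
    # -clcerts picks the certificate bag tied to the key (localKeyID);
    # -nocerts -nodes prints the private key unencrypted.
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null || true)
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null || true)
    [ -n "$cert" ] && [ -n "$key" ] || return 1
    # Compare the public key inside the cert with the one derived from the
    # private key; a backup that lacks the CA key cannot pass this.
    certpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    keypub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# make_sample_p12 DIR: constructed test data only. Builds a throwaway
# self-signed CA and two PKCS#12 files, one with the key and one without,
# so both outcomes of the check can be seen.
make_sample_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -out "$dir/cacert.p12" -passout pass:placeholder-password
    openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
        -out "$dir/certonly.p12" -passout pass:placeholder-password
}

# Usage: sh check_cacert_p12.sh /path/to/cacert.p12 'the-p12-password'
if [ -n "${1:-}" ]; then
    if check_cacert_p12 "$1" "${2:-}"; then
        echo "OK: $1 contains the CA certificate and its private key"
    else
        echo "PROBLEM: $1 has no private key, or the key does not match the certificate"
    fi
fi
```

A backup that passes this check is what lets you stand up a replacement CA host; a cert-only export only lets clients keep trusting the old CA.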