[Freeipa-users] Install/promote new CA old one corrupted before backups
Fraser Tweedale
ftweedal at redhat.com
Mon Apr 4 02:16:19 UTC 2016
On Fri, Apr 01, 2016 at 08:24:44AM -0500, McNiel, Craig wrote:
> Sadly -
>
> I don't think that CA is installed on other replicas. They were installed
> following the replica-prepare and replica-install process with nothing else
> done outside of this process to install CA.
>
> I did not have backups yet when the incident occurred so I only have the
> replicas created from the original CA/master
>
> The documentation that I was following was the following
>
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> I rapidly ran into issues with this on the replicas, which I suspect is due
> to them not having CA installed.
>
Correct; the "promote CA to renewal master" means promoting an
existing CA replica to be the default replica for certificate
renewal and CRL generation.
Have you kept any of the *replica files* with which the replicas were
created? The replica file is what is produced by the
`ipa-replica-prepare' command, and is supplied to
`ipa-replica-install' to actually install the replica. From any one
of these files you can extract the CA signing certificate and run
`ipa-ca-install' on one of the replicas to reinstate the CA.
I have never attempted this but some of the gotchas might be:
- some manual updates in IPA directory might be necessary to "trick"
it into believing it is a hitherto CA-less deployment
- some config changes may be needed to ensure the new CA instance
issues certificates starting from an appropriate serial number
(how many certs were previously issued by the now-lost CA?)
If you can confirm that you do have a replica file I will spend the
time to work out exactly what you need to do.
Cheers,
Fraser
> Thanks !
>
> Craig
>
> On Fri, Apr 1, 2016 at 2:15 AM, Martin Basti <mbasti at redhat.com> wrote:
>
> >
> >
> > On 31.03.2016 16:09, McNiel, Craig wrote:
> >
> > I was installing a 7 host IPA with ipa01 being the CA and the others being
> > replicas of this node. This was to be the production installation of IPA
> > and the admins/users started using it prior to the installation being
> > completed and before I had snapshots/backup created of the servers.
> >
> > The ipa01 host disk was corrupted so I no longer have a CA just the other
> > 6 nodes. How can I install/promote or otherwise recreate the CA? I have
> > looked online for instructions but, I run into issues almost immediately
> > with the accuracy for the version I'm using in the documentation as many of
> > the files it indicates need updates don't even exist.
> >
> > Thanks
> >
> > ipa-python-4.2.0-15.el7.centos.3.x86_64
> > ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> > ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> > sssd-ipa-1.13.0-40.el7_2.1.x86_64
> > ipa-server-4.2.0-15.el7.centos.3.x86_64
> > libipa_hbac-1.13.0-40.el7_2.1.x86_64
> > ipa-client-4.2.0-15.el7.centos.3.x86_64
> >
> >
> >
> >
> >
> > Hello,
> >
> > Several things are not clear to me from your email. Can you please answer
> > the following questions?
> >
> > Do you have CA installed on other replicas?
> > Do you have backup of the original server (ipa-backup, or snapshot)?
> > Which documentation did you follow?
> > What did you try?
> >
> > Martin Basti
> >
>
>
>
> --
>
> *Craig McNiel*
>
> Assessment and Instruction
>
> 2510 North Dodge Street
> Iowa City, Iowa 52240
>
> D: 319-341-6390
> C: 319-430-9252
> T: 877-627-2222 (Team On-call Support)
>
> Pearson
> Always Learning
> Learn more at www.pearsonassessments.com
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
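The reply above suggests pulling the CA signing certificate out of a saved replica file and feeding it to `ipa-ca-install`. The script below is an added example, not code from the thread or from the FreeIPA project, showing the extraction and the checks a practitioner would want to run first: that the recovered certificate really is a CA certificate, and that it matches the `/etc/ipa/ca.crt` every enrolled host already trusts (so you are reinstating the same CA, not a different one). It assumes that the file written by `ipa-replica-prepare` is a GPG symmetric-encrypted tar archive protected with the Directory Manager password and that the archive contains `realm_info/ca.crt`; verify both against your own replica file. The function names, the `replica-info.tar` filename and the constructed test certificates are the example's own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeIPA itself.
# Recover the CA signing certificate from a saved replica file and sanity-check
# it before attempting ipa-ca-install on a surviving replica.
#
# Assumptions (check against your own replica file): ipa-replica-prepare writes
# a GPG symmetric-encrypted tar archive, encrypted with the Directory Manager
# password, and that archive contains realm_info/ca.crt.
set -eu

# Step 1 (interactive, so not exercised by the checks below): decrypt the replica
# file into a plain tar archive. gpg prompts for the Directory Manager password.
#   gpg --decrypt replica-info-ipa02.example.com.gpg > replica-info.tar

# extract_ca_cert <replica-info.tar> <output.pem>
# Writes realm_info/ca.crt from the decrypted archive to output.pem.
# Returns 1 when the archive has no such member (e.g. a file from a CA-less
# topology), so the caller does not proceed with an empty certificate.
extract_ca_cert() {
    tar -xOf "$1" realm_info/ca.crt > "$2" 2>/dev/null || return 1
    [ -s "$2" ]
}

# cert_fingerprint <cert.pem>: SHA-256 fingerprint as lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# cert_is_ca <cert.pem>: succeeds only if Basic Constraints assert CA:TRUE.
# A replica file from a deployment without a CA would not carry a usable one.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# same_ca <a.pem> <b.pem>: true when both files carry the same certificate.
# Use it to compare the recovered cert with /etc/ipa/ca.crt on the replica.
same_ca() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# check_recovered_ca <replica-info.tar> <trusted-ca.pem> <output.pem>
# Extracts the CA cert and prints a verdict; returns 0 only when the archive
# holds a CA certificate identical to the trusted one.
check_recovered_ca() {
    if ! extract_ca_cert "$1" "$3"; then
        echo "no realm_info/ca.crt in $1"
        return 1
    fi
    if ! cert_is_ca "$3"; then
        echo "recovered certificate is not a CA certificate"
        return 1
    fi
    if ! same_ca "$3" "$2"; then
        echo "recovered CA does not match $2"
        return 1
    fi
    echo "recovered CA matches $2: $(cert_fingerprint "$3")"
    openssl x509 -in "$3" -noout -subject -serial -enddate
}

# Typical use on a surviving replica, after the gpg step above:
#   check_recovered_ca replica-info.tar /etc/ipa/ca.crt recovered-ca.pem
```

The serial-number gotcha from the reply is not something this script can settle: `recovered-ca.pem` is only the CA's own certificate, so the count of certificates the lost CA had already issued still has to come from the surviving replicas' records before the new instance is configured.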