[Freeipa-users] Install/promote new CA old one corrupted before backups

Fraser Tweedale ftweedal at redhat.com
Mon Apr 4 02:16:19 UTC 2016


On Fri, Apr 01, 2016 at 08:24:44AM -0500, McNiel, Craig wrote:
> Sadly -
> 
> I don't think that CA is installed on other replicas.  They were installed
> following the replica-prepare and replica-install process with nothing else
> done outside of this process to install CA.
> 
> I did not have backups yet when the incident occurred so I only have the
> replicas created from the original CA/master
> 
> The documentation that I was following was the following
> 
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> 
> I rapidly ran into issues with this on the replicas which I suspect is due
> to them not having CA installed.
> 
Correct; the "promote CA to renewal master" means promoting an
existing CA replica to be the default replica for certificate
renewal and CRL generation.

Have you kept any of the *replica files* with which the replicas were
created?  The replica file is what is produced by the
`ipa-replica-prepare' command, and is supplied to
`ipa-replica-install' to actually install the replica.  From any one
of these files you can extract the CA signing certificate and run
`ipa-ca-install' on one of the replicas to reinstate the CA.

I have never attempted this but some of the gotchas might be:

- some manual updates in IPA directory might be necessary to "trick"
  it into believing it is a hitherto CA-less deployment

- some config changes may be needed to ensure the new CA instance
  issues certificates starting from an appropriate serial number
  (how many certs were previously issued by the now-lost CA?)

If you can confirm that you do have a replica file I will spend the
time to work out exactly what you need to do.

Cheers,
Fraser


> Thanks !
> 
> Craig
> 
> On Fri, Apr 1, 2016 at 2:15 AM, Martin Basti <mbasti at redhat.com> wrote:
> 
> >
> >
> > On 31.03.2016 16:09, McNiel, Craig wrote:
> >
> > I was installing a 7 host IPA with ipa01 being the CA and the others being
> > replicas of this node.  This was to be the production installation of IPA
> > and the admins/users started using it prior to the installation being
> > completed and before I had snapshots/backup created of the servers.
> >
> > The ipa01 host disk was corrupted so I no longer have a CA just the other
> > 6 nodes.  How can I install/promote or otherwise recreate the CA?  I have
> > looked online for instructions but, I run into issues almost immediately
> > with the accuracy for the version I'm using in the documentation as many of
> > the files it indicates need updates don't even exist.
> >
> > Thanks
> >
> > ipa-python-4.2.0-15.el7.centos.3.x86_64
> > ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> > ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> > sssd-ipa-1.13.0-40.el7_2.1.x86_64
> > ipa-server-4.2.0-15.el7.centos.3.x86_64
> > libipa_hbac-1.13.0-40.el7_2.1.x86_64
> > ipa-client-4.2.0-15.el7.centos.3.x86_64
> >
> >
> >
> >
> >
> > Hello,
> >
> > Several things are not clear to me from your email. Can you please answer
> > the following questions?
> >
> > Do you have CA installed on other replicas?
> > Do you have backup of the original server (ipa-backup, or snapshot)?
> > Which documentation did you follow?
> > What did you try?
> >
> > Martin Basti
> >
> 
> 
> 
> -- 
> 
> *Craig McNiel*
> 
> Assessment and Instruction
> 
> 2510 North Dodge Street
> Iowa City, Iowa 52240
> 
> D: 319-341-6390
> C: 319-430-9252
> T: 877-627-2222 (Team On-call Support)
> 
> Pearson
> Always Learning
> Learn more at www.pearsonassessments.com

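Fraser's second gotcha above is that a rebuilt CA must not start issuing serial numbers that collide with certificates the lost CA already issued (a collision breaks revocation and CRL handling for the affected certificates). The following is an added example, not code from the thread or from the FreeIPA project: it takes PEM certificates gathered from the surviving replicas, walks just enough of the X.509 DER structure to read each serial number, and reports the highest one so the new instance's starting serial can be chosen above it. The `make_fake_cert_pem` helper builds constructed, unsigned certificate skeletons for demonstration only; the DER walker assumes standard X.509 encoding (optional explicit version tag followed by the serialNumber INTEGER).

```python
import base64
import re


def _tlv(tag, body):
    """Encode one DER tag-length-value element (used only to construct test data)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    """DER INTEGER for a non-negative value (adds a leading 0x00 when the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def make_fake_cert_pem(serial):
    """Constructed X.509 skeleton with the given serial.

    Only the outer structure (Certificate > tbsCertificate > version, serialNumber)
    is real; the remaining fields are empty and the signature is a placeholder.
    It is NOT a valid certificate, just input for the serial scanner below.
    """
    tbs = _tlv(0x30,
               _tlv(0xA0, _der_int(2))        # [0] EXPLICIT version v3
               + _der_int(serial)             # serialNumber
               + _tlv(0x30, b"") * 5)         # empty placeholders for the other fields
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _read_tlv(buf, pos):
    """Return (tag, contents, position after element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der):
    """Extract the serialNumber from a DER-encoded X.509 certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("not a tbsCertificate SEQUENCE")
    tag, body, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional explicit version; skip it
        tag, body, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # Serials are positive, but DER may carry a leading 0x00 for values with the top bit set.
    return int.from_bytes(body, "big", signed=True)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """All DER certificates found in a PEM blob (handles concatenated chains)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def max_issued_serial(pem_blobs):
    """Highest serial among every certificate in the given PEM blobs."""
    serials = [cert_serial(der) for blob in pem_blobs for der in pem_certs(blob)]
    if not serials:
        raise ValueError("no certificates found")
    return max(serials)


if __name__ == "__main__":
    gathered = [make_fake_cert_pem(5), make_fake_cert_pem(4097) + make_fake_cert_pem(128)]
    print("highest serial seen:", max_issued_serial(gathered))
```

In practice you would feed `max_issued_serial` the service and host certificates still present on the surviving replicas rather than the constructed skeletons; the number it returns is a lower bound for the new CA's first serial, and since certificates you no longer have a copy of may carry higher serials, leave a generous margin above it.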




More information about the Freeipa-users mailing list