[Freeipa-users] Replica without CA: implications?
Cal Sawyer
cal-s at blue-bolt.com
Thu Jun 2 14:19:20 UTC 2016
Apologies for the lengthy pause in getting back onto this. I ended up
destroying the replica and reprovisioning from scratch, but the replica
still lists as being CA-less.
Is what I'm seeing normal? Would this 2-node setup in this state
survive failure of the master?
-----------------
ON MASTER ipa.localdomain.local
# ipa-replica-manage list
ipa2.localdomain.local: master
ipa.localdomain.local: master
# ipa-csreplica-manage list
>> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master
------------------
ON REPLICA ipa2.localdomain.local
# ipa-ca-install
Directory Manager (existing master) password:
>> CA is already installed.
ok ....
# ipa-ca-install -d
<snip loading/importing>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG raw:
config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False,
all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw:
ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
ipa : DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 732, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 204, in main
install_master(safe_options, options)
File "/usr/sbin/ipa-ca-install", line 191, in install_master
ca.install_check(True, None, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
49, in install_check
sys.exit("CA is already installed.\n")
ipa : DEBUG The ipa-ca-install command failed, exception:
SystemExit: CA is already installed.
>> CA is already installed.
thanks
- cal sawyer
On 09/03/16 16:13, Simo Sorce wrote:
> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>> Hi
>>
>> Somehow I picked the wrong cookbook when I provisioned my first (and
>> only) replica and it lacks CA and so, as pointed out in a recent thread,
>> creates a single point of failure. Not ready to set up more 2 replicas
>> yet and am still in testing. Is it possible to replicate the master's
>> CA to the replica without destroying and reprovisioning with --setup-ca
>> this time?
> Use ipa-ca-install on the replica.
>
> Simo.
>