[Freeipa-users] Replica without CA: implications?

Cal Sawyer cal-s at blue-bolt.com
Thu Jun 2 14:19:20 UTC 2016


Apologies for the lengthy pause in getting back onto this.  I ended up 
destroying the replica and reprovisioning from scratch, but the replica 
still lists as being CA-less.

Is what I'm seeing normal?  Would this 2-node setup in this state 
survive failure of the master?


-----------------

ON MASTER ipa.localdomain.local

#  ipa-replica-manage list

ipa2.localdomain.local: master
ipa.localdomain.local: master

# ipa-csreplica-manage list

 >> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master


------------------

ON REPLICA ipa2.localdomain.local

# ipa-ca-install
Directory Manager (existing master) password:

 >> CA is already installed.

ok ....

# ipa-ca-install -d

<snip loading/importing>

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection 
context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG    raw: 
config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, 
all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for 
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    raw: 
ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
ipa         : DEBUG      File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 732, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-ca-install", line 204, in main
     install_master(safe_options, options)

   File "/usr/sbin/ipa-ca-install", line 191, in install_master
     ca.install_check(True, None, options)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 
49, in install_check
     sys.exit("CA is already installed.\n")

ipa         : DEBUG    The ipa-ca-install command failed, exception: 
SystemExit: CA is already installed.

 >> CA is already installed.




thanks

- cal sawyer



On 09/03/16 16:13, Simo Sorce wrote:
> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>> Hi
>>
>> Somehow I picked the wrong cookbook when I provisioned my first (and
>> only) replica and it lacks CA aso, as pointed out in a recent thread,
>> creates a single point of failure.  Not ready to set up more 2 replicas
>> yet and am still in testing.  Is it possible to replicate the master's
>> CA to the replica without destroying and reprovisioning with --setup-ca
>> this time?
> Use ipa-ca-install on the replica.
>
> Simo.
>



