[Freeipa-users] Replica without CA: implications?
Rob Crittenden
rcritten at redhat.com
Thu Jun 2 21:27:58 UTC 2016
Cal Sawyer wrote:
> Apologies for the lengthy pause in getting back onto this. I ended up
> destroying the replica and reprovisioning from scratch, but the replica
> still lists as being CA-less.
>
> Is what i'm seeing normal? Would this 2-node setup in this state
> survive failure of the master?
It will until the certificates start expiring. You want at least 2 CAs
to avoid a single point of failure situation.
>
> -----------------
>
> ON MASTER ipa.localdomain.local
>
> # ipa-replica-manage list
>
> ipa2.localdomain.local: master
> ipa.localdomain.local: master
>
> # ipa-csreplica-manage list
>
> >> ipa2.localdomain.local: CA not configured
> ipa.localdomain.local: master
>
>
> ------------------
>
> ON REPLICA ipa2.localdomain.local
>
> # ipa-ca-install
> Directory Manager (existing master) password:
>
> >> CA is already installed.
>
> ok ....
>
> # ipa-ca-install -d
>
> <snip loading/importing>
>
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
> context.ldap2_73731152
> ipa.ipalib.plugins.config.config_show: DEBUG raw:
> config_show(version=u'2.156')
> ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False,
> all=False, raw=False, version=u'2.156')
> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw:
> ca_is_enabled(version=u'2.156')
> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG
> ca_is_enabled(version=u'2.156')
> ipa : DEBUG File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 732, in run_script
> return_value = main_function()
>
> File "/usr/sbin/ipa-ca-install", line 204, in main
> install_master(safe_options, options)
>
> File "/usr/sbin/ipa-ca-install", line 191, in install_master
> ca.install_check(True, None, options)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 49, in install_check
> sys.exit("CA is already installed.\n")
>
> ipa : DEBUG The ipa-ca-install command failed, exception:
> SystemExit: CA is already installed.
>
> >> CA is already installed.
It detects whether a CA is installed by the existence of something like
/var/lib/pki-tomcat/ca. You can use pkidestroy to remove any remnants
that might be left over from some previous failed install.
Or it could be that something wasn't updated properly in LDAP and there
actually is a working CA. You might try manually starting the CA to see
if it comes up, and/or run ipa-csreplica-manage to see if there are any
working agreements.
rob
>
> thanks
>
> - cal sawyer
>
> On 09/03/16 16:13, Simo Sorce wrote:
>> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>>> Hi
>>>
>>> Somehow i picked the wrong cookbook when i provisioned my first (and
>>> only) replica and it lacks CA also, as pointed out in a recent thread,
>>> creates a single point of failure. Not ready to set up 2 more replicas
>>> yet and am still in testing. Is it possible to replicate the master's
>>> CA to the replica without destroying and reprovisioning with --setup-ca
>>> this time?
>> Use ipa-ca-install on the replica.
>>
>> Simo.
>>
>
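The checks Rob suggests (the on-disk marker ipa-ca-install keys on, whether the CA service is actually up, and which hosts ipa-csreplica-manage reports as "CA not configured") gathered into a small diagnostic script. This is an added example, not FreeIPA project code; the /var/lib/pki-tomcat/ca path comes from the reply, while the systemd unit name pki-tomcatd@pki-tomcat.service is an assumption about the usual Dogtag layout.

```shell
#!/bin/sh
# Diagnose a replica that ipa-ca-install refuses with "CA is already
# installed" while ipa-csreplica-manage still lists it as CA-less.
# Added example; not FreeIPA code. Unit name below is an assumption.

# Does the marker directory that ipa-ca-install checks exist?
# $1 = filesystem root to inspect (/ on a real host, a temp dir in tests)
ca_marker_present() {
    [ -d "${1%/}/var/lib/pki-tomcat/ca" ]
}

# Read `ipa-csreplica-manage list` output on stdin and print the hosts
# that have no CA configured, one per line.
hosts_without_ca() {
    sed -n 's/^\(.*\): CA not configured$/\1/p'
}

# Is the Dogtag CA instance actually running? (assumed unit name)
ca_service_active() {
    systemctl is-active --quiet pki-tomcatd@pki-tomcat.service
}

# Print an operator-readable summary of the three signals.
check_ca_state() {
    root="${1:-/}"
    if ca_marker_present "$root"; then
        echo "marker: ${root%/}/var/lib/pki-tomcat/ca exists; ipa-ca-install will refuse to run"
    else
        echo "marker: absent; ipa-ca-install can proceed"
    fi
    if ca_service_active; then
        echo "service: pki-tomcatd is running; the CA may only be missing from LDAP"
    else
        echo "service: pki-tomcatd is not running; leftovers from a failed install are likely"
    fi
    echo "hosts listed without a CA:"
    ipa-csreplica-manage list | hosts_without_ca
}
```

Run `check_ca_state` as root on the replica; a present marker with a stopped service is the case where pkidestroy clears the remnants, while a running service points at the LDAP side instead.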