[Freeipa-users] Replica without CA: implications?

Cal Sawyer cal-s at blue-bolt.com
Tue Jun 7 14:10:12 UTC 2016


For the benefit, or added confusion, of future generations, some 
observations:

ipa-ca-install, run after a successful replica instantiation w/o --setup-ca, 
fails consistently with the errors in my orig post. Never figured out 
what the script was finding that needed purging.  After a multitude of 
attempts (thank you, ESXi snapshots) with multiple ipa-server-install 
--uninstall's, I gave up and rebuilt from the ground up with latest 
packages and --setup-ca, which works great.

I found that installing a replica with firewalld enabled would 
consistently fail during initial replication.  Disabling firewalld 
always allowed replication and later stages to complete:

       [24/38]: setting up initial replication
    Starting replication, please wait until this has completed.

    [ipa.localdomain.local] reports: Update failed! Status: [-1  - LDAP
    error: Can't contact LDAP server]


The first master and all replicas are all CentOS Linux release 7.2.1511 
(Core) with ipa-server-4.2.0-15.0.1.el7


One other thing.  If, during ipa-replica-install, you choose the 
default answer to the following:

Existing BIND configuration detected, overwrite? [no]:
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Aborting 
installation.

Not sure if that is intended?  Which BIND configuration is being detected?

Anyhow, up and running with 4 replicas, 2 of which will be split off to 
a failover instance of ESXi in the future.  When it works, it's a joy.

Now back to getting these Mac clients to play nicely with IPA ...

thanks for the help and advice

- cal

On 02/06/16 22:27, Rob Crittenden wrote:
> Cal Sawyer wrote:
>> Apologies for the lengthy pause in getting back onto this.  I ended up
>> destroying the replica and reprovisioning from scratch, but the replica
>> still lists as being CA-less.
>>
>> Is what i'm seeing normal?  Would this 2-node setup in this state
>> survive failure of the master?
>
> It will until the certificates start expiring. You want at least 2 
> CA's to avoid a single point of failure situation.
>
>>
>> -----------------
>>
>> ON MASTER ipa.localdomain.local
>>
>> #  ipa-replica-manage list
>>
>> ipa2.localdomain.local: master
>> ipa.localdomain.local: master
>>
>> # ipa-csreplica-manage list
>>
>>  >> ipa2.localdomain.local: CA not configured
>> ipa.localdomain.local: master
>>
>>
>> ------------------
>>
>> ON REPLICA ipa2.localdomain.local
>>
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>>  >> CA is already installed.
>>
>> ok ....
>>
>> # ipa-ca-install -d
>>
>> <snip loading/importing>
>>
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection
>> context.ldap2_73731152
>> ipa.ipalib.plugins.config.config_show: DEBUG    raw:
>> config_show(version=u'2.156')
>> ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False,
>> all=False, raw=False, version=u'2.156')
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for
>> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4516ea8>
>> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    raw:
>> ca_is_enabled(version=u'2.156')
>> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG
>> ca_is_enabled(version=u'2.156')
>> ipa         : DEBUG      File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 732, in run_script
>>      return_value = main_function()
>>
>>    File "/usr/sbin/ipa-ca-install", line 204, in main
>>      install_master(safe_options, options)
>>
>>    File "/usr/sbin/ipa-ca-install", line 191, in install_master
>>      ca.install_check(True, None, options)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
>> 49, in install_check
>>      sys.exit("CA is already installed.\n")
>>
>> ipa         : DEBUG    The ipa-ca-install command failed, exception:
>> SystemExit: CA is already installed.
>>
>>  >> CA is already installed.
>
> It detects whether a CA is installed by the existence of something 
> like /var/lib/pki-tomcat/ca. You can use pkidestroy to remove any 
> remnants that might be left over from some previous failed install.
>
> Or it could be that something wasn't updated properly in LDAP and 
> there actually is a working CA. You might try manually starting the CA 
> to see if it comes up, and/or run ipa-csreplica-manage to see if there 
> are any working agreements.
>
> rob
>
>
>>
>>
>>
>>
>> thanks
>>
>> - cal sawyer
>>
>>
>>
>> On 09/03/16 16:13, Simo Sorce wrote:
>>> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>>>> Hi
>>>>
>>>> Somehow i picked the wrong cookbook when i provisioned my first (and
>>>> only) replica and it lacks CA and so, as pointed out in a recent thread,
>>>> creates a single point of failure.  Not ready to set up 2 more 
>>>> replicas
>>>> yet and am still in testing.  Is it possible to replicate the master's
>>>> CA to the replica without destroying and reprovisioning with 
>>>> --setup-ca
>>>> this time?
>>> Use ipa-ca-install on the replica.
>>>
>>> Simo.
>>>
>>
>
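The thread turns on two checks that are easy to get wrong by eye: whether the CA is actually replicated (Rob's "at least 2 CA's" advice, against the `ipa-csreplica-manage list` output Cal posted) and whether a freshly built replica is being blocked by firewalld rather than by a broken replication agreement. The script below is an added example, not part of the thread and not FreeIPA's own tooling. It parses constructed sample output (copied from the listing above) so it runs offline; the firewalld service names it checks for are an assumption on my part and should be confirmed against `firewall-cmd --get-services` on your release. The leftover-directory path is the one Rob mentions, and is passed in as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA itself.
# Helpers for the two things this thread trips over:
#   1. is the CA replicated (at least 2 CA masters), and
#   2. does firewalld on a new replica still lack the IPA services.
# The sample listing below is constructed from the output Cal posted.

SAMPLE_CSREPLICA_LIST='ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master'

# count_ca_masters: read `ipa-csreplica-manage list` output on stdin and
# print how many hosts are listed as "master" (i.e. carry a CA).
count_ca_masters() {
    awk -F': ' '$2 == "master" { n++ } END { print n + 0 }'
}

# check_ca_redundancy LISTING: succeed only when two or more CA masters
# exist, the minimum Rob recommends to avoid a single point of failure.
check_ca_redundancy() {
    n=$(printf '%s\n' "$1" | count_ca_masters)
    if [ "$n" -lt 2 ]; then
        printf 'WARNING: %s CA master(s) - CA is a single point of failure\n' "$n" >&2
        return 1
    fi
    printf 'OK: %s CA masters\n' "$n"
}

# stale_ca_dir_present DIR: true if DIR exists. Rob says ipa-ca-install
# keys on something like /var/lib/pki-tomcat/ca; pass that path on a
# real host to see why "CA is already installed." is being reported.
stale_ca_dir_present() {
    [ -d "$1" ]
}

# firewalld service names ASSUMED here for a FreeIPA server (verify with
# `firewall-cmd --get-services` on your own release).
IPA_FIREWALL_SERVICES='dns freeipa-ldap freeipa-ldaps http https kerberos ntp'

# missing_firewall_services "ACTIVE": given the space-separated output of
# `firewall-cmd --list-services`, print the IPA services not yet enabled.
missing_firewall_services() {
    for svc in $IPA_FIREWALL_SERVICES; do
        case " $1 " in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# Real-host usage (needs root and an enrolled server); commented out so
# the script stays runnable anywhere:
#   check_ca_redundancy "$(ipa-csreplica-manage list)"
#   for s in $(missing_firewall_services "$(firewall-cmd --list-services)"); do
#       firewall-cmd --permanent --add-service="$s"
#   done
#   firewall-cmd --reload

# Offline demonstration on the constructed inputs.
check_ca_redundancy "$SAMPLE_CSREPLICA_LIST" || :
missing_firewall_services "ssh dhcpv6-client"
```

On Cal's two-node topology the redundancy check warns with "1 CA master(s)", which is exactly the state Rob says survives only until certificates start expiring. Opening the listed firewalld services is the alternative to disabling firewalld outright during initial replication: the "Can't contact LDAP server" failure in the thread is what you see when the replica cannot reach the master's LDAP port.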
