[Freeipa-users] Lost master 1 with CA service
Fraser Tweedale
ftweedal at redhat.com
Thu May 5 02:12:03 UTC 2016
On Wed, May 04, 2016 at 08:45:19PM +0800, barrykfl at gmail.com wrote:
> Hi all:
>
> I have master 1 with CA and server 2 replicating. Now master 1
> has failed, all lost.
>
> Can I skip it and just make server 3 a replicated slave, or must
> I recover master 1?
>
I take it `Server 2' was installed without the CA? If this is the
case, and if you cannot recover the first master with the CA
instance, then as long as you still have the replica info file with
which the replica(s) were created, then you have the bits to recover
the CA - but it will be quite an involved process.
I have never performed this recovery so there is no documentation,
but off the top of my head the steps would be (at a high level; no
detail yet):
1. Make some manual changes to make FreeIPA think it is CA-less
2. Extract CA signing key from the replica info file
3. Run ipa-ca-install to install the CA on one of the IPA servers,
   with external CA. This will generate a new private key and CSR
   to send to external CA.
4. Replace the new private key generated for the CSR, with the
   private key from the replica info file.
5. Continue the ipa-ca-install with the CA signing certificate from
   the replica info file.
6. Manually adjust serial number ranges to ensure the new CA
   instance does not issue certs with serial numbers that collide
   with certs issued by the original CA instance. (This might have
   to be hacked into the ipa-ca-install process).
7? Depending on whether your CA is self-signed, might need to tell
   certmonger to track the CA signing certificate.
8! Install a CA replica on another IPA server, so you don't have to
   do it all again if you lose the CA host in future :)
If you want to embark on this adventure, and get stuck (I know my
instructions were not detailed...), let me know. I will try and
find spare minutes to learn the details and document the process.
Cheers,
Fraser
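Step 6 above (keeping the rebuilt CA's serial numbers clear of those the lost CA already issued) is the step most likely to bite silently, so here is an added example of the check, written for this reply and not part of the thread or of FreeIPA/Dogtag. It assumes the surviving replica still holds the old CA's certificates so their serials can be listed (the sample `ipa cert-find` lines and the range values below are constructed), and that the new instance's range is expressed as hex begin/end values as in a Dogtag CS.cfg `dbs.beginSerialNumber`/`dbs.endSerialNumber` pair.

```python
import re

# Constructed sample of `ipa cert-find` output from the surviving replica;
# real output lists many more fields per certificate.
SAMPLE_CERT_FIND = """\
  Serial number: 1
  Serial number (hex): 0x1
  Serial number: 27
  Serial number (hex): 0x1B
  Serial number: 268369921
  Serial number (hex): 0xFFF0001
"""

_SERIAL_RE = re.compile(r"Serial number \(hex\):\s*0x([0-9A-Fa-f]+)")


def parse_issued_serials(cert_find_output):
    """Return the set of serial numbers (as ints) found in cert-find output."""
    return {int(m.group(1), 16) for m in _SERIAL_RE.finditer(cert_find_output)}


def range_collides(begin, end, issued):
    """True if any already-issued serial falls inside [begin, end]."""
    return any(begin <= s <= end for s in issued)


def propose_range(issued, size, headroom=0x1000):
    """Pick a new [begin, end] above every issued serial.

    `headroom` leaves a gap above the highest known serial, since certs
    issued by the lost CA but not yet replicated cannot be listed here.
    Returns (begin, end) as ints; format as hex for CS.cfg.
    """
    top = max(issued) if issued else 0
    begin = top + headroom + 1
    return begin, begin + size - 1


def check_plan(cert_find_output, begin_hex, end_hex, size=0x10000000):
    """Validate a planned range; return (ok, proposed_begin_hex, proposed_end_hex)."""
    issued = parse_issued_serials(cert_find_output)
    begin, end = int(begin_hex, 16), int(end_hex, 16)
    if not range_collides(begin, end, issued):
        return True, begin_hex, end_hex
    nb, ne = propose_range(issued, size)
    return False, f"0x{nb:X}", f"0x{ne:X}"


if __name__ == "__main__":
    # A fresh install would default to a range starting at 1, which collides.
    print(check_plan(SAMPLE_CERT_FIND, "0x1", "0x10000000"))
```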