[Freeipa-users] Lost master 1 with CA service

Fraser Tweedale ftweedal at redhat.com
Thu May 5 02:12:03 UTC 2016


On Wed, May 04, 2016 at 08:45:19PM +0800, barrykfl at gmail.com wrote:
> Hi all:
> 
> I have master 1 with CA and server 2 replicating. Now master 1
> failed, all lost.
> 
> Can I skip it and just make server 3 a replicated slave, or must I
> recover master 1?
> 
I take it `Server 2' was installed without the CA?  If this is the
case, and if you cannot recover the first master with the CA
instance, then as long as you still have the replica info file with
which the replica(s) were created, you have the bits to recover
the CA - but it will be quite an involved process.

I have never performed this recovery so there is no documentation,
but off the top of my head the steps would be (at a high level; no
detail yet):

1. Make some manual changes to make FreeIPA think it is CA-less

2. Extract CA signing key from the replica info file

3. Run ipa-ca-install to install the CA on one of the IPA servers,
   with external CA.  This will generate a new private key and CSR
   to send to external CA.

4. Replace the new private key generated for the CSR, with the
   private key from the replica info file.

5. Continue the ipa-ca-install with the CA signing certificate from
   the replica info file.

6. Manually adjust serial number ranges to ensure the new CA
   instance does not issue certs with serial numbers that collide
   with certs issued by the original CA instance.  (This might have
   to be hacked into the ipa-ca-install process).

7? Depending on whether your CA is self-signed, might need to tell
   certmonger to track the CA signing certificate.

8! Install a CA replica on another IPA server, so you don't have to
   do it all again if you lose the CA host in future :)

If you want to embark on this adventure, and get stuck (I know my
instructions were not detailed...), let me know.  I will try and
find spare minutes to learn the details and document the process.

Cheers,
Fraser
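Steps 6 and 7 of the outline above both hinge on facts you can read straight out of certificates you still hold: the serial numbers of certs the lost CA issued (the surviving server's own LDAP/HTTP certs, /etc/ipa/ca.crt, and the signing cert itself once it has been pulled out of realm_info/cacert.p12 from the decrypted replica info file with openssl pkcs12 -nokeys) and whether the signing cert is self-signed. The script below is an added example, not part of this thread and not FreeIPA or Dogtag code. It uses only the Python standard library: a small DER walker extracts serial, issuer and subject from PEM certificates, reports whether the CA cert is self-signed, and proposes dbs.beginSerialNumber/dbs.endSerialNumber values for the rebuilt CA that sit in a fresh block above everything seen. The Dogtag CS.cfg key names and the 10,000,000 default block size (dbs.serialIncrement) are Dogtag's; the hostname server2.example.test, the function names, and the sample certificates (built in-script without keys or signatures) are constructed for the example.

```python
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag + length at buf[pos]; return (tag, value_start, end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length: N length bytes follow
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first


def tbs_fields(der):
    """Serial (int) plus raw DER issuer and subject of one X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, vstart, vend = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    _, _, pos = _tlv(der, vend)             # signature AlgorithmIdentifier (skipped)
    issuer_start = pos
    _, _, pos = _tlv(der, pos)              # issuer Name
    issuer = der[issuer_start:pos]
    _, _, pos = _tlv(der, pos)              # validity (skipped)
    subject_start = pos
    _, _, pos = _tlv(der, pos)              # subject Name
    return {"serial": serial, "issuer": issuer, "subject": der[subject_start:pos]}


def certs_from_pem(pem_bytes):
    """DER bytes of every certificate in a PEM bundle (e.g. /etc/ipa/ca.crt)."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(pem_bytes)]


def is_self_signed(der):
    """Step 7 check: self-signed means issuer and subject are byte-identical."""
    f = tbs_fields(der)
    return f["issuer"] == f["subject"]


def plan_serial_range(observed_serials, increment=10_000_000):
    """Step 6: pick dbs.beginSerialNumber/dbs.endSerialNumber for the new CA.

    The certs we can still read are only a sample of what the lost CA issued,
    so the highest serial seen is a lower bound. Dogtag allocates serials in
    blocks of dbs.serialIncrement (10,000,000 by default); skip the whole
    block the old CA was drawing from and start the new CA in the next one.
    """
    begin = (max(observed_serials) // increment + 1) * increment + 1
    return {"dbs.beginSerialNumber": begin, "dbs.endSerialNumber": begin + increment - 1}


# --- constructed sample input (no real keys or signatures) ------------------

def _der(tag, payload):
    """Encode one DER TLV, short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name ::= SEQUENCE OF SET OF {OID 2.5.4.3 commonName, PrintableString}."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(serial, issuer_cn, subject_cn):
    """Certificate skeleton with the real tbsCertificate field order but an
    empty SubjectPublicKeyInfo and a dummy signature: enough for tbs_fields()."""
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # positive INTEGER
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial_der) + alg
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, b"260101000000Z"))
           + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


def sample_pem_bundle():
    """The lost CA's self-signed cert plus two certs it issued to server 2
    (hypothetical host server2.example.test), as one PEM bundle."""
    ca = "Certificate Authority"
    issued = [(1, ca), (7, "server2.example.test"), (23, "server2.example.test")]
    return b"".join(to_pem(fake_cert(s, subj and ca, subj)) for s, subj in issued)


if __name__ == "__main__":
    certs = certs_from_pem(sample_pem_bundle())
    for der in certs:
        f = tbs_fields(der)
        print(f"serial {f['serial']:>4}  self-signed: {is_self_signed(der)}")
    for key, value in plan_serial_range(tbs_fields(d)["serial"] for d in certs).items():
        print(f"{key}={value}")
```

Feed it the real PEM files instead of sample_pem_bundle() and treat the result as a floor, not a ceiling: a CA-less replica holds only the certs issued to itself, so host, service and user certs you never saw almost certainly have higher serials, which is why the plan skips to the next whole block rather than to max+1. The issuer-equals-subject test is only a structural check (it does not verify the signature), and Dogtag also records its next free block in the certificateRepository entry of its LDAP database, so whatever you put in CS.cfg has to be made consistent there as well.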
