[Freeipa-users] CA lost on migration

Marius Bjørnstad p.m.bjornstad at medisin.uio.no
Wed May 3 15:26:42 UTC 2017
Hi,

I have migrated some FreeIPA servers from 3.0.0-51 to 4.4.0-14 by adding new replicas. There were a lot of issues, and I'm struggling a bit with a configuration management system set up by a central IT department, which overrides files like sssd.conf, and I have to make exceptions to the policy. I hope someone could take the time to help me with this anyway.

I was able to join both new RHEL 7 machines, and remove one of the old RHEL 6 machines, but then I couldn't remove the last one, and couldn't install the CA on any of the new masters. I (perhaps stupidly) removed the old server using ldapdelete, based on this thread: https://www.redhat.com/archives/freeipa-users/2012-June/msg00382.html. I thought that if I could get rid of the old stuff, I may be able to successfully promote one of the new servers to CA master. The command to install the CA almost completed successfully on the first master, but stopped on one of the last steps.

Now I get:
# ipa-ca-install
CA is already installed on this host.

It is clear that the CA is not installed. I get errors in /var/log/httpd/error_log for hosts requesting certs, which get NotFound:
ipa: INFO: [xmlserver] host/xxxxx at DOMAIN: cert_request(u'MIIDnzCCaoc.......
I then removed and uninstalled the other master, which did not have a CA, thinking it could get going with a reinstall. However, the installation fails:

ipa     : ERROR      Cannot issue certificates: a CA is not installed. Use the --http-cert-file, --dirsrv-cert-file options to provide custom certificates.

(there may be some typos in the error messages, since I'm copying from an air-gapped network)

Is there any way I can manually resurrect the CA? I have the files left over on the original (version 3) master, but did do an uninstall. If that's not possible, is there any way to migrate the users to a new domain with exactly the same name? (This would be less convenient, if it's actually possible, since I have to re-enroll all the clients.)

Thanks,
Marius Bjørnstad
