<html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> </head> <body bgcolor="#FFFFFF" text="#000000"> I recently had to upgrade all my Fedora IPA servers to C7. It went well, and we've been up and running nicely on 4.4.0 on C7 for the past month or so. Today, someone came and asked me to generate a new certificate for their web server. All was good until I went to the IPA UI and tried to perform Actions->New Certificate, which did nothing. I tried each of our 3 servers in turn. All came back with no popup window and no error, either. I suspect the problem might be that we no longer have a CA server due to the method I used to upgrade the servers. I likely missed a "--setup-ca" in there somewhere, so my rolling update rolled over the CA. What's my best hope of recovery? I never ran this before, so I'm not sure if this shows that I'm missing a CA or not: <blockquote> # ipa ca-find ------------ 1 CA matched ------------ Name: ipa Description IPA CA Authority ID: 3ce3346[...] Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM ---------------------------- Number of entries returned 1 ---------------------------- # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM" ipa: ERROR: Failed to authenticate to CA REST API # klist Ticket cache: KEYRING:persistent:0:0 Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@DAMASCUSGRP.COM">admin@DAMASCUSGRP.COM</a> Valid starting Expires Service principal 04/25/2017 18:48:26 04/26/2017 18:48:21 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM">krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM</a> # </blockquote> What's my best path of recovery? <div class="moz-signature">-- <div>Bret Wortman</div> <div>The Damascus Group </div> </div> </body> </html>