On Fri, Apr 01, 2016 at 08:24:44AM -0500, McNiel, Craig wrote: > Sadly - > > I don't think that CA is installed on other replica's They were installed > following the replica-prepare and replica-install process with nothing else > done outside of this process to install CA. > > I did not have backups yet when the incident occurred so I only have the > replica's created from the original CA/master > > The documentation that I was following was the following > > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > > I rapidly ran into issues with this on the replica's which I suspect is due > to them not having CA installed. > Correct; the "promote CA to renewal master" means promoting an existing CA replica to be the default replica for certificate renewal and CRL generation.
Have you kept any of the *replica files* with with the replicas were created. The replica file is what is produced by the `ipa-replica-prepare' command, and is supplied to `ipa-replica-install' to actually install the replica. From any one of these files you can extract the CA signing certificate and run `ipa-ca-install' on one of the replicas to reinstate the CA. I have never attempted this but some of the gotchas might be: - some manual updates in IPA directory might be necessary to "trick" it into believe it is a hitherto CA-less deployment - some config changes may be needed to ensure the new CA instance issues certificates starting from an appropriate serial number (how many certs were previously issued by the now-lost CA?) If you can confirm that you do have a replica file I will spend the time to work out exactly what you need to do. Cheers, Fraser > Thanks ! > > Craig > > On Fri, Apr 1, 2016 at 2:15 AM, Martin Basti <[email protected]> wrote: > > > > > > > On 31.03.2016 16:09, McNiel, Craig wrote: > > > > I was installing a 7 host IPA with ipa01 being the CA and the others being > > replicas of this node. This was to be the production installation of IPA > > and the admins/users started using it prior to the installation being > > completed and before I had snapshots/backup created of the servers. > > > > The ipa01 host disk was corrupted so I no longer have a CA just the other > > 6 nodes. How can I install/promote or otherwise recreate the CA? I have > > looked online for instructions but, I run into issues almost immediately > > with the accuracy for the version I'm using in the documenation as many of > > the files it indicates need updates don't even exist. > > > > Thanks > > > > ipa-python-4.2.0-15.el7.centos.3.x86_64 > > ipa-admintools-4.2.0-15.el7.centos.3.x86_64 > > ipa-server-dns-4.2.0-15.el7.centos.3.x86_64 > > sssd-ipa-1.13.0-40.el7_2.1.x86_64 > > ipa-server-4.2.0-15.el7.centos.3.x86_64 > > libipa_hbac-1.13.0-40.el7_2.1.x86_64 > > ipa-client-4.2.0-15.el7.centos.3.x86_64 > > > > > > > > > > > > Hello, > > > > Several things are not clear to me from you email. Can you please answer > > following questions? > > > > Do you have CA installed on other replicas? > > Do you have backup of the original server (ipa-backup, or snapshot)? > > Which documentation did you follow? > > What did you try? > > > > Martin Basti > > > > > > -- > > *Craig McNiel* > > Assessment and Instruction > > 2510 North Dodge Street > Iowa City, Iowa 52240 > > D: 319-341-6390 > C: 319-430-9252 > T: 877-627-2222 (Team On-call Support) > > Pearson > Always Learning > Learn more at www.pearsonassessments.com > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
