roy liang via FreeIPA-users wrote:
> roy liang via FreeIPA-users wrote:
>
> Maybe. You're way out in uncharted territory but I don't believe it will
> hurt anything.
In my current state, I cannot copy the new copy of FREEIPA. If I cannot copy the new
copy, there will be a big problem one day.
Or is there some other way, that does not require PKI-Tomcat related services, to finish
copying a new copy out?
>
> You already tried this right?
Yes, I tried, but my version and circumstances failed. If there is no better way, I will
try again, but it will take a lot of time to verify. It would be nice to have documentation
on this.
Like I've said, there is no documentation for this, a system that is
unrenewable because of a missing library.

I do have another suggestion on something to try. It's a bit half-baked
and who knows, you may have already tried it.

I'd strongly urge trying this on a clone of your production CA.

IIRC you can go back in time where all the certs are valid and the CA is
operational, right? If so, do that. If not you're still going to be
stuck and you can stop reading.

Bring up a new server, one running CentOS or RHEL, and set time back on
it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to
your current version.

Install it as a client with -N to skip syncing time, then run
ipa-replica-install -N for the same reason. If you get that far, try
running ipa-ca-install. This may well give you a working CA. At that
point you'd set it as the CA renewal master, etc (see the RHEL docs)
and you'd be back in business.

There would be more to do afterward but let's not get ahead of ourselves.

rob
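
The procedure above depends on there being a moment when every certificate is valid at once. As an added example (not part of the original message), this Python code computes that window from `openssl x509 -noout -dates` output and reports when no such moment exists; the certificate labels, dates and the seven-day margin are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: `openssl x509 -noout -dates` output for three certificates.
# Labels and dates are invented for illustration.
SAMPLE = {
    "ca-signing": "notBefore=Mar  5 09:12:44 2016 GMT\nnotAfter=Mar  5 09:12:44 2036 GMT",
    "ocsp-signing": "notBefore=Feb 23 09:13:01 2018 GMT\nnotAfter=Feb 13 09:13:01 2020 GMT",
    "httpd-server": "notBefore=Mar  1 10:02:17 2018 GMT\nnotAfter=Mar  1 10:02:17 2020 GMT",
}

FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by openssl x509 -dates


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    fields = dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)
    try:
        nb = datetime.strptime(fields["notBefore"], FMT).replace(tzinfo=timezone.utc)
        na = datetime.strptime(fields["notAfter"], FMT).replace(tzinfo=timezone.utc)
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from None
    return nb, na


def common_window(certs):
    """Interval in which every certificate is valid, or None if there is none."""
    ranges = [parse_dates(text) for text in certs.values()]
    start = max(nb for nb, _ in ranges)   # latest notBefore
    end = min(na for _, na in ranges)     # earliest notAfter
    return (start, end) if start < end else None


def rollback_time(certs, margin=timedelta(days=7)):
    """Clock value `margin` before the earliest expiry, kept inside the window."""
    window = common_window(certs)
    if window is None:
        return None  # no moment when all certs are valid; rolling back cannot help
    start, end = window
    candidate = end - margin
    return candidate if candidate > start else start + (end - start) / 2


if __name__ == "__main__":
    t = rollback_time(SAMPLE)
    print("no common validity window" if t is None else t.strftime("%Y-%m-%d %H:%M:%S UTC"))
```
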