Thanks. That looks promising at first glance.

On 12/7/2021 9:55 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
Fraser wrote a blog post for this exact situation:

Note: your mileage may vary; it was written for Fedora 28.
flo

On Tue, Dec 7, 2021 at 12:30 PM Stephen Berg, Code 7309 via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Is there a procedure to deal with a domain that has no CA operating?

I've got some replica servers working but none of them are the CA and
the system I believe was the CA is not recoverable.  I've looked into
promoting one of the replicas to be the CA but without one currently it
doesn't seem to work unless I'm doing it wrong.

What I've tried so far:

# ipa-csreplica-manage -v -f set-renewal-master
Directory Manager password:
Failed to set renewal master to <replica_server>: no such entry

# ipa-cacert-manage renew
CA is not configured on this system
The ipa-cacert-manage command failed.

Near as I can tell everything I've tried fails since the original CA is
no longer online and there's no way for me to get it online.  I need to
modify one of the replicas to be the CA in an existing domain. All the
procedures I've found require an existing functional CA.

I've got one replica on CentOS 8.5 and
ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.
And four on Rocky Linux 8.5 and
ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64

The CentOS box will likely get retired sometime in the near future, so
I'll be looking to promote one of the Rocky Linux systems to be the
master.  There are four of those to spread out servers across different
subnets in our network layout. Replication between the five current
systems does seem to be working just fine.

--
Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
Naval Research Laboratory
W:   (228) 688-5738 <- (Preferred contact)
DSN: (312) 823-5738
C:   (228) 365-0162
Flank Speed: stephen.p.berg.civ@us.navy.mil

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
