Thanks. That looks promising on first glance.
On 12/7/2021 9:55 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
Fraser wrote a blog post for this exact situation:
Note, your mileage may vary. It was written for Fedora 28.
flo
Is there a procedure to deal with a domain that has no CA operating?
I've got some replica servers working but none of them are the CA and the system I believe was the CA is not recoverable. I've looked into promoting one of the replicas to be the CA but without one currently it doesn't seem to work unless I'm doing it wrong.
What I've tried so far:
# ipa-csreplica-manage -v -f set-renewal-master
Directory Manager password:
Failed to set renewal master to <replica_server>: no such entry
# ipa-cacert-manage renew
CA is not configured on this system
The ipa-cacert-manage command failed.
Near as I can tell everything I've tried fails since the original CA is no longer online and there's no way for me to get it online. I need to modify one of the replicas to be the CA in an existing domain. All the procedures I've found require an existing functional CA.
I've got one replica on CentOS 8.5 and ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64. And four on Rocky Linux 8.5 and ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
The CentOS box will likely get retired sometime in the near future so I'll be looking to promote one of the Rocky Linux systems to be the master. There's four of those to spread out servers across different subnets in our network layout. Replication between the five current systems does seem to be working just fine.
--
Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
Naval Research Laboratory
W: (228) 688-5738 <- (Preferred contact)
DSN: (312) 823-5738
C: (228) 365-0162
Flank Speed: stephen.p.berg.civ@us.navy.mil
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
Naval Research Laboratory
W: (228) 688-5738 <- (Preferred contact)
DSN: (312) 823-5738
C: (228) 365-0162
Flank Speed: stephen.p.berg.civ@us.navy.mil