Thank you Rob for your answer,

I have tested solution 4, but the installation really goes out of order. I do not want to remove from the host or even add a replica (same thing with the --dirsrv-cert-file and --http-cert-file options). I got the following error:

'certificate operation cannot be completed: Unable to communicate with CMS ([Errno 111] Connection refused)'

Then on to Solution 5, loss of information, backtracking:
I restored a 15-day-old snapshot, which resulted in the loss of a new user and twenty-something password changes.
- resynchronize with winsync users (change uid and gid on servers)
- send a mail to users who have changed their password (synchronization)
Big panic in the information system.

I am back to square one with a freeipa v4.4 and a big certificate problem:
''
Request ID '20161220171512':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
''
If you have an idea for replacing the CA, I am really interested.

thx
Pierre
--
On 2018-03-13 14:33, Rob Crittenden wrote:
Labanowski Pierre via FreeIPA-users wrote:
> Hello, I'm confused with my freeipa setup. Some details on the installation:
> - I use freeipa on only one server since 2012 (basic install with a self-signed certificate ... KO from 2014 on).
> - meanwhile (a few years) I made a migration to switch to a version of freeipa v4 on CentOS 7.1, which has been at 4.5 for a few weeks now. (the old freeipa v3 server has been destroyed for a long time)
> - at that time the CA authority was lost ... but hey, I do not use this feature in freeipa v4, I'm not too worried.
> - I mainly use the ldap (user, group, host, hbac, automount etc), and especially kerberos, and also winsync (trust AD etc ...)
> - I was never interested in the certificate part.
> - The HTTP and LDAP certificates of the server are signed via an external authority not managed by freeipa.
> Only here I wanted to add a 2nd server to replicate my single freeipa server, to secure the system. And here the disaster begins for me ... because the certificates block the process in all directions. I'm considering several solutions:
> - Solution 1 (my favorite if it's possible), that I started to try to do ... remove the CA and restart from scratch on my master server before starting to replicate. I made a:
>   ipa-ca-install ----> KO CA is already installed on this host
> THEN
>   pkidestroy -s CA -i pki-tomcat
>   ipa-getcert stop-tracking -i ******** (certificate expired for several years)
>   ipa-ca-install ----> KO
> ''
> Run connection check to master
> Connection check OK
> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
> HTTPError: 404 Client Error: Not Found
> ''
> I tried an enormous number of commands; I think I made more of a mess than anything else. That said ... :'( how can I erase all traces of the CA authority, reinstall a new authority with ipa-ca-install and end up with a correct installation?
No.

Chances are excellent that your original CA is now gone permanently given you ran pkidestroy. If you still have the cacert.p12 you at least have the original signing cert but given it was generated 6 years ago and all the subsystem certs are long-expired it would be an extra challenge to try to set up a replacement (for which there is a procedure defined by dogtag but we've never tried it).
> - Solution 2: add a replica server without CA authority, make it master and install a new CA authority! Is it possible?

No.
> - Solution 3: make a new freeipa server from 0
>   - ipa-server-install
>   - import my ~600 users and ~50 hosts (services)
>   - import my HBAC rules
>   - import my sudo rules
>   - import the kerberos keys
>   ... Am I forgetting some things? And above all, is there a procedure to do all this? It seems much more difficult, especially since it will certainly be necessary to plan production stops for my services:

IPA to IPA migration is theoretically possible but not something that is supported at the moment (we just never got around to working out all the details). It would involve exporting to ldif the current data, massaging it, and importing it into the new master. There be dragons.
solution 4

Obtain an SSL certificate for the HTTP and LDAP service from the same place you got the certificates for your existing master for your new replica and use the --dirsrv-cert-file and --http-cert-file options to ipa-replica-install to pass them in. See the ipa-replica-install(1) man page for fuller details.

rob
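The certmonger state in Pierre's excerpt (status CA_UNREACHABLE, a ca-error line, a certificate that expired long ago) is worth surfacing before any replica install is attempted. The script below is an added example, not code from the thread or from FreeIPA: it parses `getcert list`-style output and lists every tracked request that is not plainly healthy; the embedded sample is constructed, and the host names, the second request ID and the dates are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage certmonger tracking state from
# getcert-list style output. Hosts, IDs and dates are constructed placeholders.

# Constructed sample in the layout of `getcert list` (two tracked requests).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20161220171512':
  status: CA_UNREACHABLE
  ca-error: Error 60 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
  subject: CN=ipa.example.test,O=EXAMPLE.TEST
  expires: 2017-12-20 17:15:12 UTC
Request ID '20170101000000':
  status: MONITORING
  subject: CN=other.example.test,O=EXAMPLE.TEST
  expires: 2030-01-01 00:00:00 UTC
EOF
}

# Read getcert-style output on stdin; $1 is today's date as YYYY-MM-DD. Prints
# "<request id> <status> <reasons>" for each request that is not plainly healthy:
# status other than MONITORING, a ca-error line, or an expiry date already past
# (dates are compared lexically, so no GNU date is needed).
triage_getcert() {
  awk -v today="$1" '
    function flush() {
      if (id == "") return
      reason = ""
      if (status != "MONITORING") reason = reason "status=" status ";"
      if (caerr != "") reason = reason "ca-error;"
      if (expires != "" && substr(expires, 1, 10) < today) reason = reason "expired=" substr(expires, 1, 10) ";"
      if (reason != "") print id, status, reason
      id = ""; status = ""; caerr = ""; expires = ""
    }
    /^Request ID/ { flush(); match($0, /'\''[^'\'']*'\''/); id = substr($0, RSTART + 1, RLENGTH - 2); next }
    { sub(/^[ \t]+/, "") }          # drop the indentation getcert prints
    /^status: /   { status  = substr($0, 9) }
    /^ca-error: / { caerr   = substr($0, 11) }
    /^expires: /  { expires = substr($0, 10) }
    END { flush() }
  '
}

# Stand-alone run against the sample; on a real server pipe getcert list into it:
#   getcert list | triage_getcert "$(date +%F)"
sample_getcert_list | triage_getcert "$(date +%F)"
```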