At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present?
Cheers, Ronald
On 10/2/20 11:03 AM, Ronald Wimmer via FreeIPA-users wrote:
> At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present?
Hi, yes, ipa-kra-install can be used to install a replica KRA. No additional steps required.
flo
> Cheers, Ronald
On 02.10.20 11:29, Florence Blanc-Renaud wrote:
> On 10/2/20 11:03 AM, Ronald Wimmer via FreeIPA-users wrote:
>> At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present?
> Hi, yes, ipa-kra-install can be used to install a replica KRA. No additional steps required.
Looks like that did not work as expected. The only KRA server at the moment is pipa02. pipa06 should become an additional KRA server.
Last login: Fri Oct 2 11:16:49 2020 from 172.20.73.225
[root@pipa06 ~]# ipa-kra-install
Directory Manager password:

/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:72: The SecurityDomainClient.get_security_domain_info() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:85: The DomainInfo.systems has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Lookup failed: Preferred host pipa06.linux.mydomain.at does not provide KRA.
Custodia uses 'pipa02.linux.mydomain.at' as master peer.

===================================================================
This program will setup Dogtag KRA for the IPA Server.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

401 Client Error: Unauthorized for url: https://pipa02.linux.mydomain.at/ipa/keys/ca/auditSigningCert%20cert-pki-kra...<undisclosed>
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
On 02.10.20 11:43, Ronald Wimmer via FreeIPA-users wrote:
> Looks like that did not work as expected. The only KRA server at the moment is pipa02. pipa06 should become an additional KRA server.
> [...]
> 401 Client Error: Unauthorized for url: https://pipa02.linux.mydomain.at/ipa/keys/ca/auditSigningCert%20cert-pki-kra...<undisclosed>
> The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
I could not find anything useful in the log file. Any hints on what I could try next?
freeipa-users@lists.fedorahosted.org