We have a nice simple setup, a single master running 3.0.0-51.el6.centos and as far as I
can tell we're in very good shape, all certs check out ok, being monitored, nothing
expired.
Great! Let's finally do the upgrade to CentOS 7/IPA 4.X
Carefully follow all the instructions here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Everything goes great, I note that CS.cfg on CentOS lives under /etc/pki-ca not /var/lib,
ok no problem, great, great and then:
I get to this part of the document:
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new master CA
server.
The file is generated based on the time interval defined in the
/etc/pki/pki-tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval
parameter. The default value is 240 minutes (4 hours).
If the file exists, the new master CA server is configured correctly, and you can safely
dismiss the previous CA master system.
And after messing with CS.cfg update interval settings, rebooting etc, I still get no
MasterCRL.bin on the new host.
Any clues as to what I might be doing wrong?
Really hard to say without more info I'm sure.
Can you tell me what to check on the original master before I get started with all the
upgrade steps?
I have rolled back my virtual machine snapshot so I'm back to "everything
good" state, I think :)
On the original master, before upgrade I have:
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 5 21:00 MasterCRL-20180205-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 01:00 MasterCRL-20180206-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 05:00 MasterCRL-20180206-050000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 09:00 MasterCRL-20180206-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 13:00 MasterCRL-20180206-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 17:00 MasterCRL-20180206-170000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 21:00 MasterCRL-20180206-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 01:00 MasterCRL-20180207-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 07:36 MasterCRL-20180207-073614.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 09:00 MasterCRL-20180207-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 13:00 MasterCRL-20180207-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 17:00 MasterCRL-20180207-170000.der
lrwxrwxrwx 1 pkiuser pkiuser 57 Feb 7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
drwxrwxr-x 2 root pkiuser 36864 Feb 7 17:00 .
That all looks correct, right? It indicates the master is doing what it should re CRLs
etc.
I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root pkiuser
775" not "pkiuser pkiuser", but methinks that's ok.
What log should I look at to see some indication that a transfer or like, "get the
CRL list to the new node" is failing?
Thanks !!
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905
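
Added example, not part of the original message or of the Red Hat guide: a shell check for the condition quoted from section 6.5.2.3. It reads ca.crl.MasterCRL.autoUpdateInterval from CS.cfg and tells a missing MasterCRL.bin apart from a dangling symlink and from a CRL older than the interval. The function names and exit codes are made up for this example; the paths in the usage comment are the ones quoted in the message.

```sh
#!/bin/sh
# Added example (not from the Red Hat guide): verify the MasterCRL.bin condition
# of section 6.5.2.3 and tell the failure cases apart.

# Print ca.crl.MasterCRL.autoUpdateInterval (minutes) from the given CS.cfg.
crl_interval() {
    sed -n 's/^ca\.crl\.MasterCRL\.autoUpdateInterval=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_master_crl PUBLISH_DIR CS_CFG   (hypothetical helper name)
# Returns 0 = present and fresh, 1 = missing, 2 = dangling symlink,
#         3 = older than the update interval, 4 = interval not found.
check_master_crl() {
    crl_link="$1/MasterCRL.bin"
    crl_min=$(crl_interval "$2")
    if [ -z "$crl_min" ]; then
        echo "autoUpdateInterval not set in $2"; return 4
    fi
    if [ ! -e "$crl_link" ] && [ ! -L "$crl_link" ]; then
        echo "$crl_link does not exist: no CRL has been published here"; return 1
    fi
    if [ ! -e "$crl_link" ]; then
        # MasterCRL.bin is a symlink to a dated .der file; the target is gone.
        echo "$crl_link is a dangling symlink"; return 2
    fi
    # -L follows the symlink, so the age tested is that of the .der target.
    # -mmin is not POSIX but is supported by GNU, BSD and busybox find.
    if [ -n "$(find -L "$crl_link" -mmin +"$crl_min")" ]; then
        echo "$crl_link was not regenerated within $crl_min minutes"; return 3
    fi
    echo "$crl_link is present and newer than $crl_min minutes"; return 0
}

# Run against real paths only when both are given on the command line, e.g.
#   sh check_crl.sh /var/lib/ipa/pki-ca/publish /etc/pki/pki-tomcat/ca/CS.cfg
if [ "$#" -eq 2 ]; then
    check_master_crl "$1" "$2"
fi
```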