Dear Rob,
Earlier you commented:
You can run ipa-ca-install at any time to add a CA to an existing master.
Indeed; however, if I may suggest, it might be useful to also have an alias
ipa-ca-install-replica
to clearly indicate it is safe to use this command and it will *not* end
up replacing your current (possibly only) active CA. Experienced admins
may know this couldn't happen, but others may not. I read and searched for
examples first, but one tends to be rather cautious, especially once you
realise you only have a single CA installed.
Alas, in my case I see:
[root@freeipa02 ~]# ipa-ca-install
CA is already installed on this host.
yet
ipa server-role-find --role "CA server"
indicates that for this server the status is absent, which ties up with other
warnings about there only being one:
Server name: freeipa02...
Role name: CA server
Role status: absent
I've not worked out why yet. I wondered if it might be installed but not
enabled, and if so, whether it would have up-to-date information. Puzzled.
Dear Satish,
All I would say is please run multiple CA servers in your LDAP
infrastructure, otherwise you will be in very big trouble like I was
in...
Thanks, and sorry to hear about the trouble you experienced; clearly I
would like to avoid this happening here too.
When I installed the FreeIPA servers a few years ago I honestly didn't
realise the CA hadn't been replicated along with everything else. Then, in
a newer version, I happened to notice the warning via the web interface
(only one CA server), although it might be useful to also include with the
warning how to fix such an omission.
As soon as I (and more experienced experts reading) can work out how to
get CA replication operational in this case, I will sleep easier. I have
already noticed the significant impact to services when freeipa01, our
complete server, is even briefly down, which really wasn't my intention.
Thanks to all.
Best wishes
Stuart
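As an added example (not part of the thread above, nor FreeIPA's own tooling), the following shell function parses the output format of ipa server-role-find --role "CA server" quoted in the message and flags the single-CA condition. It assumes the role status value for a working CA is "enabled" (only "absent" appears in the thread) and uses a constructed sample in place of live output.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: count how many servers
# report the "CA server" role as enabled in the output of
#   ipa server-role-find --role "CA server"
# so that the "only one CA server" situation discussed above is caught.
# Assumption: status values are "enabled" / "absent"; only "absent" is
# shown in the thread, "enabled" is assumed here.

# count_enabled_ca: reads server-role-find output on stdin and prints the
# number of entries whose "Role status" line reads "enabled".
count_enabled_ca() {
    awk '
        /^[[:space:]]*Role status:/ { if ($3 == "enabled") n++ }
        END { print n + 0 }
    '
}

# ca_redundancy_check: returns 0 when at least two CA servers are enabled,
# 1 otherwise, with a short verdict on stdout.
ca_redundancy_check() {
    n=$(count_enabled_ca)
    if [ "$n" -ge 2 ]; then
        echo "OK: $n CA servers enabled"
        return 0
    fi
    echo "WARNING: only $n CA server(s) enabled; add a CA on another master with ipa-ca-install"
    return 1
}

# Constructed sample in the format quoted in the thread: two masters, with
# the CA role enabled on only one of them (hostnames are placeholders).
SAMPLE='  Server name: freeipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.example.test
  Role name: CA server
  Role status: absent
'

# Live use would be: ipa server-role-find --role "CA server" | ca_redundancy_check
printf '%s' "$SAMPLE" | ca_redundancy_check || echo "(check failed as expected for the sample)"
```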