Jim Richard via FreeIPA-users wrote:
> We have a nice simple setup, a single master running 3.0.0-51.el6.centos
> and as far as I can tell we're in very good shape, all certs check out
> OK, being monitored, nothing expired.
> 
> Great! Let's finally do the upgrade to CentOS 7/IPA 4.X
> 
> Carefully follow all the instructions here:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
> 
> Everything goes great, I note that CS.cfg on CentOS lives under
> /etc/pki-ca not /var/lib, ok no problem, great, great and then:
> 
> I get to this part of the document:
> 
> 6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
> Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on
> the new master CA server.
> The file is generated based on the time interval defined in the
> /etc/pki/pki-tomcat/ca/CS.cfg file using the
> ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240
> minutes (4 hours).
> If the file exists, the new master CA server is configured correctly,
> and you can safely dismiss the previous CA master system.
> 
> And after messing with CS.cfg update interval settings, rebooting etc, I
> still get no MasterCRL.bin on the new host.
> 
> Any clues as to what I might be doing wrong?
> 
> Really hard to say without more info I'm sure.
> 
> Can you tell me what to check on the original master before I get
> started with all the upgrade steps?
> 
> I have rolled back my virtual machine snapshot so I'm back to
> "everything good" state, I think :)

I think you need to define what you mean by "upgrade". Did you actually
upgrade in-place from RHEL 6 to 7? If so that is not supported.

The right procedure is to create a new replica on RHEL 7.

rob

> 
> On the original master, before upgrade I have:
> 
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  5 21:00
> MasterCRL-20180205-210000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 01:00
> MasterCRL-20180206-010000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 05:00
> MasterCRL-20180206-050000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 09:00
> MasterCRL-20180206-090000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 13:00
> MasterCRL-20180206-130000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 17:00
> MasterCRL-20180206-170000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  6 21:00
> MasterCRL-20180206-210000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 01:00
> MasterCRL-20180207-010000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 07:36
> MasterCRL-20180207-073614.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 09:00
> MasterCRL-20180207-090000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 13:00
> MasterCRL-20180207-130000.der
> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb  7 17:00
> MasterCRL-20180207-170000.der
> lrwxrwxrwx 1 pkiuser pkiuser    57 Feb  7 17:00 MasterCRL.bin ->
> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
> drwxrwxr-x 2 root    pkiuser 36864 Feb  7 17:00 .
> 
> That looks all correct, right? Indicates the master is doing what it
> should re CRLs etc.
> 
> I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root
> pkiuser 775" not "pkiuser pkiuser", but methinks that's OK.
> 
> What log should I look at to see some indication that a transfer or
> like, "get the CRL list to the new node" is failing?
> 
> 
> Thanks !!
> 
> Jim Richard
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
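
The verification step quoted from the guide (MasterCRL.bin exists and is regenerated every `ca.crl.MasterCRL.autoUpdateInterval` minutes) can be scripted and run on both the old and the new CA host. The following is an added example, not part of the thread or of the Red Hat guide. The function name `check_master_crl` is hypothetical, `ca.crl.MasterCRL.enableCRLUpdates` is a Dogtag CS.cfg key that the thread does not mention, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/bash
# Added example: check that MasterCRL.bin exists and is fresh.
# Usage: check_master_crl PUBLISH_DIR CS_CFG [NOW_EPOCH]
# Returns 0 = fresh, 1 = missing, 2 = stale, 3 = missing and CRL updates disabled.

# Print the last value assigned to an exact key in a key=value file.
cfg_get() {
    awk -F= -v k="$1" '$1 == k { print $2 }' "$2" 2>/dev/null | tail -n 1
}

check_master_crl() {
    local publish_dir="$1" cs_cfg="$2" now="${3:-$(date +%s)}"
    local link="$publish_dir/MasterCRL.bin" interval updates target mtime age

    # Interval is in minutes; the guide gives 240 as the default.
    interval=$(cfg_get ca.crl.MasterCRL.autoUpdateInterval "$cs_cfg")
    case "$interval" in ''|*[!0-9]*) interval=240 ;; esac
    # Assumption: this key controls whether this CA generates CRLs at all.
    updates=$(cfg_get ca.crl.MasterCRL.enableCRLUpdates "$cs_cfg")

    # -e follows the symlink, so a dangling MasterCRL.bin counts as missing.
    if [ ! -e "$link" ]; then
        if [ "$updates" = "false" ]; then
            echo "DISABLED: no $link and enableCRLUpdates=false in $cs_cfg"
            return 3
        fi
        echo "MISSING: $link (interval ${interval} min)"
        return 1
    fi

    target=$(readlink -f "$link")
    mtime=$(stat -c %Y "$target")
    age=$(( (now - mtime) / 60 ))
    if [ "$age" -gt "$interval" ]; then
        echo "STALE: $target is ${age} min old, interval ${interval} min"
        return 2
    fi
    echo "OK: $target is ${age} min old, interval ${interval} min"
    return 0
}

# Run directly, e.g.:
#   ./check_master_crl.sh /var/lib/ipa/pki-ca/publish /etc/pki/pki-tomcat/ca/CS.cfg
if [ "$#" -ge 2 ]; then check_master_crl "$@"; fi
```

A result of 3 points at the CA configuration rather than at file permissions or a failed transfer, since each CA writes its own CRL into its publish directory.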
