Thanks Rob: I did go through the upgrade process again, starting from rolling back my vm snapshot. And, we're good now. I also changed:
ca.crl.MasterCRL.publishOnStart=false to true, which may have helped with the impatient types like me :) Thanks!

Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Feb 12, 2018, at 3:40 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Jim Richard via FreeIPA-users wrote:
>> Thanks Rob,
>>
>> Correct, did a clean install on CentOS 7, and then on my CentOS 6 unit applied the schema update and then replica prepare, scp'd the file over and then replica install on the new CentOS 7 server. Plus all the other steps in between of course.
>>
>> Let me make sure I understand correctly though. If I follow the procedure "8.2. MIGRATING IDENTITY MANAGEMENT FROM RED HAT ENTERPRISE LINUX 6 TO VERSION 7", should I expect the same CRL list over on my new CentOS 7/FreeIPA 4 server?
>
> If you disabled CRL generation in the RHEL 6 master and enabled it on the RHEL 7 master according to the docs then yes, you should see a CRL being generated.
>
>> Is this something I even need to worry about? I saw a comment from you from a while back where you said something to the effect that CRL's are not super urgent if you're not actually using them. But I may not have understood that correctly. No though, I am not making use of the FreeIPA CRL in any other way other than how FreeIPA system uses it.
>
> It's not _great_ that the CRL isn't there but it also isn't a show stopper (for now). I'd recommend running through the documentation again and confirming that the RHEL 6 CA is no longer generating the CRL.
> Note that the reason we recommend only one do this is that due to timing it is possible that two CAs in the same infrastructure could generate different CRLs, both of which would be considered valid (properly signed, etc).
>
> rob
>
>> -Jim
>>
>>> On Feb 7, 2018, at 5:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Jim Richard via FreeIPA-users wrote:
>>>> We have a nice simple setup, a single master running 3.0.0-51.el6.centos and as far as I can tell we're in very good shape, all certs check out ok, being monitored, nothing expired.
>>>>
>>>> Great! Let's finally do the upgrade to CentOS 7/IPA 4.X
>>>>
>>>> Carefully follow all the instructions here:
>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
>>>>
>>>> Everything goes great, I note that CS.cfg on CentOS lives under /etc/pki-ca not /var/lib, ok no problem, great, great and then:
>>>>
>>>> I get to this part of the document:
>>>>
>>>> 6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
>>>> Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new master CA server.
>>>> The file is generated based on the time interval defined in the /etc/pki/pki-tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240 minutes (4 hours).
>>>> If the file exists, the new master CA server is configured correctly, and you can safely dismiss the previous CA master system.
>>>>
>>>> And after messing with CS.cfg update interval settings, rebooting etc, I still get no MasterCRL.bin on the new host.
>>>>
>>>> Any clues as to what I might be doing wrong?
>>>>
>>>> Really hard to say without more info I'm sure.
>>>>
>>>> Can you tell me what to check on the original master before I get started with all the upgrade steps?
>>>> I have rolled back my virtual machine snapshot so I'm back to "everything good" state, I think :)
>>>
>>> I think you need to define what you mean by "upgrade". Did you actually upgrade in-place from RHEL 6 to 7? If so that is not supported.
>>>
>>> The right procedure is to create a new replica on RHEL 7.
>>>
>>> rob
>>>
>>>> On the original master, before upgrade I have:
>>>>
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 5 21:00 MasterCRL-20180205-210000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 01:00 MasterCRL-20180206-010000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 05:00 MasterCRL-20180206-050000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 09:00 MasterCRL-20180206-090000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 13:00 MasterCRL-20180206-130000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 17:00 MasterCRL-20180206-170000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 21:00 MasterCRL-20180206-210000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 01:00 MasterCRL-20180207-010000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 07:36 MasterCRL-20180207-073614.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 09:00 MasterCRL-20180207-090000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 13:00 MasterCRL-20180207-130000.der
>>>> -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 17:00 MasterCRL-20180207-170000.der
>>>> lrwxrwxrwx 1 pkiuser pkiuser 57 Feb 7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
>>>> drwxrwxr-x 2 root pkiuser 36864 Feb 7 17:00 .
>>>>
>>>> That looks all correct right? Indicated the master is doing what it should re CRL's etc.
>>>>
>>>> I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root pkiuser 775" not "pkiuser pkiuser", but me thinks that's ok.
>>>> What log should I look at to see some indication that a transfer or like, "get the CRL list to the new node" is failing?
>>>>
>>>> Thanks !!
>>>>
>>>> Jim Richard
>>>> SYSTEM ADMINISTRATOR III
>>>> (646) 338-8905
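Added example, not code from the thread or from the FreeIPA project: a small Python check for the two questions raised above, whether a CA has produced MasterCRL.bin within one ca.crl.MasterCRL.autoUpdateInterval, and whether more than one CA in the infrastructure still appears to be generating CRLs (Rob's warning about two validly signed but different CRLs). It relies only on the CS.cfg key=value format, the keys and the MasterCRL-YYYYMMDD-HHMMSS.der naming quoted in the thread; the host names, clock value and listing inputs are constructed.

```python
import re
from datetime import datetime, timedelta

CRL_NAME = re.compile(r"^MasterCRL-(\d{8})-(\d{6})\.der$")  # naming seen in the thread's listing

def parse_cs_cfg(text):
    """Parse Dogtag CS.cfg (one key=value per line) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def newest_crl(listing):
    """Timestamp of the newest MasterCRL-*.der name in a publish-dir listing, or None."""
    stamps = [datetime.strptime("".join(m.groups()), "%Y%m%d%H%M%S")
              for m in map(CRL_NAME.match, listing) if m]
    return max(stamps, default=None)

def crl_status(cfg, listing, now, slack_minutes=30):
    """Judge one CA: 'generating' means its newest CRL is within one autoUpdateInterval (plus slack) of now."""
    interval = int(cfg.get("ca.crl.MasterCRL.autoUpdateInterval", "240"))
    latest = newest_crl(listing)
    fresh = latest is not None and now - latest <= timedelta(minutes=interval + slack_minutes)
    return {"has_master_crl_bin": "MasterCRL.bin" in listing, "latest": latest, "generating": fresh,
            "publish_on_start": cfg.get("ca.crl.MasterCRL.publishOnStart") == "true"}

def infrastructure_check(statuses):
    """Exactly one CA should generate the CRL; two would both produce validly signed but different CRLs."""
    gens = sorted(host for host, s in statuses.items() if s["generating"])
    if not gens:
        return "no CA is generating a CRL"
    if len(gens) > 1:
        return "multiple CAs generating CRLs: " + ", ".join(gens)
    return "ok: " + gens[0]

# Constructed sample: the old master's listing from the thread and an empty publish dir on the new host.
SAMPLE_CFG = "ca.crl.MasterCRL.autoUpdateInterval=240\nca.crl.MasterCRL.publishOnStart=false\n"
OLD_LISTING = ["MasterCRL-20180207-130000.der", "MasterCRL-20180207-170000.der", "MasterCRL.bin"]
NOW = datetime(2018, 2, 7, 17, 30)

if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE_CFG)
    statuses = {"old-master": crl_status(cfg, OLD_LISTING, NOW), "new-master": crl_status(cfg, [], NOW)}
    for host, status in statuses.items():
        print(host, status)
    print(infrastructure_check(statuses))
```

Run it against the real publish directories of both masters (for example by feeding in `os.listdir("/var/lib/ipa/pki-ca/publish")` on each host); after the migration it should report exactly the RHEL 7 CA as generating.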
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org