Jernej Jakob via FreeIPA-users wrote:
> Hi,
> 
> I'm tasked with upgrading our current setup of 3.3.5 on F19 to something more 
> recent and stable (CentOS 7 or CentOS 8).

There is no 8 yet.

> 
> There were instructions at 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> which is now 404 so I've searched around and found a thread on freeipa-users: 
> https://www.redhat.com/archives/freeipa-users/2016-April/msg00260.html
> This thread also points to the above 404 link and another thread: 
> https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
> 
> When I was reading up on this a year or two ago, there were some guides still 
> up, and I recall there were some commands to check master/replica CA status 
> and promote/demote the CAs in V3. I can't find these any more.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#updating-migrating

> 
> There is a section "Procedure in FreeIPA < 4.0" here: 
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> 
> But I do not have a /var/lib/pki-ca, only /var/lib/pki/pki-tomcat so that 
> doesn't work.
> 
> This was originally a 2-server setup with master-replica, CA and DNS, but due 
> to a firewall misconfiguration after a system upgrade the replication was 
> disconnected for some time. When the split was detected due to us editing the 
> configuration on the master and it not being propagated, we reestablished the 
> connection but things never got back to fully working (I recall we could only 
> edit the configuration on the master, any changes on the replica got lost). 
> We then unenrolled the replica which left us with only the master that is 
> running currently. Everything including enrolling new clients works so IMO 
> this means we're left with the CA master, so we'd want to upgrade this to V4 
> and have at least 2 replicas back ASAP.
> 
> If I understand things correctly, first we need to check if all the 
> certificates are valid and if not renew them, then install a V3 replica, 
> promote/demote the CAs, check if things are working correctly, unenroll the 
> old V3 master, upgrade the replica (now master) to V4 and install additional 
> replicas.
> 
> Since this is our production system with ~20 clients, DNS with custom zones, 
> HBAC, etc I'd not like to experiment a lot with it (we do have backups just 
> in case).
> 
> I'd highly appreciate if anyone has any suggestions, instructions or an 
> archived upgrade guide somewhere...

You don't need to do all this. What you want to do is something like
(mostly off the top of my head, definitely read the docs and come up
with a full plan):

- ensure you have a CA and that its certs are valid (getcert list | grep
expires)
- ipa-replica-prepare <your_new_master>
- follow
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#migrating-6-7-prereqs
- on the new master ipa-replica-install <prepare-file> --setup-ca
(--setup-dns if you have it)

Ensure everything is working: users are visible, clients can enroll, etc.

Create another master from this new one, preferably also with a CA
(avoid single point-of-failure).

Get the current DNA configuration from the F19 master:

$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

Decommission the old master.

ipa-replica-manage dnarange-set to configure the uid ranges

THEN set the CA renewal master and CRL generator.

This all does NOT need to be done incredibly quickly. You can create the
new master and let it just run for a week. Once you are happy, then
create the second, and so forth.

You probably don't want it to drag out too long, but this isn't
something that needs to be done in a day.

rob
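A small shell check for the first step of Rob's outline (confirming the CA and IPA service certificates are valid before preparing a replica), added here as an example; it is not part of the thread or of FreeIPA's own tooling. It parses the output of `getcert list`, prints the days left on every tracked certificate, flags any `ca-error:` that certmonger recorded for a failed renewal, and exits non-zero if anything is expired, inside the warning window, or erroring. The sample `getcert list` output is constructed (placeholder request IDs, hostnames and error text); the only external assumption is GNU `date -d`, which Fedora and CentOS ship.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA.
# Assumes GNU date (Fedora/CentOS).  On a live server:  getcert list | check_cert_expiry 30

# check_cert_expiry DAYS [NOW_EPOCH]  <  output of `getcert list`
# Prints "<request-id> <status> <expires> <days-left>" for each tracked cert and
# "<request-id> ca-error: ..." for any renewal error certmonger recorded.
# Exit 0 if every cert has more than DAYS days left and no ca-error is present,
# 1 otherwise.  NOW_EPOCH (seconds since epoch) makes the result reproducible.
check_cert_expiry() {
    local days="$1" now="${2:-$(date -u +%s)}"
    local line id='' status='' rc=0
    while IFS= read -r line; do
        case "$line" in
            "Request ID "*)                 # Request ID '20140101120000':
                id=${line#*\'}; id=${id%%\'*}; status=''
                ;;
            *"status: "*)                   # status: MONITORING, CA_UNREACHABLE, ...
                status=${line#*status: }
                ;;
            *"ca-error: "*)                 # certmonger could not complete a renewal
                printf '%s ca-error: %s\n' "$id" "${line#*ca-error: }"
                rc=1
                ;;
            *"expires: "*)                  # expires: 2019-09-01 00:00:00 UTC
                local expires exp_epoch left
                expires=${line#*expires: }
                exp_epoch=$(date -u -d "$expires" +%s)
                left=$(( (exp_epoch - now) / 86400 ))
                printf '%s %s %s %d\n' "$id" "$status" "$expires" "$left"
                [ "$left" -gt "$days" ] || rc=1
                ;;
        esac
    done
    return "$rc"
}

# Constructed sample of `getcert list` output (placeholder IDs, hosts and error text).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140101120000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2019-09-01 00:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20140101120001':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2019-06-15 00:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20140101120002':
        status: CA_UNREACHABLE
        ca-error: Unable to communicate with CMS (Service Unavailable)
        stuck: yes
        CA: IPA
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2019-05-01 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
}

# Stand-alone demo: evaluate the sample as of 2019-06-01 with a 30-day warning window.
sample_getcert_output | check_cert_expiry 30 "$(date -u -d '2019-06-01 00:00:00 UTC' +%s)"
echo "exit status: $?"
```

Run it before `ipa-replica-prepare`: a certificate inside the window, or any `ca-error`, means the renewal chain on the old master needs fixing first, otherwise the replica will be installed from certificates that are about to expire or that certmonger can no longer renew.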
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org