Hi,

On Fri, Jun 21, 2019 at 11:01 AM Sina Owolabi via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Friends
>
> A few months ago I reported a problem with my FreeIPA domain where my
> master IPA server could not start pki-tomcatd, and I could not find
> what was causing the problem.
> Operations such as host deletion, DNS modifications failed with
> "ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)"
> on the master but worked on the replicas.
> I couldn't find a solution, also after seeking help on the list.

After reviewing the relevant thread it looks like diagnosing the issue was not possible due to lack of logs.

> Now the replicas have the same problem, and I wonder if it would be
> possible to set up a new master, migrate all existing configuration to
> this new master, and recreate the domain on the problematic servers?
> If this kind of clean sweep is possible, can someone more skilled
> than I, please advise on how to do this?

First make sure you can list users, groups, sudo rules, HBAC rules on your existing IPA cluster.
Then set up a new IPA instance on a clean host, add replica(s) and then create all the necessary objects like users, groups, sudo rules, HBAC... and then you will have to run ipa-client-install (e.g. enroll again) on all the existing clients.
Migrating the configuration in one go is not yet possible.

Please make sure logs are properly written, use backups and add monitoring for your service certificates.

François

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
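As an added example (not from this thread or the FreeIPA project), here is a small monitor for the service-certificate advice above: it parses the output of certmonger's `getcert list`, which tracks the IPA and pki-tomcat certificates, and flags requests that are not in the healthy MONITORING state, are stuck, or expire within a window. The sample output below is constructed, and the field names are assumed to match your certmonger version.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample laid out like certmonger's `getcert list` on an IPA server (trimmed).
SAMPLE = """\
Request ID '20190101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
\texpires: 2030-06-21 10:00:00 UTC
Request ID '20190101000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\texpires: 2019-06-30 10:00:00 UTC
Request ID '20190101000003':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\texpires: 2019-07-05 10:00:00 UTC
"""

def parse_utc(stamp):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Turn `getcert list` output into one {field: value} dict per tracked request."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            certs.append(cur)
        elif cur is not None and line.startswith("\t"):
            key, _, val = line.strip().partition(": ")
            cur[key] = val
    return certs

def find_problems(text, now, warn_days=30):
    """{request id: [reasons]} for certs not MONITORING, stuck, expired or expiring soon."""
    problems = {}
    for c in parse_getcert(text):
        left = parse_utc(c["expires"]) - now
        reasons = [why for why, bad in (
            ("status " + c.get("status", "?"), c.get("status") != "MONITORING"),
            ("stuck", c.get("stuck") == "yes"),
            ("expired", left <= timedelta(0)),
            ("expires in %d days" % left.days, timedelta(0) < left <= timedelta(days=warn_days)),
        ) if bad]
        if reasons:
            problems[c["id"]] = reasons
    return problems
```

On a real server pipe `getcert list` into `find_problems` with `datetime.now(timezone.utc)` and alert on a non-empty result; a CA_UNREACHABLE entry under /etc/pki/pki-tomcat/alias is exactly the kind of sign that would have been worth catching early in the situation described above.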