Stuart McRobert wrote:
> Dear Rob,
>
> Earlier you commented:
>
>> You can run ipa-ca-install at any time to add a CA to an existing master.
>
> Indeed, however if I may suggest it might be useful to also have an alias
>
> ipa-ca-install-replica
>
> to clearly indicate it is safe to use this command and it will *not* end
> up replacing your current (possibly only) active CA. Experienced admins
> may know this couldn't happen, but others may not. I read and searched
> for examples first, but one tends to be rather cautious especially once
> you realise you only have a single CA installed.

Well, all IPA masters are equals more or less. It would be sort of a stigma to mark one as a replica forever, for the only reason that it wasn't installed first. This would be particularly confusing if the first master was removed.

> Alas in my case I see
>
>> [root@freeipa02 ~]# ipa-ca-install
>> CA is already installed on this host.
>
> yet
>
> ipa server-role-find --role "CA server"
>
> indicates for this server it has status absent, which ties up with other
> warnings about there only being one.

It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.

>> Server name: freeipa02...
>> Role name: CA server
>> Role status: absent
>
> I've not worked out why yet. Wondered if it might be installed but not
> enabled, and if so, would it have up to date information. Puzzled.

My guess is someone tried to install a CA at some point in the past and it failed and they just left it. The installer is not idempotent and there is no CA-specific uninstall so the only way around it is to fully uninstall the master and try again.

> Dear Satish,
>
>> All I would say please run multiple CA servers in your ldap
>> infrastructure, otherwise you will be in very big trouble like i was
>> in...
>
> Thanks and sorry to hear about the trouble you experienced, clearly I
> would like to avoid this happening here too.
>
> When I installed the FreeIPA servers a few years ago I honestly didn't
> realise the CA hadn't been replicated along with everything else. Then
> in a newer version I happened to notice the warning via the web
> interface, only one CA server, although it might be useful to also
> include how to fix such an omission with the warning.
>
> As soon as I (and more experienced experts reading) can work out how to
> get CA replication operational in this case, I will sleep easier. I
> have already noticed the significant impact to services when freeipa01,
> our complete server, is even briefly down, which really wasn't my
> intention.
>
> Thanks to all.
>
> Best wishes
>
> Stuart
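One way to make the mismatch Rob describes visible, as an added example that is not part of the thread or of FreeIPA itself: it compares the file check ipa-ca-install performs with the role status from `ipa server-role-find`, assumes the `Server name:` / `Role status:` layout quoted above, and uses placeholder hostnames in a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile the two signals the reply describes.
# ipa-ca-install only tests whether /etc/pki/pki-tomcat/ca/CS.cfg exists, while
# `ipa server-role-find --role "CA server"` reports the role registered in the directory.
# When they disagree, the host has a leftover from a failed CA install rather than a CA.

# Status of the "CA server" role for one host, parsed from server-role-find output.
# $1 = command output, $2 = short or full hostname as shown after "Server name:".
ca_role_status() {
  printf '%s\n' "$1" | awk -v host="$2" '
    /Server name:/ { cur = $3 }
    /Role status:/ && (cur == host || index(cur, host ".") == 1) { print $3; found = 1 }
    END { if (!found) print "unknown" }'
}

# Verdict from the file check (what ipa-ca-install sees) and the role status (what
# server-role-find sees). $1 = path to CS.cfg, $2 = role status.
ca_state() {
  if [ -f "$1" ]; then present=1; else present=0; fi
  case "$present:$2" in
    *:unknown) echo unknown ;;        # host not listed in the role output
    1:absent)  echo stale-cs-cfg ;;   # installer refuses, directory says no CA: failed install leftover
    0:absent)  echo no-ca ;;          # clean host; ipa-ca-install can add a CA here
    0:*)       echo missing-cs-cfg ;; # role registered but the CA files are gone
    1:*)       echo installed ;;      # both signals agree a CA is present
  esac
}

# Constructed sample output mirroring the thread (hostnames are placeholders).
SAMPLE_ROLES='----------------------
2 server roles matched
----------------------
  Server name: freeipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 2
----------------------------'

# Stand-alone run against the sample; on a real master feed the live command output
# instead of SAMPLE_ROLES and keep the default CS.cfg path.
CS_CFG="${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}"
for h in freeipa01 freeipa02; do
  echo "$h: $(ca_state "$CS_CFG" "$(ca_role_status "$SAMPLE_ROLES" "$h")")"
done
```

A `stale-cs-cfg` verdict is the situation in the thread: the installer refuses because CS.cfg is present, yet no CA role is registered, so the fix is the full uninstall Rob describes rather than another ipa-ca-install attempt.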