The kra directory doesn't exist anymore but it's still part of backups - I assume I have to reinitialize this host...
On Wed, Apr 30, 2025 at 4:28 PM Rob Crittenden <[email protected]> wrote:
>
> We aren't sure what it is you've done here.
>
> Near as I can piece together you have two servers and both had expired
> certificates plus the issue where the rewrite configuration wasn't
> present causing ACME to not work.
>
> So you fixed the rewrite configuration then ran ipa-cert-fix on one
> server and that fixed it? And then, what, you ran ipa-cert-fix again on
> the second server? And that removed the KRA service?
>
> Do you have the original /var/log/ipaserver-install.log (or
> replica-install.log or ipaserver-kra-install.log) on this host with the
> missing KRA? Can you confirm that the KRA was actually installed on it?
>
> Does /etc/pki/pki-tomcat/kra/ exist?
>
> rob
>
> Ian Kumlien wrote:
> > It used to work, and I have never used --disable-role-check in my life...
> >
> > On Wed, Apr 30, 2025 at 1:07 PM Florence Blanc-Renaud <[email protected]>
> > wrote:
> >>
> >> Hi,
> >>
> >> On Wed, Apr 30, 2025 at 10:31 AM Ian Kumlien <[email protected]> wrote:
> >>>
> >>> On Tue, Apr 29, 2025 at 7:15 PM Florence Blanc-Renaud <[email protected]>
> >>> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> On Tue, Apr 29, 2025 at 4:39 PM Ian Kumlien via FreeIPA-users
> >>>> <[email protected]> wrote:
> >>>>>
> >>>>> On Tue, Apr 29, 2025 at 4:30 PM Rob Crittenden <[email protected]>
> >>>>> wrote:
> >>>>>>
> >>>>>> Ian Kumlien wrote:
> >>>>>>> This and changing the permissions on certs pkiuser:pkiuser fixed it on
> >>>>>>> that machine, what remains is:
> >>>>>>> Error: Local roles CA, DNS, DNSKeySync do not match globally used
> >>>>>>> roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
> >>>>>>> be complete enough to restore a fully functional, identical cluster.
> >>>>>>> The ipa-backup command failed. See /var/log/ipabackup.log for more
> >>>>>>> information
> >>>>>>
> >>>>>> What is unclear about the message?
> >>>>>
> >>>>> A lot - it broke by running ipa-cert-fix
> >>>>>
> >>>>>> An IPA backup is a disaster recovery tool. There is no need to use it
> >>>>>> to
> >>>>>> back up every single host in a cluster for the reason outlined.
> >>>>>> ipa-restore is used when things are completely hosed. It requires that
> >>>>>> any existing replicas need to be force re-initialized.
> >>>>>
> >>>>> It used to work, it worked until I ran ipa-cert-fix
> >>>>>
> >>>>> To me it sounds more like ipa-cert-fix did something that broke the
> >>>>> state of that node.
> >>>>
> >>>> ipa-cert-fix does one change related to roles: it sets the host where it
> >>>> is executed as CA renewal master. It does not remove
> >>>> CA/DNS/DNSkeySync/KRA instance.
> >>>> Can you show the output of ipa config-show on your 2 nodes?
> >>>
> >>> Node-1 - where ipa-backup doesn't work anymore:
> >>> ipa config-show
> >>> Maximum username length: 32
> >>> Maximum hostname length: 64
> >>> Home directory base: /home
> >>> Default shell: /bin/bash
> >>> Default users group: ipausers
> >>> Default e-mail domain: virt.demius.net
> >>> Search time limit: 2
> >>> Search size limit: 100
> >>> User search fields: uid,givenname,sn,telephonenumber,ou,title
> >>> Group search fields: cn,description
> >>> Enable migration mode: False
> >>> Certificate Subject base: O=VIRT.DEMIUS.NET
> >>> Password Expiration Notification (days): 4
> >>> Password plugin features: AllowNThash
> >>> SELinux user map order:
> >>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >>> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> >>> Default PAC types: MS-PAC, nfs:NONE
> >>> IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>> IPA master capable of PKINIT: freeipa1.virt.demius.net,
> >>> freeipa2.virt.demius.net
> >>> IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>> IPA CA renewal master: freeipa2.virt.demius.net
> >>> IPA KRA servers: freeipa2.virt.demius.net
> >>> IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>>
> >>> Node 2 - works after the modifications and some workarounds:
> >>> ipa config-show
> >>> Maximum username length: 32
> >>> Maximum hostname length: 64
> >>> Home directory base: /home
> >>> Default shell: /bin/bash
> >>> Default users group: ipausers
> >>> Default e-mail domain: virt.demius.net
> >>> Search time limit: 2
> >>> Search size limit: 100
> >>> User search fields: uid,givenname,sn,telephonenumber,ou,title
> >>> Group search fields: cn,description
> >>> Enable migration mode: False
> >>> Certificate Subject base: O=VIRT.DEMIUS.NET
> >>> Password Expiration Notification (days): 4
> >>> Password plugin features: AllowNThash
> >>> SELinux user map order:
> >>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >>> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> >>> Default PAC types: MS-PAC, nfs:NONE
> >>> IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>> IPA master capable of PKINIT: freeipa1.virt.demius.net,
> >>> freeipa2.virt.demius.net
> >>> IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>> IPA CA renewal master: freeipa2.virt.demius.net
> >>> IPA KRA servers: freeipa2.virt.demius.net
> >>> IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
> >>>
> >> IMO it's the missing KRA role on freeipa1 that prevents the backup. Are
> >> you sure the command used to work? Or maybe you were using ipa-backup
> >> --disable-role-check on this specific node?
> >>
> >> flo
> >
>
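The thread turns on the role check quoted in the error: ipa-backup compares the roles held by the local host with every role used anywhere in the topology, and freeipa1 lacks KRA. As an added example (not code from the FreeIPA project and not something anyone in the thread posted), the Python script below applies the same idea to the `ipa config-show` output quoted above, so an operator can see at a glance which host lacks which role before running a backup. It is a simplified re-implementation, not ipa-backup's own logic: it reads only the "IPA CA servers", "IPA KRA servers" and "IPA DNS servers" lines that config-show prints (DNSKeySync, which appears in the error but not in config-show, is therefore not covered), and the embedded sample input is a constructed excerpt of the node-1 output from the thread.

```python
"""Compare the roles a host holds against the roles used anywhere in the
IPA topology, using the text that `ipa config-show` prints.

Added example for the thread above; not FreeIPA project code. ipa-backup's
own role check is implemented differently (it does not parse config-show),
so treat this as an operator-side diagnostic only.
"""
import re

# Constructed sample: an excerpt of the node-1 `ipa config-show` output
# quoted in the thread, including one wrapped (continued) value so the
# parser has to re-join it.
SAMPLE_CONFIG_SHOW = """\
  Maximum username length: 32
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA master capable of PKINIT: freeipa1.virt.demius.net,
                                freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
"""

# config-show attributes that list the servers holding a role, mapped to the
# role names ipa-backup uses in its error message.
ROLE_LINES = {
    "IPA CA servers": "CA",
    "IPA KRA servers": "KRA",
    "IPA DNS servers": "DNS",
}

# An attribute line starts with a capitalised label followed by a colon;
# anything else (e.g. a hostname on its own) is a wrapped continuation.
ATTR_RE = re.compile(r"^([A-Z][A-Za-z ()\-]*):\s*(.*)$")


def parse_config_show(text):
    """Return {attribute: value}, re-joining values wrapped over lines."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif last is not None:
            attrs[last] = (attrs[last] + " " + line).strip()
    return attrs


def servers_for(attrs, key):
    """Hostnames listed for a config-show attribute, lower-cased."""
    value = attrs.get(key, "")
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def role_check(config_show_text, hostname):
    """Return (local_roles, global_roles, missing_roles), each sorted.

    A role counts as globally used if any server holds it, and as local if
    `hostname` is among the servers listed for it.
    """
    attrs = parse_config_show(config_show_text)
    hostname = hostname.lower()
    global_roles, local_roles = set(), set()
    for key, role in ROLE_LINES.items():
        hosts = servers_for(attrs, key)
        if hosts:
            global_roles.add(role)
        if hostname in hosts:
            local_roles.add(role)
    missing = global_roles - local_roles
    return sorted(local_roles), sorted(global_roles), sorted(missing)


def report(config_show_text, hostname):
    """One-line verdict in the spirit of the ipa-backup error message."""
    local, used, missing = role_check(config_show_text, hostname)
    if not missing:
        return (f"{hostname}: local roles {', '.join(local)} cover all "
                f"globally used roles; a backup here would be complete")
    return (f"{hostname}: local roles {', '.join(local)} do not match "
            f"globally used roles {', '.join(used)} (missing "
            f"{', '.join(missing)}); a backup here would not restore the "
            f"full cluster")


if __name__ == "__main__":
    for host in ("freeipa1.virt.demius.net", "freeipa2.virt.demius.net"):
        print(report(SAMPLE_CONFIG_SHOW, host))
```

Run against the sample, the script reports freeipa1 as missing KRA and freeipa2 as complete, which matches Flo's reading of the two config-show listings. On a live system the same function can be fed the real output via `subprocess.run(["ipa", "config-show"], capture_output=True, text=True).stdout` after a valid Kerberos ticket is obtained.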
