Hi all,

We've had problems with our master IPA server. The issue was that the second 
master-replica died due to an issue with the hypervisor, and we lost access to 
the first master as the Let's Encrypt certificates expired.
In the meantime we managed to renew some certificates, but the CA master 
functionality is broken and I get errors about not being able to reach CMS.

Ok, so then we salvaged the other server, the replica. We were able to bring it 
up, but it is out of sync with the primary master.
This primary master is having issues. pki-tomcat is malfunctioning: it is able to 
start, but with the error "Subsystem unavailable". I always have to use 
--ignore-service-failures and --skip-version-check to get the IPA services 
working.

So our objective now is to remove this primary master from the topology and 
promote another server to be DNSSEC key master and CA master.

First question about CA Master:
To promote a replica to CA master is this all I have to do?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/moving-crl-gen-old

Second question about DNSSEC Key Master:
We disabled the dnssec key master with the command
ipa-dns-install --disable-dnssec-master

It finished with:

Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Unconfiguring ods-enforcerd
Exporting DNSSEC data before uninstallation
Unconfiguring ipa-ods-exporter
ipaserver.plugins.dogtag: ERROR    ra.find(): Unable to communicate with CMS 
(500)
Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateOperationError: Certificate operation cannot be completed: Unable to 
communicate with CMS (500)

and querying for dnssec key master:

ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

returns:
SASL/GSSAPI authentication started
SASL username: rmen...@domain.io
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=io> (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

However, if I make the same query on the replica servers, they still return the 
DNSSEC key master, preventing me from restarting the DNSSEC key master on any 
other server.

How can I manually remove this orphaned reference so I can proceed with dnssec 
key master service restore?
I have backed up the kasp.db.backup generated upon disabling the first master.

Thank you
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
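As an added consistency check (not part of the original post or of FreeIPA itself): run the ldapsearch above against every master, feed each server's LDIF output to this script, and it reports which masters still carry an entry flagged enabledService plus dnssecKeyMaster and whether the masters disagree. The sample LDIF, hostnames and the DN layout under cn=masters,cn=ipa,cn=etc are constructed for the example.

```python
from typing import Dict, List

# Constructed sample output of the ldapsearch from the post, one result per master.
# ipa1 (the broken master, after --disable-dnssec-master) returns nothing;
# ipa2 (a replica) still returns the orphaned key-master entry.
LDIF_BY_SERVER = {
    "ipa1.domain.io": """# extended LDIF
# search result
search: 4
result: 0 Success
# numResponses: 1
""",
    "ipa2.domain.io": """# extended LDIF
dn: cn=DNSSEC,cn=ipa1.domain.io,cn=masters,cn=ipa,cn=etc,dc=domain,dc=io
objectClass: nsContainer
objectClass: ipaConfigObject
ipaConfigString: enabledService
ipaConfigString: dnssecKeyMaster
cn: DNSSEC

# search result
search: 4
result: 0 Success
# numResponses: 2
""",
}

def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries (attribute -> values); folded lines (leading space) are joined."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith("#"):           # ldapsearch comments
            continue
        elif line.startswith(" ") and last_attr:   # LDIF continuation line
            current[last_attr][-1] += line[1:]
        elif ":" in line:
            attr, _, value = line.partition(":")
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def key_masters_by_server(ldif_by_server: Dict[str, str]) -> Dict[str, List[str]]:
    """For each queried master, the DNs it reports as enabled dnssecKeyMaster entries."""
    result = {}
    for server, text in ldif_by_server.items():
        result[server] = [e["dn"][0] for e in parse_ldif_entries(text)
                          if "dn" in e and
                          {"enabledService", "dnssecKeyMaster"} <= set(e.get("ipaConfigString", []))]
    return result

def replication_disagrees(ldif_by_server: Dict[str, str]) -> bool:
    """True when the masters do not all report the same set of key-master DNs."""
    views = {tuple(sorted(v)) for v in key_masters_by_server(ldif_by_server).values()}
    return len(views) > 1
```

A non-empty list for a replica while the former key master returns nothing is exactly the out-of-sync state described in the post.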