[Freeipa-users] How to restore IPA Master/Replicas

Rob Crittenden rcritten at redhat.com
Wed May 23 03:38:38 UTC 2012


Steven Jones wrote:
> Hi,
>
> Yes I think they are what I put in subversion, basically between satellite and the files below in subversion I should be able to build a complete basic IPA server RHEL6.2 machine....the "interesting" bit is getting my master IPA instance back.
>
>
> =========
> [root at vuwunicoipam001 scripts]# pwd
> /home/jonesst1/subversion/vuwunicoipam001-ods/scripts
> [root at vuwunicoipam001 scripts]# ls -l
> total 32
> -rw-rw-r--. 1 jonesst1 jonesst1 1696 Mar 19 16:04 cacert.p12
> drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 19 16:04 etc
> -rw-rw-r--. 1 jonesst1 jonesst1  206 Mar 19 16:04 nat-fw-down
> -rw-rw-r--. 1 jonesst1 jonesst1 7171 Mar 19 16:07 nat-fw-up
> drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 20 13:39 packages
> -rw-rw-r--. 1 jonesst1 jonesst1   40 Mar 19 16:04 pwdfile.txt
> -rwxrwxr-x. 1 jonesst1 jonesst1 3524 Mar 19 16:04 zzbuild
> [root at vuwunicoipam001 scripts]#

That should be all you need then, that cacert.p12. The token password 
should be the same as the Apache db password.

You can import it using pk12util -i ... as documented.

Then you'll need to create a serial number file. If you don't have the 
old one you can create a new one, you just want to be sure to set the 
starting value at something that hasn't already been issued. Re-issuing 
certs with duplicate serial numbers is not very nice. We start at 1000, 
you can pick any number sufficiently higher. To get a ballpark figure 
you might try something like (this should work in 2.1.x, I tested it in 
2.2.0):

ipa service-find --sizelimit=10000 |grep -i serial
ipa host-find --sizelimit=10000 | grep -i serial

That should show the serial numbers in use assuming you have fewer than 
10k hosts and services. It should put you in the ballpark in any case.

The format looks like:

[selfsign]
nextreplica = 500000
replicainterval = 500000
lastvalue = 1022

Only lastvalue is used, BTW.

For permissions, /var/lib/ipa/ca_serialno should be root:apache mode 
0664. You should probably run restorecon on it too.

To see if things are working you'll want to try to issue a cert.

rob

> =========
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 23 May 2012 9:43 a.m.
> To: Steven Jones
> Cc:<freeipa-users at redhat.com>; Deon Lackey
> Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas
>
> Steven Jones wrote:
>>>  From the 18.8.2 section point 2,
>>
>> "[root at ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d /etc/
>> dirsrv/slapd-EXAMPLE-COM"
>>
>> the -o option is the one below?
>>
>> [root at vuwunicoipam001 ~]# find /etc/ -name cacert*
>> /etc/httpd/alias/cacert.p12
>>
>> ?
>>
>> I think an explanation of what I'm meant to be looking for might help...
>
> You're using a self-signed CA?
>
> The -o is what you defined as /path/to/cacert.p12. It is wherever you
> want to store the file.
>
> This documentation is incorrect though, I thought I had filed a bug on
> this already. In a self-signed CA the root certificate is in
> /etc/httpd/alias and not in a 389-ds instance at all. So for step 2
> you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.
>
> What this is doing is creating a file to transport the self-signed CA
> private keys and certificate securely from one location to another.
>
> This is assuming the original master is around. If it is then you can do
> this. If not then you saved /root/cacert.p12 from the initial install,
> right?
>
> rob
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Wednesday, 23 May 2012 8:11 a.m.
>> Cc:<freeipa-users at redhat.com>
>> Subject: [Freeipa-users] How to restore IPA Master/Replicas
>>
>> Hi,
>>
>> My master is it seems dead and has been for a week, RH support cannot recover it.....so I need to move on and rebuild it.....first it looks like I need to promote my replica to be the master.
>>
>> Do we have any good docs/procedures for the above?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
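The rebuild steps Rob lists (import the CA's cacert.p12 with pk12util, find the highest serial already issued, write /var/lib/ipa/ca_serialno in the [selfsign] format, then fix its ownership, mode and SELinux label) gathered into one POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project. The `ipa host-find ... | grep -i serial` output below is a constructed sample; the 1000 margin above the highest seen serial and the use of /etc/httpd/alias/pwdfile.txt as the NSS password file are assumptions; the demo at the bottom writes to a temporary file rather than the live path, and the two functions that need root on the real server are defined but not run.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: rebuild the serial
# number file for a self-signed IPA CA after the master is lost.
# Assumptions: /etc/httpd/alias/pwdfile.txt holds the NSS database password
# (which the reply says is also the cacert.p12 token password), and a margin
# of 1000 above the highest seen serial counts as "sufficiently higher".

# Constructed sample of what
#   ipa host-find --sizelimit=10000 | grep -i serial
# prints; on a live server feed the real output into max_serial instead.
SAMPLE_FIND_OUTPUT='  Serial Number: 1003
  Serial Number: 1017
  Serial Number: 1022
  Serial Number: 1009'

# Step 1: import cacert.p12 into the Apache NSS database (pk12util -i, as the
# reply says). Not run in the demo below because it needs the real server.
import_ca_p12() {
    p12=$1
    pk12util -i "$p12" -d /etc/httpd/alias \
        -k /etc/httpd/alias/pwdfile.txt -w /etc/httpd/alias/pwdfile.txt
}

# Step 2a: highest serial number present on stdin (0 if none).
max_serial() {
    n=$(sed -n 's/.*[Ss]erial[^0-9]*\([0-9][0-9]*\).*/\1/p' | sort -n | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Step 2b: the lastvalue to record: highest seen serial plus a margin, never
# below the 1000 a fresh install starts at. The margin covers certs the
# --sizelimit=10000 search may have missed; lastvalue is the last serial the
# CA treats as used, so everything up to it is skipped.
next_lastvalue() {
    highest=$1
    margin=${2:-1000}
    start=$((highest + margin))
    if [ "$start" -lt 1000 ]; then
        start=1000
    fi
    printf '%s\n' "$start"
}

# Step 3: write the file in the [selfsign] format quoted in the reply; only
# lastvalue is read by the CA.
write_ca_serialno() {
    dest=$1
    lastvalue=$2
    printf '[selfsign]\nnextreplica = 500000\nreplicainterval = 500000\nlastvalue = %s\n' \
        "$lastvalue" > "$dest"
}

# Step 4: root:apache, mode 0664, SELinux label restored. Needs root on the
# IPA server, so it is not run in the demo.
fix_ca_serialno_perms() {
    dest=$1
    chown root:apache "$dest" && chmod 0664 "$dest" && restorecon "$dest"
}

# Demo on the constructed sample, writing to a temp file instead of
# /var/lib/ipa/ca_serialno so the script is harmless to run anywhere.
demo_tmp=$(mktemp)
highest=$(printf '%s\n' "$SAMPLE_FIND_OUTPUT" | max_serial)
write_ca_serialno "$demo_tmp" "$(next_lastvalue "$highest")"
cat "$demo_tmp"
rm -f "$demo_tmp"
```

On the real server, run both `ipa service-find` and `ipa host-find` with `--sizelimit=10000`, pipe the combined output through max_serial, write the result to /var/lib/ipa/ca_serialno, then call fix_ca_serialno_perms on it and, as Rob suggests, issue a test certificate to confirm the CA works.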